Correction: That should say, "I added !3DES to the list of Ciphers...."
And that fixed my problem.

-b

On Tue, Dec 12, 2017 at 4:28 PM, Brad Allison <[email protected]> wrote:

> Never mind. I found the solution.
>
> I added !DES to the list of Ciphers to exclude and it excluded those two
> CBC3-based ciphers.
>
> Ciphers "ALL:!ADH:!EXPORT:!SSLv2:!aNULL:!eNULL:!3DES:!DES:!MD5:!PSK:!RC4:!DH:!LOW:+HIGH:+MEDIUM"
>
> On Tue, Dec 12, 2017 at 4:04 PM, Brad Allison <[email protected]> wrote:
>
>> Here's my Ciphers in pound.cfg:
>>
>> Ciphers "ALL:!ADH:!EXPORT:!SSLv2:!aNULL:!eNULL:!DES:!MD5:!PSK:!RC4:!DH:!LOW:+HIGH:+MEDIUM"
>>
>> Then I do an sslscan on the pound server and save the data to
>> /tmp/sslscan.out,
>>
>> First I check for MD5:
>>
>> brad.allison@devops-west:/usr/local/devops/bin> grep MD5 /tmp/sslscan.out | wc -l
>> 0
>>
>> Then I check for RC4:
>>
>> brad.allison@devops-west:/usr/local/devops/bin> grep RC4 /tmp/sslscan.out | wc -l
>> 0
>>
>> Then I check for DES:
>>
>> brad.allison@devops-west:/usr/local/devops/bin> grep DES /tmp/sslscan.out | wc -l
>> 6
>>
>> brad.allison@devops-west:/usr/local/devops/bin> grep DES /tmp/sslscan.out
>> Accepted TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA
>> Accepted TLSv1 112 bits DES-CBC3-SHA
>> Accepted TLS11 112 bits ECDHE-RSA-DES-CBC3-SHA
>> Accepted TLS11 112 bits DES-CBC3-SHA
>> Accepted TLS12 112 bits ECDHE-RSA-DES-CBC3-SHA
>> Accepted TLS12 112 bits DES-CBC3-SHA
>>
>> So why is it allowing DES support when I have !DES in my Ciphers list?
>>
>> -brad
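The check done by hand in the thread with grep, written as a script that reports Triple DES (DES-CBC3) and single DES as separate families, so a remaining 3DES suite is not mistaken for a failed !DES exclusion. This is an added example, not part of the original messages; the function names and the sample lines are constructed here, and the line layout is assumed to be the one shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report weak suites in saved sslscan output.
# Assumed line layout, as shown in the thread: Accepted <proto> <bits> bits <cipher>

audit_sslscan() {   # $1 = saved sslscan output; exit status 1 if a weak suite is accepted
    awk '
        $1 == "Accepted" && $4 == "bits" {
            name = $5; family = ""
            # DES-CBC3 is Triple DES: test for it before single DES.
            if      (name ~ /DES-CBC3/)                 family = "3DES"
            else if (name ~ /^DES-/ || name ~ /-DES-/)  family = "DES"
            else if (name ~ /RC4/)                      family = "RC4"
            else if (name ~ /NULL/)                     family = "NULL"
            else if (name ~ /MD5$/)                     family = "MD5"
            if (family != "") {
                # family, protocol, key bits, cipher name (tab separated)
                printf "%s\t%s\t%s\t%s\n", family, $2, $3, name
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample input: two 3DES lines in the thread's format plus
# made-up single-DES, AES and rejected RC4 lines for contrast.
sample_scan() {
    cat <<'EOF'
Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
Accepted  TLS12  112 bits  DES-CBC3-SHA
Accepted  TLSv1  56 bits   DES-CBC-SHA
Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Rejected  TLSv1  128 bits  RC4-SHA
EOF
}

tmp=$(mktemp)
sample_scan > "$tmp"
if audit_sslscan "$tmp"; then
    echo "no weak suites accepted"
else
    echo "weak suites still accepted (listed above)"
fi
rm -f "$tmp"
```

Run it against the saved scan with `audit_sslscan /tmp/sslscan.out` after each change to the Ciphers line; the first column names the family that is still being accepted.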
