Hi,
I'm trying to disable sslv3 with the "no-sslv3" bind option, but it's
not working.
The option is accepted and the restart is successful, but sslv3 is still
accepted:
$ openssl s_client -ssl3 -connect localhost:443
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Session-ID:
D74EC1760F565669B7CD8D21636D05AABC9E047DAC94133E62240B3824EB8176
Session-ID-ctx:
Master-Key:
11417200F033C2B542B4FA3A7DC3C00214EFE92C7709FD406014D047D75DBA40573447ED5808962211AF323860367DEE
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1413900818
Double-checked with nmap.
Tested with haproxy 1.5.3 and 1.5.4 on Ubuntu 14.10, Fedora 20 and Centos 7.
Config is as simple as:
frontend myfrontend
    bind 0.0.0.0:443 ssl crt /etc/haproxy/mycert.pem no-sslv3
    default_backend mybackend
    reqadd X-Forwarded-Proto:\ https
I've also tried disabling TLS, and that seems to have no effect either.
Lots of people are recommending this as a fix against the POODLE vuln,
so it's quite critical! Any thoughts?
Thanks,
John.
--
http://brightbox.com
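Two checks a reviewer of this thread would want to automate are (a) whether every `ssl` bind line in the config actually carries `no-sslv3`, either directly or through the global `ssl-default-bind-options` directive that HAProxy 1.5 applies to all SSL binds, and (b) whether an `openssl s_client -ssl3` transcript really shows an accepted SSLv3 session rather than a failed handshake. The following script is an added example, not code from the original post or from the HAProxy project; the config text and the two `s_client` transcripts it works on are constructed for the demonstration, and the config-parsing rules assume HAProxy 1.5 keyword syntax as documented for that release.

```python
"""Audit HAProxy bind lines for SSLv3 exposure and interpret s_client output.

Added example, not part of the original mailing-list post.  Assumptions:
HAProxy 1.5 syntax, i.e. a per-bind 'no-sslv3' keyword and a global
'ssl-default-bind-options' directive whose options apply to every 'ssl' bind.
All sample text below is constructed for the demo.
"""
import re

# Constructed config: one protected bind, one unprotected SSL bind, one plain.
SAMPLE_CONFIG = """\
global
    log /dev/log local0

defaults
    mode http

frontend myfrontend
    bind 0.0.0.0:443 ssl crt /etc/haproxy/mycert.pem no-sslv3
    default_backend mybackend

frontend legacy
    bind 0.0.0.0:8443 ssl crt /etc/haproxy/mycert.pem   # no-sslv3 missing
    default_backend mybackend

frontend plain
    bind 0.0.0.0:80
    default_backend mybackend
"""

# Constructed transcript of a successful 'openssl s_client -ssl3' session.
SAMPLE_S_CLIENT_OUTPUT = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
"""

# Constructed transcript of a refused SSLv3 handshake: s_client still prints
# 'Protocol : SSLv3' because that is what the client requested, but the
# cipher is 0000 / (NONE), so a naive grep for the protocol line misleads.
SAMPLE_S_CLIENT_FAILED = """\
error: handshake failure (constructed placeholder line)
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
"""

SECTION_KEYWORDS = ('global', 'defaults', 'frontend', 'backend', 'listen')


def audit_bind_lines(config_text):
    """Return (section, bind line) pairs for SSL binds that still allow SSLv3.

    A bind is treated as protected if it carries 'no-sslv3' itself, or if the
    global section sets 'ssl-default-bind-options' including 'no-sslv3'.
    """
    section = None
    global_no_sslv3 = False
    ssl_binds = []
    for raw in config_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        words = line.split()
        if words[0] in SECTION_KEYWORDS:
            section = ' '.join(words[:2])      # e.g. 'frontend legacy'
            continue
        if section == 'global' and words[0] == 'ssl-default-bind-options':
            global_no_sslv3 = 'no-sslv3' in words[1:]
        if words[0] == 'bind' and 'ssl' in words[1:]:
            ssl_binds.append((section, line, 'no-sslv3' in words[1:]))
    # Filter after the pass so the global default counts wherever it appears.
    return [(sec, line) for sec, line, has_opt in ssl_binds
            if not (has_opt or global_no_sslv3)]


def negotiated_protocol(s_client_output):
    """Extract the 'Protocol :' value from s_client output, or None."""
    m = re.search(r'^\s*Protocol\s*:\s*(\S+)', s_client_output, re.MULTILINE)
    return m.group(1) if m else None


def negotiated_cipher(s_client_output):
    """Extract the 'Cipher :' value from the SSL-Session block, or None."""
    m = re.search(r'^\s*Cipher\s*:\s*(\S+)', s_client_output, re.MULTILINE)
    return m.group(1) if m else None


def sslv3_accepted(s_client_output):
    """True only if SSLv3 was negotiated AND a real cipher was agreed."""
    return (negotiated_protocol(s_client_output) == 'SSLv3'
            and negotiated_cipher(s_client_output) not in (None, '0000', '(NONE)'))


if __name__ == '__main__':
    for section, line in audit_bind_lines(SAMPLE_CONFIG):
        print('SSLv3 still allowed in %s: %s' % (section, line))
    print('accepted transcript -> SSLv3 accepted:', sslv3_accepted(SAMPLE_S_CLIENT_OUTPUT))
    print('refused transcript  -> SSLv3 accepted:', sslv3_accepted(SAMPLE_S_CLIENT_FAILED))
```

Run it against a real config by replacing `SAMPLE_CONFIG` with the file contents, and pipe a live `openssl s_client -ssl3 -connect host:443 < /dev/null` transcript into `sslv3_accepted` to confirm the negotiated cipher rather than trusting the `Protocol :` line alone.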