Glad it worked for you. Here's an updated version: http://goochfriend.org/pound_2.6f_ssl_renegotiation_and_ciphers.patch
This one introduces two new config directives:

SSLHonorCipherOrder 0|1
    When set to 1, the server prefers Ciphers in the order specified. When 0, the server advertises no preference.

SSLAllowClientRenegotiation 0|1|2
    When set to 0, no client renegotiation will be honored. When 1, secure renegotiation will be honored. When 2, insecure renegotiation will be honored.

It will also disable insecure renegotiation on backend HTTPS connections.

Given these options, the most secure configuration would be:

SSLAllowClientRenegotiation 0
SSLHonorCipherOrder 1
Ciphers "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"

which mitigates BEAST attacks as outlined here: http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
as well as renegotiation attacks.

This should be a slightly cleaner fix which can be more easily integrated into 2.6... but I'm sure there are some things I did which Robert will likely prefer are coded with a different style... I'll let him make that determination.

Joe

> -----Original Message-----
> From: Jorge Fábregas [mailto:[email protected]]
> Sent: Sunday, November 06, 2011 9:51 AM
> To: [email protected]
> Subject: Re: [Pound Mailing List] SSL renegotiation DDoS and Pound
>
> On 11/02/2011 06:19 PM, Joe Gooch wrote:
> > So YMMV, but let me know if you run into any problems and how it
> > works for you.
>
> Joe,
>
> I applied the patch flawlessly and it compiled without problems. I then
> proceeded to verify the server with the THC exploit and indeed it shows:
>
> "ERROR: Target has disabled renegotiations."
>
> I also went to:
>
> https://www.ssllabs.com/ssldb/index.html
>
> ...and I get this (as expected):
>
> "Secure Renegotiation: Supported, with client-initiated renegotiation
> disabled"
>
> Conclusion: Your patch nailed it! Thanks so much!
>
> Best regards,
> Jorge
>
> --
> To unsubscribe send an email with subject unsubscribe to
> [email protected].
> Please contact [email protected] for questions.
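As an added example (not code from the Pound project, from the patch, or from either poster), the following POSIX shell script checks from the client side, with `openssl s_client`, two of the effects the directives above are meant to produce: that the server still picks its own first-listed cipher when the client advertises that cipher last (what SSLHonorCipherOrder 1 is for), and that the server offers the RFC 5746 secure-renegotiation extension (what the SSL Labs report quoted by Jorge is reporting). The host and port are placeholders supplied on the command line; the "preferred" cipher is the first entry of the Ciphers line in the message, and the s_client output it parses when run without arguments is a constructed sample, not captured from a real Pound server.

```shell
#!/bin/sh
# Added example, not part of Pound or of this mailing-list thread.
# Checks two client-visible effects of the new directives:
#   - SSLHonorCipherOrder 1: the server picks its own first cipher even when
#     the client lists that cipher last;
#   - the server offers the RFC 5746 secure-renegotiation extension.
# PREFERRED is the first entry of the message's Ciphers line; LEAST is a later
# entry, deliberately offered first. Host and port are placeholders (argv).

PREFERRED="ECDHE-RSA-AES256-SHA384"
LEAST="AES256-SHA256"

# reneg_status OUTPUT: classify the "Secure Renegotiation ..." line that
# openssl s_client prints. Prints secure | insecure | unknown.
reneg_status() {
    case "$1" in
        *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *)                                         echo unknown ;;
    esac
}

# negotiated_cipher OUTPUT: the cipher from the "Cipher    : ..." line of
# the SSL-Session block.
negotiated_cipher() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' \
      | head -n 1
}

# honors_order OUTPUT: succeeds when the server chose PREFERRED although the
# client advertised LEAST ahead of it, i.e. the server order was honored.
honors_order() {
    [ "$(negotiated_cipher "$1")" = "$PREFERRED" ]
}

# probe HOST PORT: run s_client offering LEAST before PREFERRED and return its
# full output. "Q" closes the session once the handshake has completed.
probe() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" \
        -cipher "$LEAST:$PREFERRED" 2>/dev/null
}

# check_server HOST PORT: report both properties; exit 0 only if both hold.
check_server() {
    out=$(probe "$1" "$2")
    echo "negotiated cipher   : $(negotiated_cipher "$out")"
    echo "secure renegotiation: $(reneg_status "$out")"
    honors_order "$out" && [ "$(reneg_status "$out")" = secure ]
}

# Constructed samples of the relevant s_client lines (not captured from a
# real server) so the parsing can be exercised without a network.
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384'

SAMPLE_BAD='New, TLSv1.2, Cipher is AES256-SHA256
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256'

# Usage: sh check_pound_tls.sh HOST [PORT]   (no arguments: run on the samples)
if [ $# -gt 0 ]; then
    check_server "$1" "${2:-443}"
else
    for s in "$SAMPLE_OK" "$SAMPLE_BAD"; do
        printf 'cipher=%s reneg=%s honors_order=%s\n' \
            "$(negotiated_cipher "$s")" "$(reneg_status "$s")" \
            "$(honors_order "$s" && echo yes || echo no)"
    done
fi
```

This covers the cipher-order and secure-renegotiation-extension properties only. Whether client-initiated renegotiation is actually refused (SSLAllowClientRenegotiation 0) is what the THC tool and the SSL Labs "client-initiated renegotiation disabled" line in the quoted reply check; in an interactive `openssl s_client` session the `R` command requests a renegotiation, and with that setting the server should not complete a second handshake.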
