You probably want to do something more like:

    Ciphers "HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"

But that should pretty much do it. Maybe try the tester at https://www.ssllabs.com/ssldb/index.html and see what it says about your SSLv2 support.

There's an option that can be set in the pound code (SSL_OP_NO_SSLv2)... but I'm not sure if it's going to help or not. If you want to try it, open config.c and replace all instances of SSL_OP_ALL with SSL_OP_ALL|SSL_OP_NO_SSLv2.

Otherwise, you may want to try compiling OpenSSL without SSLv2 support (http://adamyoung.net/Disable-SSLv2-System-Wide). I believe Ubuntu does this as part of their distro (which is making it harder for me to test, because my libraries don't support SSLv2 anyway).

Let me know what you find!

Joe

From: Robert Hicks [mailto:[email protected]]
Sent: Monday, November 28, 2011 11:57 AM
To: [email protected]
Subject: [Pound Mailing List] Disabling SSLv2

All,

I'm new to the list but have been using Pound for several years. I'm trying to get Pound to pass PCI/DSS. My scanning vendor is failing it, indicating that SSLv2 is enabled. My Ciphers parameter in pound.cfg is as follows:

    ListenHTTPS
        Address 0.0.0.0
        Port 443
        Cert "/etc/contractpal.net.pem"
        Err414 "/etc/pound_414.html"
        Err500 "/etc/pound_500.html"
        Err501 "/etc/pound_501.html"
        Err503 "/etc/pound_503.html"
        Ciphers "-ALL +SSLv3 +TLSv1"

When I run a test to see if Pound is accepting SSLv2 connections, I get the following:

    New, SSLv2, Cipher is DES-CBC3-MD5
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : SSLv2

What do I need to do to disable SSLv2?

Rob
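The check a practitioner wants after changing any of the three things discussed above (the Ciphers string, the SSL_OP_NO_SSLv2 patch to config.c, or an OpenSSL built without SSLv2) is the same probe the PCI scanner runs: an SSLv2-only handshake with openssl s_client -ssl2. The script below is an added example and is not code from the thread or from the Pound project. It classifies the s_client output into three verdicts rather than two, because an OpenSSL built without SSLv2 (Joe's Ubuntu situation) cannot speak SSLv2 at all and its "unknown option" error must not be mistaken for a clean server. The host and port are assumptions; the sample output embedded for the self-check is constructed from the "New, SSLv2, Cipher is ..." lines Rob posted. Note also that an OpenSSL cipher string such as "-ALL +SSLv3 +TLSv1" only selects cipher suites, it does not restrict protocol versions; the SSLv2 handshake is refused by SSL_OP_NO_SSLv2 or by a library with no SSLv2 support, which is why an external probe is the only reliable verification.

```shell
#!/bin/sh
# Added example, not code from the Pound thread or the Pound project.
# Probes a listener for SSLv2 acceptance the way a PCI scanner does
# (openssl s_client -ssl2) and classifies the s_client output.
# Host/port are assumptions; the sample below is constructed from the
# s_client lines posted in the thread.

# Constructed sample of what s_client printed against the posted listener.
SAMPLE_SSLV2='New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SSLv2'

# classify_sclient OUTPUT
# Prints exactly one of:
#   sslv2-accepted   server completed an SSLv2 handshake (PCI failure)
#   client-no-sslv2  local OpenSSL has no SSLv2 support; the result is
#                    inconclusive and must not be reported as a pass
#   sslv2-refused    no SSLv2 session was negotiated
classify_sclient() {
    case "$1" in
        *"nknown option"*"-ssl2"*)
            printf 'client-no-sslv2\n' ;;
        *"New, SSLv2, Cipher is"*|*"Protocol"*": SSLv2"*)
            printf 'sslv2-accepted\n' ;;
        *)
            printf 'sslv2-refused\n' ;;
    esac
}

# probe_sslv2 HOST [PORT]
# Runs the live probe; returns non-zero only when SSLv2 was accepted.
probe_sslv2() {
    host="$1"; port="${2:-443}"
    # 'Q' on stdin makes s_client close as soon as the handshake finishes.
    out=$(printf 'Q\n' | openssl s_client -ssl2 -connect "$host:$port" 2>&1)
    verdict=$(classify_sclient "$out")
    printf '%s:%s %s\n' "$host" "$port" "$verdict"
    [ "$verdict" != "sslv2-accepted" ]
}

# sslv2_suites_in CIPHERSPEC
# Prints the SSLv2-only suites a Pound "Ciphers" string would still offer,
# as reported by the local OpenSSL; empty output means none. A cipher
# string limits suites, not protocol versions, so this is a supporting
# check only; the handshake itself is refused by SSL_OP_NO_SSLv2 or by an
# OpenSSL built without SSLv2.
sslv2_suites_in() {
    openssl ciphers -v "$1" 2>/dev/null | awk '$2 == "SSLv2" { print $1 }'
}

# Usage (host is an assumption): sh sslv2-probe.sh --probe www.example.com 443
if [ "${1:-}" = "--probe" ] && [ -n "${2:-}" ]; then
    probe_sslv2 "$2" "${3:-443}"
fi
```

Run it from a machine whose OpenSSL still has SSLv2 compiled in, or the verdict will be client-no-sslv2 and the question stays open; a scanner that does have SSLv2 support will not be so lenient. The exit status of probe_sslv2 makes it usable as a post-deploy gate.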
