Just thought I'd throw in patches already available.

SSLv2 issues, and BEAST attack mitigation, and client renegotiation issues:
1) My SSL Ciphers and Client Renegotiation patch: 
http://goochfriend.org/pound_2.6f_ssl_renegotiation_and_ciphers.patch

  Introduces the SSLHonorCipherOrder option (0 or 1) which will set the 
appropriate openssl option.  Allows for BEAST attack mitigation.
  Introduces the SSLAllowClientRenegotiation (0, 1, or 2) option to control 
whether client renegotiations are disabled, allowed for secure only, or allowed 
for insecure. A setting of 0 eliminates the thc-ssl-dos attack.

2) I think SSLv2 should be disabled by default (using the ssl option to disable 
it).  A config action could re-enable it. (Apache's SSLProtocol or similar, 
maybe SSLEnableSSLv2 or something.)

3) The CSRF issue w/ invalid tags/et al in redirects... 
http://goochfriend.org/pound_2.6f_xss_redirect_fix.patch

   URL escapes the redirect_reply page so tags can't be injected.

Given the above are necessary to pass some compliance tests, and to lock down 
vulnerabilities, I'd push for those to be in 2.7, if they weren't already 
included in 2.6.

Joe
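The renegotiation control described in point 1, as an added example of the policy logic rather than code from the patch or from Pound: a model of the info-callback approach (as used by Apache's mod_ssl) in which the proxy counts completed handshakes and judges every later handshake start against the configured setting. The event names, struct and functions are hypothetical and the OpenSSL constants are not used, so the model compiles stand-alone.

```c
#include <stdbool.h>

/* Policy values as SSLAllowClientRenegotiation is described above. */
enum reneg_policy { RENEG_NONE = 0, RENEG_SECURE_ONLY = 1, RENEG_ANY = 2 };

/* Handshake notifications, modelled on OpenSSL's SSL_CB_HANDSHAKE_START
 * and SSL_CB_HANDSHAKE_DONE info-callback events (local constants). */
enum hs_event { HS_START, HS_DONE };

/* Per-connection state the proxy keeps next to the SSL object. */
struct conn_state {
    enum reneg_policy policy;
    bool peer_secure_reneg;  /* peer advertised RFC 5746 secure renegotiation */
    int  handshakes_done;    /* completed handshakes on this connection */
};
/* Judge one handshake event; returns false when the proxy must drop the
 * connection. The first handshake is always allowed; every later HS_START
 * is a client-initiated renegotiation and is subject to the policy. */
bool reneg_on_event(struct conn_state *c, enum hs_event ev)
{
    if (ev == HS_DONE) {
        c->handshakes_done++;
        return true;
    }
    if (c->handshakes_done == 0)
        return true;                              /* initial handshake */
    switch (c->policy) {
    case RENEG_ANY:         return true;
    case RENEG_SECURE_ONLY: return c->peer_secure_reneg;
    default:                return false;         /* RENEG_NONE */
    }
}

/* Model a client that completes one handshake and then asks for n more,
 * the load pattern setting 0 is meant to stop. Returns how many
 * renegotiations the policy let through before the connection was dropped. */
int simulate_renegotiations(enum reneg_policy p, bool peer_secure, int n)
{
    struct conn_state c = { p, peer_secure, 0 };
    int accepted = 0;
    reneg_on_event(&c, HS_START);
    reneg_on_event(&c, HS_DONE);
    for (int i = 0; i < n; i++) {
        if (!reneg_on_event(&c, HS_START))
            break;                                /* connection dropped */
        reneg_on_event(&c, HS_DONE);
        accepted++;
    }
    return accepted;
}
```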


> -----Original Message-----
> From: Robert Segall [mailto:[email protected]]
> Sent: Friday, December 30, 2011 9:44 AM
> To: [email protected]
> Subject: [Pound Mailing List] Pound 2.7
> 
> Hallo everybody
> 
> New year, new version: we declare open the wish-list for 2.7 features.
> Please reply to this with your list of enhancements/patches/wishes.
> 
> Please feel also free to offer comments (supportive or not, as the case
> may be) on items that others may post. The more support for a feature,
> the better its chances of making it into 2.7.
> 
> Please do NOT post patches in reply - a short description is quite
> enough. You can mail me directly if you want to offer patches.
> --
> Robert Segall
> Apsis GmbH
> Postfach, Uetikon am See, CH-8707
> Tel: +41-32-512 30 19
> 
> 
> --
> To unsubscribe send an email with subject unsubscribe to
> [email protected].
> Please contact [email protected] for questions.
