Hi there. I have used the pound patch
http://goochfriend.org/pound_2.6f_ssl_renegotiation_and_ciphers_v2.patch
on the last stable version of Pound, but when I applied the patch it gave me a rejection file (config.c.rej) with:

@@ -1022,6 +1033,23 @@ lin[matches[1].rm_eo] = '\0'; if((res->add_head = strdup(lin + matches[1].rm_so)) == NULL) conf_err("AddHeader config: out of memory - aborted"); + } else if(!regexec(&SSLAllowClientRenegotiation, lin, 4, matches, 0)) { + res->allow_client_reneg = atoi(lin + matches[1].rm_so); + if (res->allow_client_reneg == 2) { + ssl_op_enable |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; + ssl_op_disable &= ~SSL_OP_ALLOW_UNSAFE_LEGACY_ RENEGOTIATION; + } else { + ssl_op_disable |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; + ssl_op_enable &= ~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; + } + } else if(!regexec(&SSLHonorCipherOrder, lin, 4, matches, 0)) { + if (atoi(lin + matches[1].rm_so)) { + ssl_op_enable |= SSL_OP_CIPHER_SERVER_PREFERENCE; + ssl_op_disable &= ~SSL_OP_CIPHER_SERVER_PREFERENCE; + } else { + ssl_op_disable |= SSL_OP_CIPHER_SERVER_PREFERENCE; + ssl_op_enable &= ~SSL_OP_CIPHER_SERVER_PREFERENCE; + } } else if(!regexec(&Ciphers, lin, 4, matches, 0)) { has_other = 1; if(res->ctx == NULL)

What I did to solve it and include those options in pound.cfg was to remove these lines from config.c:

    } else {
        if((res->add_head = realloc(res->add_head, strlen(res->add_head) + strlen(lin + matches[1].rm_so) + 3)) == NULL)
            conf_err("AddHeader config: out of memory - aborted");
        strcat(res->add_head, "\r\n");
        strcat(res->add_head, lin + matches[1].rm_so);
    }

But I don't know what the implications of that are. Is there any problem with removing these lines?

Thanks.

-- Ricardo Santos
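Review bot: deleting the `} else { ... realloc ... strcat ... }` block is not equivalent to applying the rejected hunk; those are the lines that append a second and later AddHeader directive to res->add_head separated by "\r\n", so after the deletion only the first AddHeader in a block takes effect and any further AddHeader lines are silently dropped. The hunk was rejected only because its context (the unconditional `strdup` of a single AddHeader, as in 2.6f) no longer matches the multi-AddHeader code in the newer config.c; the better fix is to keep the else branch and insert the new `SSLAllowClientRenegotiation` and `SSLHonorCipherOrder` branches by hand between the closing brace of the AddHeader block and the existing `} else if(!regexec(&Ciphers, lin, 4, matches, 0)) {` line. Also check the disable line of the `allow_client_reneg == 2` case: as posted it reads `SSL_OP_ALLOW_UNSAFE_LEGACY_ RENEGOTIATION` with a space before RENEGOTIATION, which will not compile and should be `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` like the other three uses.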

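As an added illustration (not Pound's code and not from the original post): a small C model of the two AddHeader parser paths, where `add_header_append` mirrors the full logic including the removed `else` lines and `add_header_first_only` mirrors config.c with that branch deleted; the two directive values are constructed here. It shows that with the branch gone only the first AddHeader value survives.

```c
/* Added example, not Pound's own code: models the AddHeader accumulation
 * in config.c with and without the realloc/strcat "else" branch. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Full behaviour: first value is strdup'd, later ones appended after "\r\n". */
static void add_header_append(char **add_head, const char *value)
{
    if (*add_head == NULL) {
        if ((*add_head = strdup(value)) == NULL) { perror("strdup"); exit(1); }
    } else {
        /* +3 covers "\r\n" plus the terminating NUL, as in the removed lines */
        char *p = realloc(*add_head, strlen(*add_head) + strlen(value) + 3);
        if (p == NULL) { perror("realloc"); exit(1); }
        *add_head = p;
        strcat(*add_head, "\r\n");
        strcat(*add_head, value);
    }
}

/* With the else branch deleted: only the first AddHeader is ever stored. */
static void add_header_first_only(char **add_head, const char *value)
{
    if (*add_head == NULL) {
        if ((*add_head = strdup(value)) == NULL) { perror("strdup"); exit(1); }
    }
}

/* Feed n directive values through one of the two parsers; caller frees result. */
char *build_headers(int keep_all, const char *const *values, size_t n)
{
    char *add_head = NULL;
    for (size_t i = 0; i < n; i++) {
        if (keep_all) add_header_append(&add_head, values[i]);
        else          add_header_first_only(&add_head, values[i]);
    }
    return add_head;
}

int main(void)
{
    /* Constructed sample: two AddHeader directives from one pound.cfg block. */
    const char *const cfg[] = { "X-Forwarded-Proto: https", "X-Frame-Options: DENY" };
    char *full = build_headers(1, cfg, 2);
    char *trimmed = build_headers(0, cfg, 2);
    printf("with else branch:\n%s\n\nwithout else branch:\n%s\n", full, trimmed);
    free(full);
    free(trimmed);
    return 0;
}
```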