Hello Andreas,

On Mon, Apr 29, 2013 at 9:57 AM, Andreas Hilboll <[email protected]> wrote:

> Hi,
>
> a recent PCI-DSS scan revealed the following vulnerabilities on our
> system:
>
> CVE-2011-3389: SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability
> CVE-2012-4929: SSL/TLS Compression Algorithm Information Leakage
>                Vulnerability
>
> For 2011-3389, I need to disable ciphers deemed insecure. The solution
> for Apache would be this:
>
>    SSLHonorCipherOrder On
>    SSLCipherSuite RC4-SHA:HIGH:!ADH
>

Pound 2.7a contains a fix, at GoodData we use the following configuration:

        Ciphers "!EXPORT:!SSLv2:!MD5:!aNULL:!NULL:!LOW:RC4:RSA:ALL"
        SSLHonorCipherOrder 1

> For 2012-4929, I need to turn off SSL Compression.
>

This is what we use to address the issue (not sure what's needed in order
to get that patch merged):

http://www.apsis.ch/pound/pound_list/archive/2013/2013-02/1360766010000#1360766010000

Our setup with stock el6 openssl (1.0.0) yields the following result.
https://www.ssllabs.com/ssltest/analyze.html?d=secure.gooddata.com


>
> How can I achieve these two points with Pound 2.6 on Debian Squeeze?
>

You need to rebuild your package.
Maybe it would be a good idea to file bug reports with your distribution?


>
> Thanks a lot for your help!
>

Hope that helps!

-- 
Lubomir Rintel <[email protected]>
GoodData code indentation aesthetic specialist
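The two settings in the reply above (the Pound Ciphers string with SSLHonorCipherOrder, and compression switched off) map directly onto OpenSSL context options, so they can be checked offline without a scanner. The following is an added example, not code from the thread, Pound or GoodData: it builds a server-side context with the cipher string quoted in the reply, sets the server-preference and no-compression options that correspond to SSLHonorCipherOrder 1 and the compression patch, and audits the resulting cipher list for the classes the string is meant to exclude (export, anonymous, MD5, NULL). The helper names, the WEAK_MARKERS list and the report layout are this example's own assumptions. Note that on a current OpenSSL the RC4 suites the 2013 configuration preferred are usually absent (RC4 was prohibited for TLS by RFC 7465), so the report shows `rc4_available` as False there.

```python
import ssl

# Cipher string as quoted in the mailing-list reply (Pound "Ciphers" directive).
# The helpers around it are added illustration, not Pound's own code.
POUND_CIPHERS = "!EXPORT:!SSLv2:!MD5:!aNULL:!NULL:!LOW:RC4:RSA:ALL"

# Assumed markers for the suite classes the cipher string is meant to exclude:
# export grade, anonymous DH/ECDH, MD5-based MAC and NULL encryption.
WEAK_MARKERS = ("EXP", "ADH", "AECDH", "MD5", "NULL")


def build_context(cipher_string: str = POUND_CIPHERS) -> ssl.SSLContext:
    """Server context mirroring the two settings from the thread.

    set_ciphers()              <-> Pound "Ciphers" directive
    OP_CIPHER_SERVER_PREFERENCE <-> SSLHonorCipherOrder 1
    OP_NO_COMPRESSION           <-> the compression patch (CVE-2012-4929, CRIME)
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise what the context would still offer to a client."""
    names = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in names if any(m in n for m in WEAK_MARKERS)]
    # CBC suites are the ones CVE-2011-3389 (BEAST) concerns on TLS 1.0;
    # the 2013 config put RC4 ahead of them rather than removing them.
    cbc = [n for n in names if "CBC" in n]
    rc4 = [n for n in names if "RC4" in n]
    return {
        "total": len(names),
        "weak": weak,
        "cbc_suites": cbc,
        "rc4_available": bool(rc4),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "server_order": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
    }


if __name__ == "__main__":
    report = audit_context(build_context())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the OpenSSL your Python is linked with: `weak` should come back empty and both option flags True, while `cbc_suites` lists what a TLS 1.0 client could still negotiate, which is the part the cipher-order setting was meant to steer rather than eliminate.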
