Hi,

Thanks for replying, we have set the ciphers that are used in the site that
you sent, with the latest openssl (OpenSSL 1.0.1 14 Mar 2012), and are
already running the version of pound (PCI-DSS patch) to deal with the BEAST
exploits.  No matter what we seem to do, the browsers always seem to only
use the cipher with no forward secrecy...

Config example (the Ciphers string must be on a single line in pound.cfg; it is
shown here joined, and the listener closed with End):

ListenHTTPS
  Address 123.456.789.98
  Port 443
  Cert "/usr/local/etc/certs/wildcard.URL.net.pem"
  Ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
  Client 60
  xHTTP 4
  SSLHonorCipherOrder 1
End


Any pointers would be appreciated,

Kevin


On Thu, Sep 12, 2013 at 11:47 AM, Conor McCarthy <[email protected]> wrote:

> This isn't a Pound specific solution, it covers Apache/OpenSSL, but the
> same considerations and SSLCipherSuite should apply, so hopefully it helps:
>
>
> http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
>
> You *will* need a recent-ish OpenSSL, and you *might* need to run one of
> the patched Pound versions (e.g. the PCI-DSS version).
>
> C.
>
>
>
> On 12 September 2013 16:24, Root Kev <[email protected]> wrote:
>
>> Hello All,
>>
>> We are having an issue getting forward secrecy working correctly with our
>> pound setup.  Can anyone give us an example of a working configuration
>> and/or the ciphers that should be used (or even if the current stable
>> version of pound supports it?).
>>
>> Thanks!
>>
>> Kevin
>>
>
>
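The script below is an added example for this thread, not Pound code and not
something either poster sent. It takes Kevin's cipher string from the config
above, expands it with the local OpenSSL through Python's ssl module, flags
which suites actually give forward secrecy (ephemeral ECDHE/DHE key exchange,
or any TLS 1.3 suite), and checks that no forward-secret suite sorts below a
non-forward-secret one, which is what SSLHonorCipherOrder 1 relies on. It also
simulates the negotiation with and without honouring server order, using a
constructed server list and a constructed client list that prefers RC4; those
two lists are hypothetical, not captured from a browser. The expanded suite
list depends on the OpenSSL Python was built against, so on a modern build the
RC4 entries simply match nothing.

```python
"""Check an OpenSSL cipher string for forward-secrecy ordering and show why
SSLHonorCipherOrder matters during negotiation.

Added example for the Pound thread; not Pound code, talks to no server.
"""
import ssl

# Kevin's cipher string from the config above, joined onto one line.
POUND_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 "
    "EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)


def is_forward_secret(name, protocol=None):
    """A suite gives forward secrecy only if its key exchange is ephemeral.

    In OpenSSL naming that is the ECDHE-/DHE-/EDH- prefix. Static ECDH-,
    RSA key transport (AES128-SHA, RC4-SHA, ...) and static DH do not.
    Every TLS 1.3 suite uses an ephemeral exchange, so those count too.
    """
    if protocol == "TLSv1.3":
        return True
    return name.startswith(("ECDHE-", "DHE-", "EDH-"))


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the ordered list a server offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def forward_secrecy_report(cipher_string):
    """Return (suites, index of first non-FS suite or None, FS suites below it).

    With SSLHonorCipherOrder the server walks this list top to bottom, so an
    FS suite that sorts below a non-FS one can never win against a client
    that also offers the non-FS suite.
    """
    suites = expand(cipher_string)
    flags = [is_forward_secret(n, p) for n, p in suites]
    first_non_fs = flags.index(False) if False in flags else None
    late_fs = []
    if first_non_fs is not None:
        late_fs = [n for (n, _), fs in zip(suites[first_non_fs:], flags[first_non_fs:]) if fs]
    return suites, first_non_fs, late_fs


def negotiate(server_suites, client_suites, honor_server_order):
    """Pick the suite a TLS 1.2 server would choose from the client's offer.

    honor_server_order=True models SSLHonorCipherOrder 1: the first server
    suite the client also offers. False models the default: the first client
    suite the server supports, so a client that lists RC4 early gets RC4.
    """
    if honor_server_order:
        client_set = set(client_suites)
        return next((s for s in server_suites if s in client_set), None)
    server_set = set(server_suites)
    return next((c for c in client_suites if c in server_set), None)


# Constructed, hypothetical offers (not captured from real traffic): a short
# server list and a client whose own preference order puts RC4 first.
SERVER_OFFER = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "RC4-SHA", "AES128-SHA"]
CLIENT_OFFER = ["RC4-SHA", "ECDHE-RSA-AES128-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]


if __name__ == "__main__":
    suites, first_non_fs, late_fs = forward_secrecy_report(POUND_CIPHERS)
    for name, proto in suites:
        print(f"{'FS ' if is_forward_secret(name, proto) else '   '} {proto:8} {name}")
    print("first non-FS index:", first_non_fs, " FS suites below it:", late_fs)
    print("client order wins:", negotiate(SERVER_OFFER, CLIENT_OFFER, False))
    print("server order wins:", negotiate(SERVER_OFFER, CLIENT_OFFER, True))
```

One caveat the ordering check cannot see: listing EECDH/EDH suites in the
cipher string is not enough on OpenSSL 1.0.x, because the server process also
has to supply DH parameters and select an ECDH curve (SSL_CTX_set_tmp_dh /
SSL_CTX_set_tmp_ecdh) before those suites are actually offered; a build that
does not do that silently drops them and falls through to the RSA suites, which
looks exactly like "browsers only pick the non-FS cipher". A quick check from
the outside is `openssl s_client -connect host:443 -cipher ECDHE` (and again
with `-cipher DHE`): if the handshake fails with no shared cipher, the listener
is not really offering ephemeral suites regardless of what the cipher string
says.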