You need OpenSSL 1.0.1d or newer.  1.0.1e was released Feb-2013. (mentioned in 
the article Conor provided)

When I test with SSLLabs with 2.6 PCI+DSS it works… However do note that Pound 
does not set ephemeral ECDH keys, which means all the elliptical cipher suites 
are out of play.  I’m not up on this enough at this point to know the best way 
to fix it.

Joe
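To see what Joe's point about ephemeral ECDH means for Kevin's configuration, here is an added example (not part of this thread, not Pound code): it expands Kevin's Ciphers string with the local OpenSSL via Python's ssl module, drops the suites the server could not complete a handshake with (ECDHE without an ephemeral EC key, DHE without DH parameters), and shows which suite a constructed client offer would end up with under SSLHonorCipherOrder 1. Names and the client offer are assumptions for illustration.

```python
import ssl

# Kevin's Ciphers line from the thread, joined back into one string.
POUND_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
    "EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES "
    "!MD5 !EXP !PSK !SRP !DSS"
)

# Key-exchange values (from OpenSSL's "Kx=" field) that give forward secrecy.
FORWARD_SECRET = {"ECDH", "DH"}


def expand(cipher_string):
    """Expand an OpenSSL cipher string into (suite name, key exchange) pairs in
    server priority order, using the local OpenSSL's own cipher list.
    TLS 1.3 suites are skipped: they are always ephemeral and not governed
    by this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        # description looks like "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA ..."
        kx = [t.split("=", 1)[1] for t in c["description"].split() if t.startswith("Kx=")][0]
        suites.append((c["name"], kx))
    return suites


def negotiable(suites, ecdh_configured, dh_params_configured):
    """Drop the suites the server cannot actually complete a handshake with:
    Kx=ECDH needs an ephemeral EC key (which Pound does not set, per Joe),
    Kx=DH needs DH parameters loaded into the server."""
    return [(n, kx) for n, kx in suites
            if not (kx == "ECDH" and not ecdh_configured)
            and not (kx == "DH" and not dh_params_configured)]


def chosen(server_suites, client_offer):
    """With SSLHonorCipherOrder 1 the server takes the first suite in its own
    list that the client also offers; None if there is no overlap."""
    offered = set(client_offer)
    return next((n for n, _ in server_suites if n in offered), None)


if __name__ == "__main__":
    full = expand(POUND_CIPHERS)
    # Constructed (hypothetical) browser offer: one ECDHE, one DHE and one static-RSA suite.
    offer = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
    for ecdh, dh in [(True, True), (False, True), (False, False)]:
        pick = chosen(negotiable(full, ecdh, dh), offer)
        print(f"ephemeral ECDH={ecdh} DH params={dh}: negotiated {pick}")
```

Without an ephemeral EC key only the EDH+aRSA suites still offer forward secrecy, and those in turn need DH parameters; with neither, nothing in this list is forward secret.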

From: Root Kev [mailto:[email protected]]
Sent: Thursday, September 12, 2013 1:48 PM
To: [email protected]
Subject: Re: [Pound Mailing List] Perfect Forward Secrecy SSL Setup

Hi,

Thanks for replying, we have set the ciphers that are used in the site that you 
sent, with the latest openssl (OpenSSL 1.0.1 14 Mar 2012), and are already 
running the version of pound (PCI-DSS patch) to deal with the BEAST exploits.  
No matter what we seem to do, the browsers always seem to only use the cipher 
with no forward secrecy...

Config example:

ListenHTTPS
  Address 123.456.789.98
  Port 443
  Cert "/usr/local/etc/certs/wildcard.URL.net.pem"
  Ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

  Client 60
  xHTTP 4

  SSLHonorCipherOrder 1


Any pointers would be appreciated,

Kevin

On Thu, Sep 12, 2013 at 11:47 AM, Conor McCarthy <[email protected]> wrote:
This isn't a Pound-specific solution, it covers Apache/OpenSSL, but the
same considerations and SSLCipherSuite should apply so hopefully it helps:

http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html

You *will* need a recent-ish OpenSSL, and you *might* need to run one of the 
patched Pound versions (e.g. the PCI-DSS version).
C.


On 12 September 2013 16:24, Root Kev <[email protected]> wrote:
Hello All,

We are having an issue getting forward secrecy working correctly with our pound 
setup.  Can anyone give us an example of a working configuration and/or the 
ciphers that should be used (or even if the current stable version of pound 
supports it?).

Thanks!

Kevin

