Take a look at this thread for an explanation why you end up with TLS v1.2: http://openssl.6102.n7.nabble.com/openssl-not-showing-any-TLS-1-1-chiper-suites-td36871.html
I'm no SSL/TLS expert but in my opinion "HIGH:!SSLv3:!SSLv2" is what you want.

Regards,
Leo

On 02/25/2014 12:12 PM, Ute Carstens wrote:
> Hi,
>
> thank you for answering, but that doesn't really help.
> We use Pound-2.7b on a Debian wheezy with openssl 1.0.1e.
> openssl ciphers -v "ALL:-SSLv3" returns only TLSv1.2 ciphers.
> (And I tried so many combinations now, that I got sick)
>
> The customer wants TLSv1.1 and TLSv1.2 active and only SSLv3
> and TLSv1.0 disabled. If this is not possible, only SSLv3
> disabled.
>
> For SSLv2 there was the DisableSSLv2 option. I hoped there
> could be something similar for SSLv3. If not, perhaps we need a
> different solution.
>
> Kind Regards
>
> Ute
>
>> Hi,
>>
>> Pound uses OpenSSL for SSL/TLS. That means all the available features
>> depend on your OpenSSL installation.
>>
>> There is a directive "Ciphers" for defining custom cipher lists in the
>> Pound configuration file (see Pound manual page). It expects a regular
>> OpenSSL cipher list. A leading exclamation mark excludes a cipher. For
>> example:
>>
>> Ciphers "ALL:!SSLv2"
>>
>> You can use OpenSSL to test and check cipher lists. The command "openssl
>> ciphers -v 'ALL:!SSLv2'" is a good starting point ... take a look at the
>> manual page (man ciphers) or search Google for OpenSSL cipher lists.
>>
>> Hope this helps :-)
>>
>> Kind regards,
>> Leo
>>
>>
>> On 02/24/2014 04:54 PM, Ute Carstens wrote:
>>> Is it possible to disable SSLv3? The German BSI recommends
>>> it and one of our customers wants us to disable SSLv3 on the
>>> pound-instance we configured for them.
>>>
>>> If not - Is it possible to loadbalance the SSL-Traffic and
>>> let the Tomcat servers terminate the SSL-Session?
>>>
>>> Kind Regards
>>>
>>> Ute
>>>
>>> --
>>> To unsubscribe send an email with subject unsubscribe to [email protected].
>>> Please contact [email protected] for questions.
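
Added example, not part of the original thread or of Pound/OpenSSL: a small model of why `openssl ciphers -v "ALL:-SSLv3"` leaves only TLSv1.2 suites. It assumes the second column of `openssl ciphers -v` is the protocol version in which a suite was first defined (so TLSv1.0 and TLSv1.1 reuse the suites tagged SSLv3); the sample lines and function names are constructed for illustration.

```python
# Constructed sample in the format printed by `openssl ciphers -v` (OpenSSL 1.0.1).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

# Protocol versions from oldest to newest, as named in the thread.
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def parse(text):
    """Return (suite_name, first_defined_in) pairs from `ciphers -v` output."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            suites.append((fields[0], fields[1]))
    return suites


def drop_tag(suites, tag):
    """Model '-TAG' or '!TAG' in a cipher string: remove suites carrying that tag."""
    return [(name, proto) for name, proto in suites if proto != tag]


def negotiable(suites):
    """Map each protocol version to the suites a handshake at that version can use."""
    usable = {proto: [] for proto in PROTOCOLS}
    for name, first in suites:
        if first not in PROTOCOLS:
            continue  # e.g. SSLv2-only suites, not modelled here
        # A suite works in the version that defined it and in every later one.
        for proto in PROTOCOLS[PROTOCOLS.index(first):]:
            usable[proto].append(name)
    return usable


def usable_protocols(suites):
    """Protocol versions that still have at least one suite to negotiate."""
    return [proto for proto, names in negotiable(suites).items() if names]


if __name__ == "__main__":
    all_suites = parse(SAMPLE)
    print("ALL        ->", usable_protocols(all_suites))
    print("ALL:-SSLv3 ->", usable_protocols(drop_tag(all_suites, "SSLv3")))
```

Removing the SSLv3-tagged suites also removes every suite a TLSv1.0 or TLSv1.1 handshake could pick, so the cipher list cannot express "TLSv1.1 and TLSv1.2 only". In OpenSSL the protocol versions themselves are switched off with context options such as `SSL_OP_NO_SSLv3`, which are separate from the cipher list.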
