On 25 February 2014 11:12, Ute Carstens <[email protected]> wrote:

>
> Hi,
>
> thank you for answering, but that doesn't really help.
> We use Pound-2.7b on a Debian wheezy with openssl 1.0.1e.
> openssl ciphers -v "ALL:-SSLv3" returns only TLSv1.2 ciphers.
> (And I tried so many combinations now, that I got sick)
>
> The customer wants TLSv1.1 and TLSv1.2 active and only SSLv3
> and TLSv1.0 disabled. If this is not possible, only SSLv3
> disabled.
>
>
Within OpenSSL itself, the string "TLSv1.1" is not supported as an
alias, whereas TLSv1.2 is (in 1.0.1f, see the "protocol version aliases"
in ssl/ssl_ciph.c)

This is presumably intentional if there are no v1.1 specific ciphers
(AFAIK TLSv1.1 simply removed the export ciphers relative to TLSv1.0).

In any case, ciphers and protocol versions are distinct concepts;
this kind of thing would work if you wanted to fudge enforcing TLSv1.2
and had the option of selecting strictly TLSv1.2 ciphers, but not for
this.


> For SSLv2 there was the DisableSSLv2 option. I hoped there
> could be something similar for SSLv3. If not, perhaps we need a
> different solution.
>
>
(You could rebuild OpenSSL with the following defined
  OPENSSL_NO_SSL2
  OPENSSL_NO_SSL3

*but* unlike the OpenSSL API SSL_OP_NO_xxx there is only
"OPENSSL_NO_TLS1" with no granularity for 1.0/1.1/1.2, so
building with OPENSSL_NO_TLS1 too will break things, badly...)

The options right now are to modify Pound's config.c:
1. (2.6 or 2.7) add calls
  SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv3);
  SSL_CTX_set_options(pc->ctx, SSL_OP_NO_TLSv1);
within the final for() loop of function parse_HTTPS().

2. (2.7 only) add SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1
 to the or-ed list in "ssl_op_enable"  (line #912)

The way the OpenSSL API works (AFAICT) is that you can
initialise it with just one protocol by calling the version-specific
XXX_client_method() and/or XXX_server_method() functions
-or- more usually for a server, you initialise it with everything
(SSLv23_server_method()) and selectively disable.

Adding this should be a fairly straightforward patch, a simple
variation on DisableSSLv2 as you suggest.

The above only affects https Listeners, further changes would
be required for HTTPS connections to backends (the same applies
to DisableSSLv2).

C.



> Kind Regards
>
> Ute
>
> > Hi,
> >
> > Pound uses OpenSSL for SSL/TLS. That means all the available features
> > depend on your OpenSSL installation.
> >
> > There is a directive "Ciphers" for defining custom cipher lists in the
> > Pound configuration file (see Pound manual page). It expects a regular
> > OpenSSL cipher list. A leading exclamation mark excludes a cipher. For
> > Example:
> >
> >     Ciphers "ALL:!SSLv2"
> >
> > You can use OpenSSL to test and check cipher lists. The command "openssl
> > ciphers -v 'ALL:!SSLv2'" is a good starting point ... take a look at the
> > manual page (man ciphers) or search Google for OpenSSL cipher lists.
> >
> > Hope this helps :-)
> >
> > Kind regards,
> > Leo
> >
> >
> > On 02/24/2014 04:54 PM, Ute Carstens wrote:
> > > Is it possible to disable SSLv3? The German BSI recommends
> > > it and one of our customers wants us to disable SSLv3 on the
> > > pound-instance we configured for them.
> > >
> > > If not - Is it possible to loadbalance the SSL-Traffic and
> > > let the Tomcat servers terminate the SSL-Session?
> > >
> > > Kind Regards
> > >
> > > Ute
> > >
> > > --
> > > To unsubscribe send an email with subject unsubscribe to
> [email protected].
> > > Please contact [email protected] for questions.
> > >
> >
> >
> > --
> > To unsubscribe send an email with subject unsubscribe to [email protected].
> > Please contact [email protected] for questions.
>
> --
> Pelikan & Partner                  WWW     : http://www.ppp.net
> PPP Internetdienstleistungen GmbH  E-Mail  : [email protected]
> Holzdamm 40                        Telefon : +49-40-284022-40
> 20099 Hamburg                      Telefax : +49-40-284022-42
>
> Geschäftsführer: Lutz Pelikan, Martin Stöckle
> Sitz: Hamburg, Amtsgericht: Hamburg, HRB 63374
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
>
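The "initialise with everything, then selectively disable" pattern that C. describes above (SSLv23_server_method() plus SSL_CTX_set_options() with SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1), written out as a runnable example. This is added here for illustration and is neither code from the thread nor from Pound; it uses Python's standard-library ssl module, which wraps the same OpenSSL calls (ssl.PROTOCOL_TLS_SERVER corresponds to SSLv23_server_method(), and assigning to ctx.options calls SSL_CTX_set_options). The function names, the default of disabling SSLv3 and TLSv1.0 only, and the comparison against the per-cipher "protocol" column of `openssl ciphers -v` are this example's own choices. It also makes the thread's other point visible: the protocol label attached to each cipher in a cipher list is not the set of enabled protocol versions.

```python
import ssl
import warnings

# OpenSSL's SSL_OP_NO_* bits as exposed by the stdlib ssl module. There is one
# bit per protocol version, which is exactly the granularity the thread wants
# (unlike the compile-time OPENSSL_NO_TLS1 switch, which removes all of TLS).
_NO_PROTO_BITS = (
    ("SSLv3", ssl.OP_NO_SSLv3),
    ("TLSv1", ssl.OP_NO_TLSv1),
    ("TLSv1.1", ssl.OP_NO_TLSv1_1),
    ("TLSv1.2", ssl.OP_NO_TLSv1_2),
)


def build_server_context(disabled=("SSLv3", "TLSv1")):
    """Build a server context the way the proposed Pound patch would:
    start from the 'negotiate anything' server method and switch individual
    protocol versions off with SSL_OP_NO_* option bits.

    ssl.PROTOCOL_TLS_SERVER is the stdlib's SSLv23_server_method(); the
    default argument reproduces the thread's goal (SSLv3 and TLSv1.0 off,
    TLSv1.1 and TLSv1.2 still on).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    bits = dict(_NO_PROTO_BITS)
    mask = 0
    for name in disabled:
        if name not in bits:
            raise ValueError("unknown protocol version: %r" % (name,))
        mask |= bits[name]
    # Newer Pythons deprecate the OP_NO_* bits in favour of ctx.minimum_version.
    # The bits still work; the warning is silenced so the OpenSSL-level API the
    # thread discusses stays visible.
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= mask  # same effect as SSL_CTX_set_options(ctx, mask)
    return ctx


def disabled_protocols(ctx):
    """Versions switched off by SSL_OP_NO_* bits, read back via SSL_CTX_get_options."""
    return frozenset(name for name, bit in _NO_PROTO_BITS if ctx.options & bit)


def enabled_protocols(ctx):
    """Versions the context may still negotiate, judged by the same option bits."""
    return frozenset(name for name, bit in _NO_PROTO_BITS if not ctx.options & bit)


def cipher_protocol_labels(ctx):
    """The 'protocol' column of `openssl ciphers -v`: the version each suite was
    introduced in. It is a property of the cipher list, not of which protocol
    versions are enabled, which is why 'ALL:-SSLv3' cannot disable SSLv3."""
    return frozenset(c["protocol"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    ctx = build_server_context()
    print("disabled by SSL_OP_NO_*:", sorted(disabled_protocols(ctx)))
    print("still negotiable:       ", sorted(enabled_protocols(ctx)))
    print("cipher-list protocols:  ", sorted(cipher_protocol_labels(ctx)))
```

Reading the option bits back is the check worth keeping: after any change to Pound's ssl_op_enable list or to parse_HTTPS(), confirming that exactly the intended SSL_OP_NO_* bits are set on the resulting SSL_CTX is cheaper than probing the listener with a client, and it catches the case where a cipher-string change was mistaken for a protocol change. Note that the option bits only remove versions from the set the server offers; the same treatment is needed on the backend side, as the thread says about DisableSSLv2.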