Hi! Thank you very much. Your patch worked fine for me.

Kind regards,
Ute

> On 25 February 2014 11:12, Ute Carstens <[email protected]> wrote:
> > Hi,
> >
> > thank you for answering, but that doesn't really help.
> > We use Pound-2.7b on a Debian wheezy with openssl 1.0.1e.
> > openssl ciphers -v "ALL:-SSLv3" returns only TLSv1.2 ciphers.
> > (And I tried so many combinations now that I got sick.)
> >
> > The customer wants TLSv1.1 and TLSv1.2 active and only SSLv3
> > and TLSv1.0 disabled. If this is not possible, only SSLv3
> > disabled.
>
> Within OpenSSL itself, the string "TLSv1.1" is not supported as an
> alias, whereas TLSv1.2 is (in 1.0.1f, see the "protocol version aliases"
> in ssl/ssl_ciph.c).
>
> This is presumably intentional if there are no v1.1-specific ciphers
> (AFAIK TLSv1.1 simply removed the export ciphers relative to TLSv1.0).
>
> In any case, ciphers and protocol versions are distinct concepts;
> this kind of thing would work if you wanted to fudge enforcing TLSv1.2
> and had the option of selecting strictly TLSv1.2 ciphers, but not for
> this.
>
> > For SSLv2 there was the DisableSSLv2 option. I hoped there
> > could be something similar for SSLv3. If not, perhaps we need a
> > different solution.
>
> (You could rebuild OpenSSL with the following defined:
> OPENSSL_NO_SSL2
> OPENSSL_NO_SSL3
>
> *but* unlike the OpenSSL API SSL_OP_NO_xxx there is only
> "OPENSSL_NO_TLS1" with no granularity for 1.0/1.1/1.2, so
> building with OPENSSL_NO_TLS1 too will break things, badly...)
>
> The options right now are to modify Pound's config.c:
>
> 1. (2.6 or 2.7) add the calls
>
>        SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv3);
>        SSL_CTX_set_options(pc->ctx, SSL_OP_NO_TLSv1);
>
>    within the final for() loop of function parse_HTTPS().
>
> 2. (2.7 only) add SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1
>    to the or-ed list in "ssl_op_enable" (line #912).
>
> The way the OpenSSL API works (AFAICT) is that you can
> initialise it with just one protocol by calling the version-specific
> XXX_client_method() and/or XXX_server_method() functions,
> -or- more usually for a server, you initialise it with everything
> (SSLv23_server_method()) and selectively disable.
>
> This should be a fairly straightforward patch to add, as
> a simple variation on DisableSSLv2 as you suggest.
>
> The above only affects HTTPS Listeners; further changes would
> be required for HTTPS connections to backends (the same applies
> to DisableSSLv2).
>
> C.
>
> > Kind Regards
> >
> > Ute
> >
> > > Hi,
> > >
> > > Pound uses OpenSSL for SSL/TLS. That means all the available features
> > > depend on your OpenSSL installation.
> > >
> > > There is a directive "Ciphers" for defining custom cipher lists in the
> > > Pound configuration file (see Pound manual page). It expects a regular
> > > OpenSSL cipher list. A leading exclamation mark excludes a cipher. For
> > > example:
> > >
> > >     Ciphers "ALL:!SSLv2"
> > >
> > > You can use OpenSSL to test and check cipher lists. The command "openssl
> > > ciphers -v 'ALL:!SSLv2'" is a good starting point ... take a look at the
> > > manual page (man ciphers) or search Google for OpenSSL cipher lists.
> > >
> > > Hope this helps :-)
> > >
> > > Kind regards,
> > > Leo
> > >
> > > On 02/24/2014 04:54 PM, Ute Carstens wrote:
> > > > Is it possible to disable SSLv3? The German BSI recommends
> > > > it and one of our customers wants us to disable SSLv3 on the
> > > > pound instance we configured for them.
> > > >
> > > > If not - is it possible to load-balance the SSL traffic and
> > > > let the Tomcat servers terminate the SSL session?
> > > >
> > > > Kind Regards
> > > >
> > > > Ute
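The distinction C. draws above between a cipher-list filter such as "ALL:-SSLv3" and the SSL_OP_NO_SSLv3 / SSL_OP_NO_TLSv1 context options, shown as an added example that is not code from the thread or from Pound: it uses Python's ssl module (which wraps the same OpenSSL SSL_CTX options) in place of the C API, and assumes a Python build against OpenSSL 1.1 or later. Note that Python already sets OP_NO_SSLv3 on every context it creates, so TLSv1.0 is the bit the example toggles.

```python
import ssl

# The SSL_OP_NO_* bits C. suggests passing to SSL_CTX_set_options()
# from Pound's parse_HTTPS(); here they are applied via ctx.options.
NO_LEGACY = ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1


def cipher_filtered_context() -> ssl.SSLContext:
    """What a Pound 'Ciphers "ALL:-SSLv3"' line does: trim the cipher list, nothing more."""
    # PROTOCOL_TLS_SERVER is the "initialise with everything" route
    # (SSLv23_server_method()) that the thread describes.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:-SSLv3")  # removes suites whose *minimum* version is SSLv3
    return ctx


def protocol_restricted_context() -> ssl.SSLContext:
    """The SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1) route."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= NO_LEGACY  # protocol versions, independent of the cipher list
    # Modern equivalent, if the OpenSSL build supports it:
    #   ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    return ctx


def disabled_versions(ctx: ssl.SSLContext) -> dict:
    """Which legacy versions the context refuses to negotiate (SSLv3 is always True in Python)."""
    return {
        "SSLv3": bool(ctx.options & ssl.OP_NO_SSLv3),
        "TLSv1.0": bool(ctx.options & ssl.OP_NO_TLSv1),
    }


def cipher_min_versions(ctx: ssl.SSLContext) -> set:
    """Minimum-protocol label of each enabled suite, as 'openssl ciphers -v' prints it."""
    return {c["protocol"] for c in ctx.get_ciphers()}


if __name__ == "__main__":
    for label, ctx in (("Ciphers ALL:-SSLv3", cipher_filtered_context()),
                       ("SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1", protocol_restricted_context())):
        # The cipher filter leaves TLSv1.0 negotiable; only the options disable it.
        print(label, disabled_versions(ctx), sorted(cipher_min_versions(ctx)))
```

Filtering the cipher list never clears OP_NO_TLSv1, which is why Ute's "ALL:-SSLv3" experiment could not meet the requirement; the context options are what a TLSv1.0 client actually runs into.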
