Both pcidss/v2.6 and stage_for_upstream/v2.7c have been updated with patches that implement config options for DisableSSLv3, DisableTLSv10, DisableTLSv11, DisableTLSv12 (if I was going to do one, I might as well do them all).

In addition there's a backend config option, TLSFallbackSCSV. Each option is only available to you if your OpenSSL library supports it.

My research on TLS_FALLBACK_SCSV is that the client has to set this in their Hello header. The server just processes that as part of the handshake. That's why there's only an option for HTTPS backends to use it - the case when pound is the client. HTTPS Listeners should implicitly use this option if it's baked into your OpenSSL library.

Stage for upstream branch: https://github.com/goochjj/pound/tree/stage_for_upstream/v2.7c
Zip here: https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7c.zip

PCIDSS branch: https://github.com/goochjj/pound/tree/pcidss/v2.6
Zip here: https://github.com/goochjj/pound/archive/pcidss/v2.6.zip

Please test and let me know if you have any issues.

Joe
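
The server-side half of the TLS_FALLBACK_SCSV exchange described in the message above, as an added example that is not part of the original post and is not Pound's or OpenSSL's code. It applies the RFC 7507 rule to a ClientHello body (the bytes after the 4-byte handshake header); the names fallback_check and make_hello are hypothetical and the sample hello is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_FALLBACK_SCSV 0x5600  /* RFC 7507 signalling cipher suite value */
enum { FB_PROCEED = 0, FB_REJECT = 1, FB_MALFORMED = -1 };

/* Server-side rule from RFC 7507: if the ClientHello lists TLS_FALLBACK_SCSV
 * and offers a version below the server's highest supported version, the
 * server answers with a fatal inappropriate_fallback alert (86). */
int fallback_check(const uint8_t *p, size_t len, uint16_t server_max)
{
    size_t off = 2 + 32;                     /* client_version + random */
    if (len < off + 1) return FB_MALFORMED;
    uint16_t client_ver = (uint16_t)(p[0] << 8 | p[1]);
    off += 1 + (size_t)p[off];               /* session_id length + bytes */
    if (len < off + 2) return FB_MALFORMED;
    size_t cs_len = (size_t)(p[off] << 8 | p[off + 1]);
    off += 2;
    if (cs_len == 0 || cs_len % 2 || len < off + cs_len) return FB_MALFORMED;
    for (size_t i = 0; i < cs_len; i += 2)   /* scan the cipher_suites list */
        if ((p[off + i] << 8 | p[off + i + 1]) == TLS_FALLBACK_SCSV && client_ver < server_max)
            return FB_REJECT;
    return FB_PROCEED;
}

/* Constructed sample input: a minimal ClientHello body (zero random,
 * empty session_id) offering version `ver` and the given cipher suites. */
size_t make_hello(uint8_t *out, uint16_t ver, const uint16_t *suites, size_t n)
{
    size_t off = 0;
    out[off++] = (uint8_t)(ver >> 8); out[off++] = (uint8_t)(ver & 0xff);
    memset(out + off, 0, 32); off += 32;
    out[off++] = 0;                          /* session_id length */
    out[off++] = (uint8_t)((2 * n) >> 8); out[off++] = (uint8_t)((2 * n) & 0xff);
    for (size_t i = 0; i < n; i++) {
        out[off++] = (uint8_t)(suites[i] >> 8); out[off++] = (uint8_t)(suites[i] & 0xff);
    }
    return off;
}

int main(void)
{
    uint8_t buf[64];
    const uint16_t retry[] = { 0x002f, TLS_FALLBACK_SCSV };  /* downgraded retry */
    size_t n = make_hello(buf, 0x0301, retry, 2);            /* TLS 1.0 hello */
    printf("TLS 1.0 retry against a TLS 1.2 server: %d\n", fallback_check(buf, n, 0x0303));
    return 0;
}
```

A client that falls back from TLS 1.2 to TLS 1.0 and sets the SCSV is rejected by a server that still supports TLS 1.2, while the same hello without the SCSV, or one already at the server's highest version, proceeds.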
