On Thursday 23 October 2014 16:09:37 alexus wrote:
> ANNOUNCE: Pound - reverse proxy and load balancer - v2.7d / Robert
> Segall <[email protected]>
> http://www.apsis.ch/pound/pound_list/archive/2014/2014-10/1413628998000
>
> I see the following enhancement was added:
> - added "Disable PROTO" directives (fix for Poodle vulnerability)
>
> Currently, I'm using the following:
>
> [root@6svprx01 ~]# uname -a
> Linux 6svprx01.XXX.org 2.6.32-504.el6.x86_64 #1 SMP Tue Sep 16 01:56:35 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
> [root@6svprx01 ~]# rpm -q Pound
> Pound-2.6-2.el6.x86_64
> [root@6svprx01 ~]# grep Ciphers /etc/pound.cfg
> Ciphers "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM"
> [root@6svprx01 ~]#
>
> ... to address POODLE SSLv3, I added "!SSLv3" into "Ciphers".
>
> Yet while using "Qualys SSL Labs - Projects / SSL Server Test" to
> test, I get "Protocol or cipher suite mismatch" in "Handshake
> Simulation".
>
> Is there a way to address this _WITHOUT_ upgrading to Pound v2.7d
> (beta) and then using the new directives?
You can also upgrade to the 2.6 pcidss branch and then use the new directives, but you cannot fix POODLE with the stock EPEL version of Pound unless you *only* need TLSv1.2 support. The reason for this is that most (if not all) "SSLv3" ciphers are also usable with TLSv1+, and so by disabling "SSLv3" ciphers you're actually disabling all of your TLSv1 and TLSv1.1 ciphers as well, leaving only TLSv1.2 ciphers (which are not well supported yet).

- Neil

--
To unsubscribe send an email with subject unsubscribe to [email protected].
Please contact [email protected] for questions.
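Neil's explanation of what "!SSLv3" does to a cipher string can be checked directly against OpenSSL's cipher-string parser. OpenSSL tags every cipher suite with the earliest protocol version the suite is defined for, and the SSLv3 / TLSv1.2 keywords in a cipher string match on that tag, not on the protocol version a client negotiates; a suite tagged "SSLv3" is exactly the one a TLS 1.0 or 1.1 client would use. The script below is an added example written for this page, not code from the thread or from Pound. It takes the cipher string posted above, expands it through Python's ssl module (OpenSSL underneath) and groups the selected suites by that tag; the function names are mine. What it prints depends on the linked OpenSSL build: RC4 suites are missing from OpenSSL 3 builds without the legacy provider, suites that OpenSSL tags "TLSv1" rather than "SSLv3" (in current builds, the ECDHE suites with SHA-1 MACs) survive the "!SSLv3" rule, and keywords OpenSSL does not know are silently ignored, so on builds that no longer define "SSLv2" the "!SSLv2" rule is a no-op (the same property that makes a typo in a cipher string easy to miss). The last function shows the knob the cipher string cannot reach: keep every suite and switch off the SSLv3 protocol itself, which is what a "Disable SSLv3" directive has to do at the OpenSSL level.

```python
import ssl

# Cipher string from the original post (Pound's "Ciphers" directive).
POSTED = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM"


def suites_by_protocol(cipher_string):
    """Expand an OpenSSL cipher string and group the selected suites by the
    protocol tag OpenSSL attaches to each suite.

    The tag is the earliest protocol version the suite is defined for
    ("SSLv3" for AES256-SHA, "TLSv1.2" for AES256-GCM-SHA384) and is what the
    SSLv3 / TLSv1.2 keywords in a cipher string match on.  It says nothing
    about what a client will negotiate: a suite tagged "SSLv3" is offered to
    TLS 1.0 and 1.1 clients as well.

    OpenSSL 1.1.1+ always reports the TLS 1.3 suites (configured through a
    separate API, untouched by the cipher string), so they are left out.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    groups = {}
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue
        groups.setdefault(suite["protocol"], []).append(suite["name"])
    return groups


def suites_removed_by(cipher_string, rule):
    """Names of the suites that appending ':<rule>' removes from cipher_string.
    An unknown keyword (a typo, or "!SSLv2" on a build that no longer knows
    SSLv2) removes nothing and raises no error."""
    before = {n for names in suites_by_protocol(cipher_string).values() for n in names}
    after = {n for names in suites_by_protocol(cipher_string + ":" + rule).values()
             for n in names}
    return sorted(before - after)


def poodle_context(cipher_string):
    """Disable the SSLv3 *protocol* and keep the full cipher list.

    Added illustration of what a protocol-level "Disable SSLv3" does in
    OpenSSL terms (not Pound's code): the floor is set to TLS 1.0, so the
    suites tagged "SSLv3" stay available to TLS 1.0/1.1 clients.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


if __name__ == "__main__":
    for label, cs in (("posted", POSTED), ("posted + !SSLv3", POSTED + ":!SSLv3")):
        print(f"== {label}")
        for proto, names in sorted(suites_by_protocol(cs).items()):
            print(f"  {proto:8} {len(names):3} suites, e.g. {', '.join(names[:3])}")
    print("removed by !SSLv3:", ", ".join(suites_removed_by(POSTED, "!SSLv3")))
    print("removed by !NOSUCHKEYWORD:", suites_removed_by(POSTED, "!NOSUCHKEYWORD"))
    ctx = poodle_context(POSTED)
    kept = [s["name"] for s in ctx.get_ciphers() if s["protocol"] != "TLSv1.3"]
    print(f"protocol-level fix: minimum_version={ctx.minimum_version.name}, "
          f"{len(kept)} suites kept")
```

Run it as-is; the "posted + !SSLv3" section is the list a stock Pound 2.6 would offer after the poster's change, with every "SSLv3"-tagged suite gone, which is why SSL Labs' older simulated clients reported a protocol or cipher suite mismatch.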
