Hi,

we did some testing and research as well.

Before poodle we were running five "pound 2.6 pcidss" instances on CentOS 6.5 x86_64 (with
openssl-1.0.1e-16.el6_5.14.x86_64 - which had some bugfixes for the heartbleed bugs).

With ssllabs.com and some special Cipher settings in the pound https listener we got the ssllabs.com A-

Actually, there is an openssl update for CentOS, which will get your CentOS openssl-1.0.1e patched to the official openssl-1.0.1j level.
CentOS/Redhat did some backports for the security patches to their "stable" 1.0.1e - so you should upgrade via yum update to:

openssl-1.0.1e-30.el6_5.2.x86_64
openssl-devel-1.0.1e-30.el6_5.2.x86_64

These packages are placed at http://mirror.centos.org/centos/6/updates/x86_64/Packages/

Actually these are our upgrade tasks:

yum update openssl openssl-devel
yum install gperftools-libs gperftools-devel pcre pcre-devel
# this will install these packages

gperftools-libs-2.0-11.el6.3.x86_64
gperftools-devel-2.0-11.el6.3.x86_64
pcre-7.8-6.el6.x86_64
pcre-devel-7.8-6.el6.x86_64

Get the pound 2.6 pcidss source code:

wget https://github.com/goochjj/pound/archive/pcidss/v2.6.zip
unzip v2.6.zip

./configure --enable-cert1l --enable-pcreposix --enable-tcmalloc --disable-super
make
make install

In your pound configuration, you need a more complex Ciphers list and the new directives that were patched into the pcidss branch:

ListenHTTPS

    Ciphers         "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

    DisableSSLv3
    DisableSSLv2

[Attention, this Ciphers directive deactivates RC4 completely - so IE8 on Windows XP will not work with https anymore.
 Joe Gooch posted a way where RC4 is deactivated for TLS 1.1 and newer only - therefore you need his posted Ciphers directive AND the following two options
 Ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:-RC4:EECDH+aRSA+RC4:EECDH+RC4:EDH+aRSA+RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:RC4+SHA"
 SSLAllowClientRenegotiation     0

 SSLHonorCipherOrder     1
# without these two options, you will be degraded to A- on ssllabs.com]

After pound restart you will get this result with ssllabs.com (screenshot):


Overall Rating A - everything is green.

Next week we will get the available 2.6 source packages and replace the source code with the pcidss version to build our own pound 2.6 pcidss rpm.

Hopefully the configuration steps will guide you to a secure setup on CentOS systems running pound in stable release.

best regards
matthias

On 23.10.2014 at 22:09, alexus wrote:
ANNOUNCE: Pound - reverse proxy and load balancer - v2.7d / Robert
Segall <[email protected]>
http://www.apsis.ch/pound/pound_list/archive/2014/2014-10/1413628998000

I see following enhancement was added:
    - added "Disable PROTO" directives (fix for Poodle vulnerability)

currently, I'm using following:

[root@6svprx01 ~]# uname -a
Linux 6svprx01.XXX.org 2.6.32-504.el6.x86_64 #1 SMP Tue Sep 16 01:56:35 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@6svprx01 ~]# rpm -q Pound
Pound-2.6-2.el6.x86_64
[root@6svprx01 ~]# grep Ciphers /etc/pound.cfg
    Ciphers    "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM"
[root@6svprx01 ~]#

... to address POODLE SSLv3, I added "!SSLv3" into "Ciphers".

Yet while using "Qualys SSL Labs - Projects / SSL Server Test" to
test, I get "Protocol or cipher suite mismatch" in "Handshake
Simulation".

Is there a way to address this _WITHOUT_ upgrading to Pound v2.7d
(beta) and then using new directives?
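
As an added check that is not part of either post, the script below expands the Ciphers strings quoted in this thread with the local OpenSSL (Python's ssl module hands them to SSL_CTX_set_cipher_list, the same call pound uses), verifies that the pcidss list really leaves no RC4/3DES/MD5/non-forward-secret suite, and shows why "!SSLv3" inside Ciphers removes suites rather than a protocol. The function names and the FORBIDDEN list are my own assumptions; the two cipher strings are copied from the thread.

```python
import ssl

# Ciphers strings quoted in this thread (copied here for offline checking).
PCIDSS_CIPHERS = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
                  "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
                  "EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES "
                  "!MD5 !EXP !PSK !SRP !DSS !RC4")
ASKER_CIPHERS = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM"

# Algorithms the pcidss string is meant to exclude (my own list), matched
# against OpenSSL suite names.
FORBIDDEN = ("RC4", "DES", "MD5", "NULL", "PSK", "SRP", "DSS", "EXP")


def cipher_names(spec):
    """Expand an OpenSSL cipher string as SSL_CTX_set_cipher_list applies it
    and return the selected suite names in priority order. OpenSSL accepts
    spaces as well as colons as separators, so the pcidss string works as
    written. An empty list means OpenSSL rejected the string because it
    selects no usable suite at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    # Newer OpenSSL also lists TLS 1.3 suites (TLS_*); they are not
    # controlled by this string, so they are reported as-is.
    return [c["name"] for c in ctx.get_ciphers()]


def policy_violations(names):
    """Suite names that contain a forbidden algorithm or lack forward-secret
    key exchange (ECDHE/DHE, or a TLS 1.3 suite)."""
    return [n for n in names
            if any(f in n for f in FORBIDDEN)
            or not n.startswith(("ECDHE-", "DHE-", "TLS_"))]


def lost_by_bang_sslv3(spec):
    """Suites that disappear when '!SSLv3' is appended to a cipher string.
    '!SSLv3' is a suite alias, not a protocol switch: it drops every suite
    OpenSSL tags with SSLv3 (e.g. AES128-SHA), which older clients need,
    while leaving SSLv3 itself enabled."""
    before = cipher_names(spec)
    after = set(cipher_names(spec + ":!SSLv3"))
    return [n for n in before if n not in after]


if __name__ == "__main__":
    print("pcidss violations:", policy_violations(cipher_names(PCIDSS_CIPHERS)))
    print("lost by !SSLv3:", lost_by_bang_sslv3(ASKER_CIPHERS))
```

The protocol itself is switched off by pound's DisableSSLv3 directive (or, on 2.7d, "Disable SSLv3"), which is why the Ciphers-only approach never satisfies the handshake simulation.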

