Joe,
Thanks very much for writing this up. My sites were stuck @ A- because of PFS 
and this was just the tweak I needed to get up to A+

One minor typo correction below is this should read:
        openssl dhparam -5 2048 -out dh2048.pem

Also, folks may want to specify the full path to the resulting dh2048.pem in 
their configurations to avoid any problems on service restart.

-T

On Oct 23, 2014, at 1:59 PM, Joe Gooch wrote:

> If you're running the official 2.7d (or higher) branch, you do so with:
>  Disable SSLv3
> 
> which also implicitly disables SSLv2.
> 
> To get an A on SSLLabs, you'll need to do *more* than that.  I run this:
> 8<----------------
> #dh2048.pem generated with openssl dhparams -5 2048 -out dh2048.pem
> DHParams        "dh2048.pem"
> ECDHCurve       prime256v1
> 
> ListenHTTPS
>   .....
>        SSLAllowClientRenegotiation     0
>        SSLHonorCipherOrder     1
> 
>        Ciphers           "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:-RC4:EECDH+aRSA+RC4:EECDH+RC4:EDH+aRSA+RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:RC4+SHA"
>    .....
> 8<----------------
> 
> If you need Java 6 support, you need to do DH 1024 bit instead of 2048
> bit. (Pound's default for strong ciphers)
> If you're not interested in RC4 compatibility for older browsers, use a
> Ciphers line more like this:
>        Ciphers           "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
> 
> You need to be running OpenSSL 1.0+ for this to make any difference. 
> Otherwise you won't have ECDHE or half the ciphers I've listed.  And for
> FALLBACK_SCSV reasons, you're going to want OpenSSL 1.0.1j or better, or
> if you're using 1.0.0 you'll want 1.0.0o or better.  (See US-CERT
> Advisory here
> https://www.us-cert.gov/ncas/current-activity/2014/10/16/OpenSSL-Patches-Four-Vulnerabilities)
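A pre-deployment check for a Ciphers line like the no-RC4 one above, added here as an example and not part of either message: it has the local OpenSSL (via Python's ssl module, the same library Pound links against) expand the string and flags any suite whose key exchange is not ephemeral, which is exactly what costs the PFS grade on SSLLabs. The static-RSA suite used for contrast is a constructed input; the resolved list depends on the OpenSSL build, as the message notes.

```python
import ssl

# The no-RC4 Ciphers line from the quoted message, as Pound would receive it.
PFS_CIPHERS = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:"
    "!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
)

# Constructed counter-example: same PFS prefix, plus a static-RSA suite that
# would quietly remove forward secrecy from the deployment.
MIXED_CIPHERS = "EECDH+aRSA+AESGCM:AES128-GCM-SHA256"

# Key-exchange labels Python's ssl reports for ephemeral suites.
# "kx-any" is what TLS 1.3 suites report; they are always ephemeral.
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def expand_cipher_string(cipher_string):
    """Return the suites the local OpenSSL resolves the string to, in priority order.

    Raises ssl.SSLError if no suite matches at all (an old OpenSSL without
    ECDHE support would simply drop the EECDH entries rather than fail).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def non_pfs_suites(cipher_string):
    """Names of resolved suites whose key exchange is not ephemeral."""
    return [c["name"] for c in expand_cipher_string(cipher_string)
            if c["kea"] not in EPHEMERAL_KX]


def audit(cipher_string):
    """Summarise the expansion: suite count, offenders, and a pass/fail flag."""
    suites = expand_cipher_string(cipher_string)
    offenders = non_pfs_suites(cipher_string)
    return {"total": len(suites), "non_pfs": offenders, "ok": not offenders}


if __name__ == "__main__":
    for label, spec in (("PFS-only", PFS_CIPHERS), ("mixed", MIXED_CIPHERS)):
        result = audit(spec)
        print(f"{label}: {result['total']} suites, PFS ok={result['ok']}")
        for name in result["non_pfs"]:
            print(f"  non-PFS suite would be offered: {name}")
```

Run it on the machine that will run Pound, since the expansion (and therefore the grade) reflects that host's OpenSSL, not the one where the config was written.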

