Hi Michael,

Thanks. Now I have an A rating :)

Daniel

2015-05-21 13:14 GMT+02:00 Brückler Michael <[email protected]>:

>  Hi Daniel,
>
>
>
>         SSLHonorCipherOrder 1
>         Disable SSLv3
>         Ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
>
>
>
>
>
> Regards,
>
> Michael
>
>
>
> *From:* Daniel [mailto:[email protected]]
> *Sent:* Thursday, 21 May 2015 12:54
> *To:* pound
> *Subject:* [Pound Mailing List] SSL Parameter
>
>
>
> Hello,
>
>
>
> I just made a test via ssllabs.com. And I got a grade F for my SSL
> connection.
>
>
>
> The issues are:
>
>
>
> This server supports insecure Diffie-Hellman (DH) key exchange parameters.
> Grade set to F.
>
> This server supports 512-bit export suites and might be vulnerable to the
> FREAK attack. Grade set to F.
>
> This server is vulnerable to the POODLE attack. If possible, disable SSL 3
> to mitigate. Grade capped to C.
>
> This server accepts the RC4 cipher, which is weak. Grade capped to B.
>
>
>
> My pound.cfg is this in the https section:
>
>
>
> ListenHTTPS
>     HeadRemove "X-Forwarded-Proto"
>     AddHeader  "X-Forwarded-Proto: https"
>     Address    0.0.0.0
>     Port       443
>     Cert       "/etc/ssl/mydomain.com/mydomain.com.pem"
>     Ciphers    "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"/"ALL:!SSLv2:!SSLv3"
>     Service
>         HeadRequire "Host: mydomain.com"
>         Redirect "https://www.mydomain.com";
>     End
>     Service
>         BackEnd
>             Address 127.0.0.1
>             Port    6081
>         End
>     End
> End
>
>
>
> Can anyone advise what I need to change to get a better rating and make it
> more secure?
>
>
>
> thanks,
>
>
>
> Daniel
>
>
>
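An added example, not part of the original messages: it expands the two cipher strings quoted in this thread with the local OpenSSL (through Python's `ssl` module) and flags suites matching the findings discussed above (export, RC4, 3DES, DHE). The function names are this example's own, and the result reflects the OpenSSL build it runs on, not the server's; SSLv3 is a protocol setting (`Disable SSLv3`) and cannot be seen in a cipher string.

```python
import ssl

# First quoted string of the original Ciphers line in the thread.
ORIGINAL = ("DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:"
            "DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:"
            "EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA")
# Cipher string suggested in the reply.
HARDENED = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
            "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 "
            "EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4")

def classify(name):
    """Return the findings that apply to one OpenSSL cipher suite name."""
    base = name[4:] if name.startswith("EXP-") else name
    findings = []
    if name.startswith("EXP"):
        findings.append("export")
    if "RC4" in name:
        findings.append("rc4")
    if "DES-CBC3" in name:
        findings.append("3des")
    # DHE strength depends on the server's DH parameters, which the
    # cipher string does not show, so these suites are only flagged.
    if base.startswith(("DHE-", "EDH-", "ADH-")):
        findings.append("dhe")
    return findings

def expand(cipher_string):
    """Expand an OpenSSL cipher string using the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]

def audit(cipher_string):
    """Map every enabled suite that has findings to those findings."""
    return {n: classify(n) for n in expand(cipher_string) if classify(n)}

if __name__ == "__main__":
    for label, s in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(label)
        for name, findings in audit(s).items():
            print("  %-34s %s" % (name, ", ".join(findings)))
```

Suites flagged only as `dhe` still need the server's DH parameter size checked separately.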
