I'm guessing that the SSLNoFragment & SSLNoCompression options didn't make
it into the latest build or got a name change.
You should be alright to remove these two options as they do what the name
suggests.

I've not built a 2.7 version yet but it is on my to-do-list.

On 21 May 2015 at 12:48, Daniel <[email protected]> wrote:

> Hi,
>
> I just updated it to:
>
> Version 2.7f
>   Configuration switches:
>     --enable-cert1l
>     --with-dh=2048
>
>
> But when I use these options
>
>     DisableSSLv2
>     DisableSSLv3
>     SSLNoFragment 0
>     SSLNoCompression 1
>
> it shows this error: unknown directive
>
> thanks
>
>
>
> 2015-05-21 13:17 GMT+02:00 Scott McKeown <[email protected]>:
>
>> Hi Daniel,
>>
>> First off, what version of Pound are you running?
>>
>> There were a few patch files written a while back that should resolve
>> most of these issues and if I remember correctly are in the latest build:
>>
>> Try adding the following options into your configuration file:
>>
>>     SSLHonorCipherOrder 1
>>     SSLAllowClientRenegotiation 0
>>     DisableSSLv2
>>     DisableSSLv3
>>     SSLNoFragment 0
>>     SSLNoCompression 1
>>
>> You may also need to change your Cipher List to something like:
>>
>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4:HIGH:!MD5:!aNULL:!EDH
>>
>>
>>
>> On 21 May 2015 at 11:54, Daniel <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> I just made a test via ssllabs.com. And I got a grade F for my SSL
>>> connection.
>>>
>>> The issues are:
>>>
>>> This server supports insecure Diffie-Hellman (DH) key exchange
>>> parameters. Grade set to F.
>>> This server supports 512-bit export suites and might be vulnerable to
>>> the FREAK attack. Grade set to F.
>>> This server is vulnerable to the POODLE attack. If possible, disable SSL
>>> 3 to mitigate. Grade capped to C.
>>> This server accepts the RC4 cipher, which is weak. Grade capped to B.
>>>
>>> My pound.cfg is this in the https section:
>>>
>>> ListenHTTPS
>>>     HeadRemove "X-Forwarded-Proto"
>>>     AddHeader  "X-Forwarded-Proto: https"
>>>     Address    0.0.0.0
>>>     Port       443
>>>     Cert       "/etc/ssl/mydomain.com/mydomain.com.pem"
>>>     Ciphers    "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"/"ALL:!SSLv2:!SSLv3"
>>>     Service
>>>         HeadRequire "Host: mydomain.com"
>>>         Redirect "https://www.mydomain.com"
>>>     End
>>>     Service
>>>         BackEnd
>>>             Address 127.0.0.1
>>>             Port    6081
>>>         End
>>>     End
>>> End
>>>
>>> Can anyone advise what I need to change to get a better rating and make
>>> it more secure?
>>>
>>> thanks,
>>>
>>> Daniel
>>>
>>>
>>
>>
>> --
>> With Kind Regards.
>>
>> Scott McKeown
>> Loadbalancer.org
>> http://www.loadbalancer.org
>> Tel (UK) - +44 (0) 3303801064 (24x7)
>> Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
>>
>
>


-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
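
A static lint for one ListenHTTPS block that turns the four SSL Labs findings quoted in this thread into config checks. It is an added example, not part of the thread or of Pound; the function name, the sample blocks and the name-based token matching are assumptions. It does not expand OpenSSL aliases other than ALL, so confirm the result with `openssl ciphers -v` on the OpenSSL build that Pound links against.

```python
import re

def lint_listener(block):
    """Return findings for the text of one ListenHTTPS block (name-based heuristics)."""
    findings = []
    directives = {ln.split()[0].lower() for ln in block.splitlines() if ln.split()}
    if "disablesslv3" not in directives:
        findings.append("SSLv3 not disabled (POODLE)")
    m = re.search(r'^\s*Ciphers\s+"([^"]*)"', block, re.M | re.I)
    if not m:
        return findings + ["no Ciphers directive, library default list applies"]
    tokens = [t for t in re.split(r"[:, ]+", m.group(1)) if t]
    # "!X" removes X permanently; "-X" removes it for now; "+X" only reorders.
    excluded = {t[1:].upper() for t in tokens if t[0] == "!"}
    enabled = [t.lstrip("+").upper() for t in tokens if t[0] not in "!-"]
    broad = "ALL" in enabled  # ALL selects nearly every suite the library has
    if (broad or any("RC4" in t for t in enabled)) and "RC4" not in excluded:
        findings.append("RC4 enabled")
    if (broad or any(t.startswith("EXP") for t in enabled)) \
            and not excluded & {"EXP", "EXPORT"}:
        findings.append("export suites not excluded (FREAK)")
    if (broad or any(t.startswith(("DHE", "EDH")) for t in enabled)) \
            and not excluded & {"DH", "DHE", "EDH", "KDHE", "KEDH"}:
        findings.append("DHE enabled, verify the DH parameter size")
    return findings

# Constructed sample blocks, modelled on the configuration quoted in the thread.
WEAK = '''ListenHTTPS
    Address 0.0.0.0
    Port    443
    Ciphers "DHE-RSA-AES256-SHA:AES256-SHA:DES-CBC3-SHA:ALL:!SSLv2"
End'''
HARDENED = '''ListenHTTPS
    Address 0.0.0.0
    Port    443
    DisableSSLv2
    DisableSSLv3
    SSLHonorCipherOrder 1
    SSLAllowClientRenegotiation 0
    Ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:HIGH:!MD5:!aNULL:!EDH:!RC4:!EXPORT"
End'''

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, lint_listener(cfg) or "no findings")
```

An empty result only means none of these four name-based checks fired; the directive spellings checked are the ones quoted in the thread and may differ between Pound builds.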
