Hello,

Try this config.

# CIPHER
SSLHonorCipherOrder 1
Ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-DES-CBC3-SHA"

Kind regards
Nino Fink

--
Network Department
Contria GmbH
Steinackerweg 18
4901 Langenthal
Tel. +41 62 919 07 90
Fax. +41 62 919 07 99
www.contria.ch

2015-05-21 12:54 GMT+02:00 Daniel <[email protected]>:

> Hello,
>
> I just made a test via ssllabs.com. And I got a grade F for my SSL
> connection.
>
> The issues are:
>
> This server supports insecure Diffie-Hellman (DH) key exchange parameters.
> Grade set to F.
> This server supports 512-bit export suites and might be vulnerable to the
> FREAK attack. Grade set to F.
> This server is vulnerable to the POODLE attack. If possible, disable SSL 3
> to mitigate. Grade capped to C.
> This server accepts the RC4 cipher, which is weak. Grade capped to B.
>
> My pound.cfg is this in the https section:
>
> ListenHTTPS
> HeadRemove "X-Forwarded-Proto"
> AddHeader "X-Forwarded-Proto: https"
> Address 0.0.0.0
> Port 443
> Cert "/etc/ssl/mydomain.com/mydomain.com.pem"
> Ciphers
>
> "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"/"ALL:!SSLv2:!SSLv3"
> Service
> HeadRequire "Host: mydomain.com"
> Redirect "https://www.mydomain.com"
> End
> Service
> BackEnd
> Address 127.0.0.1
> Port 6081
> End
> End
> End
>
> Can anyone advise what I need to change to get a better rating and make it
> more secure?
>
> thanks,
>
> Daniel
>
>
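
Added example, not part of the original thread: a small Python linter that classifies the explicitly named suites in the two cipher strings quoted above, so the lists can be compared before a rescan. It reads suite names only and does not expand OpenSSL keywords such as ALL; the function names and flag labels are this example's own.

```python
# Added example: lint explicitly named OpenSSL-style suites in a cipher string.
# ORIGINAL and PROPOSED are copied from the thread; flag labels are hypothetical.
ORIGINAL = (
    "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:"
    "DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:"
    "EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"
)
PROPOSED = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-DES-CBC3-SHA"
)

def lint_suite(name):
    """Return the flags that apply to one suite name, e.g. 'DHE-RSA-AES128-SHA'."""
    parts = name.split("-")
    export = parts[0].startswith("EXP")
    flags = ["export"] if export else []
    if "RC4" in parts:
        flags.append("rc4")
    if "DES" in parts:
        flags.append("3des" if "CBC3" in parts else "des")
    if parts[-1] == "MD5":
        flags.append("md5-mac")
    # Key exchange is the first component (the second for EXP-prefixed names).
    kx = parts[1] if export and len(parts) > 1 else parts[0]
    if kx in ("DHE", "EDH"):
        flags.append("dhe")  # strength depends on the server's DH parameters
    elif kx != "ECDHE":
        flags.append("no-forward-secrecy")
    return flags

def lint_cipher_list(cipher_string):
    """Map each flag to the suites carrying it; keywords are listed, not expanded."""
    report = {}
    for token in filter(None, cipher_string.split(":")):
        if token[0] in "!+-@" or "-" not in token:
            report.setdefault("keyword-not-expanded", []).append(token)
            continue
        for flag in lint_suite(token):
            report.setdefault(flag, []).append(token)
    return report

if __name__ == "__main__":
    for label, value in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(label)
        for flag, suites in sorted(lint_cipher_list(value).items()):
            print(f"  {flag}: {', '.join(suites)}")
```

A cipher string only selects suites: the SSL 3 and DH-parameter findings in the SSL Labs report are protocol-version and key-exchange-parameter settings, so the suites flagged `dhe` still need to be checked against the DH parameters the server actually uses.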
