I have to add:

1.) Try the new config.
2.) Disable SSLv3 (if not needed disable SSLv2) (an easy way would be to
use LibreSSL)

Keep in mind that you might lose compatibility with Windows XP IE 6 - IE 8.

Kind regards
Nino Fink

-- 
Network Department

Contria GmbH
Steinackerweg 18
4901 Langenthal

Tel.  +41 62 919 07 90
Fax. +41 62 919 07 99
www.contria.ch

2015-05-21 16:21 GMT+02:00 Nino Fink, Contria GmbH <[email protected]>:

> Hello,
>
> Try this config.
>
> #       CIPHER
>
> SSLHonorCipherOrder 1
>
> Ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-DES-CBC3-SHA"
>
> Kind regards
> Nino Fink
>
> --
> Network Department
>
> Contria GmbH
> Steinackerweg 18
> 4901 Langenthal
>
> Tel.  +41 62 919 07 90
> Fax. +41 62 919 07 99
> www.contria.ch
>
> 2015-05-21 12:54 GMT+02:00 Daniel <[email protected]>:
>
>> Hello,
>>
>> I just made a test via ssllabs.com, and I got a grade F for my SSL
>> connection.
>>
>> The issues are:
>>
>> This server supports insecure Diffie-Hellman (DH) key exchange
>> parameters. Grade set to F.
>> This server supports 512-bit export suites and might be vulnerable to the
>> FREAK attack. Grade set to F.
>> This server is vulnerable to the POODLE attack. If possible, disable SSL
>> 3 to mitigate. Grade capped to C.
>> This server accepts the RC4 cipher, which is weak. Grade capped to B.
>>
>> My pound.cfg is this in the https section:
>>
>> ListenHTTPS
>>     HeadRemove "X-Forwarded-Proto"
>>     AddHeader  "X-Forwarded-Proto: https"
>>     Address    0.0.0.0
>>     Port       443
>>     Cert       "/etc/ssl/mydomain.com/mydomain.com.pem"
>>     Ciphers    "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"/"ALL:!SSLv2:!SSLv3"
>>     Service
>>         HeadRequire "Host: mydomain.com"
>>         Redirect "https://www.mydomain.com"
>>     End
>>     Service
>>         BackEnd
>>             Address 127.0.0.1
>>             Port    6081
>>         End
>>     End
>> End
>>
>> Can anyone advise what I need to change to get a better rating and make
>> it more secure?
>>
>> Thanks,
>>
>> Daniel
>>
>>
>
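
Added example, not part of the original thread: a name-based audit in Python of the two cipher lists quoted above, tagging each suite against the findings in the scan report. The tag names and the helpers `classify` and `audit` are assumptions of this example; it reads suite names only, does not expand selector keywords such as `ALL`, and cannot see which protocol versions or DH parameter size the server offers.

```python
# Added example: name-based audit of an OpenSSL-style cipher list.
# Both lists are copied from the configs quoted in this thread.
ORIGINAL = ("DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:"
            "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:"
            "KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
            "EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA")
PROPOSED = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
            "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:"
            "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:"
            "DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:"
            "ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:"
            "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
            "ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-DES-CBC3-SHA")

FS_PREFIXES = {"ECDHE", "DHE", "EDH"}                  # ephemeral key exchange
NOT_CBC = {"GCM", "RC4", "CHACHA20", "CCM", "NULL"}    # heuristic, by name only

def classify(suite):
    """Tag one explicit suite name; selector keywords are not expanded."""
    parts = suite.upper().split("-")
    if suite[:1] in "!+-" or len(parts) == 1:
        return {"keyword"}          # e.g. ALL, !SSLv3: not auditable by name
    tags = set()
    if parts[0] in ("EXP", "EXPORT"):
        tags.add("export")          # export-grade suite (FREAK finding)
    if "RC4" in parts:
        tags.add("rc4")
    if "CBC3" in parts:
        tags.add("3des")
    if "MD5" in parts:
        tags.add("md5")
    if parts[0] in ("DHE", "EDH"):
        tags.add("dhe")             # strength depends on the server's DH parameters
    if parts[0] not in FS_PREFIXES:
        tags.add("no-forward-secrecy")
    if not NOT_CBC & set(parts):
        tags.add("cbc")             # CBC mode, affected by POODLE when SSLv3 is on
    return tags

def audit(cipher_list):
    """Map each finding tag to the suites in the list that carry it."""
    report = {}
    for suite in filter(None, cipher_list.split(":")):
        for tag in classify(suite):
            report.setdefault(tag, []).append(suite)
    return report

if __name__ == "__main__":
    for name, lst in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(name, {k: len(v) for k, v in sorted(audit(lst).items())})
```

Neither list names an RC4 or export suite, and the proposed list still carries seven DHE suites, whose strength depends on the server's DH parameters rather than on the cipher string.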
