I am running Pound 2.7f from https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7f.zip
I am also running openssl version 1.01p from Jul 9, 2015. I am trying to achieve a better ranking for our SSL support. I have been able to move up to a C rating but for some reason here are my results.

I am using the following ciphers:

    RC4-SHA:HIGH:!ADH:!SSLv2:!AES

I enabled the Disable SSLv3 directive and I have the following also enabled for the listener:

    SSLAllowClientRenegotiation 0
    SSLHonorCipherOrder 1

This is after much trial and error. I thought that this upstream version disabled TLS compression but it appears to still be active.

Questions:

1) How can I disable TLS compression?
2) Can I enable TLS 1.1 and 1.2?
3) How can I disable support for weak DH key exchanges?
4) Why isn't PFS enabled? I assume the ciphers need fixing?

Thanks,
Rick

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
MORE INFO » <https://weakdh.org/>

This server does not mitigate the CRIME attack <https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls>. Grade capped to C.

The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
MORE INFO » <https://community.qualys.com/blogs/securitylabs/2015/05/22/ssl-labs-increased-penalty-when-tls-12-is-not-supported>

This server accepts the RC4 cipher, which is weak. Grade capped to B.
MORE INFO » <https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what>

The server does not support Forward Secrecy with the reference browsers.
MORE INFO » <https://en.wikipedia.org/wiki/Forward_secrecy>
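An added check, not part of Rick's post or of the Pound project: a POSIX shell function (the names assess_s_client and probe_tls are mine) that reads an `openssl s_client` transcript and reports the same five conditions SSL Labs flags above (compression/CRIME, RC4, missing forward secrecy, no TLS 1.2, DH parameters shorter than 2048 bits), so a listener can be re-checked after its config changes. It assumes the `Protocol`, `Cipher`, `Compression` and `Server Temp Key` lines that s_client prints; the last one only appears in newer OpenSSL releases, and without it the DH check is simply skipped.

```shell
#!/bin/sh
# Assess an `openssl s_client` transcript (read on stdin) for the five
# SSL Labs findings quoted in the post. Prints one line per finding and
# returns the number of findings, so 0 means the handshake looked clean.
assess_s_client() {
    transcript=$(cat)
    findings=0
    # Pull one "Name : value" field out of the transcript (first match only).
    field() { printf '%s\n' "$transcript" | sed -n "s/^ *$1 *: *//p" | head -n 1; }
    proto=$(field 'Protocol')
    cipher=$(field 'Cipher')
    compression=$(field 'Compression')
    tempkey=$(field 'Server Temp Key')

    # CRIME: any compression method other than NONE is a finding.
    case "$compression" in
        ""|NONE) ;;
        *) echo "TLS compression on ($compression): CRIME not mitigated"; findings=$((findings + 1)) ;;
    esac
    # RC4 negotiated by a default client means the listener still offers it.
    case "$cipher" in
        *RC4*) echo "RC4 cipher negotiated ($cipher)"; findings=$((findings + 1)) ;;
    esac
    # Forward secrecy needs an (EC)DHE suite; TLS 1.3 suites always have it.
    case "$proto:$cipher" in
        TLSv1.3:*|*:ECDHE-*|*:DHE-*) ;;
        *) echo "no forward secrecy: $cipher is not an (EC)DHE suite"; findings=$((findings + 1)) ;;
    esac
    # Protocol version: anything below TLS 1.2 is capped by SSL Labs.
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) echo "negotiated $proto instead of TLS 1.2 or newer"; findings=$((findings + 1)) ;;
    esac
    # weakdh: a finite-field DH temp key shorter than 2048 bits.
    case "$tempkey" in
        DH,*)
            bits=${tempkey##*, }; bits=${bits%% *}
            [ "$bits" -ge 2048 ] || { echo "weak DH parameters: $bits bits"; findings=$((findings + 1)); }
            ;;
    esac
    return "$findings"
}

# Live probe (needs network): hand a real handshake to the assessor.
# Usage: probe_tls host:443
probe_tls() {
    echo | openssl s_client -connect "$1" -servername "${1%%:*}" 2>/dev/null | assess_s_client
}
```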
