Hi Rick, Your current Cipher list is very open if you can give this one a go and let us know the report status (we get an A- with no FS)
EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+ AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:! eNULL:!LOW:!aNULL:!MD5:!DSS If you could also post a sanitised copy of your pound config file we can see what we can do for you. On 9 July 2015 at 22:55, Rick Smith <[email protected]> wrote: > I am running Pound 2.7f from > https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7f.zip > > I am also running openssl version 1.01p from Jul 9, 2015. > > I am trying to achieve a better ranking for our SSL support. > > I have been able to move up to a C rating but for some reason here are my > results. > > I am using the following ciphers: RC4-SHA:HIGH:!ADH:!SSLv2:!AES > I enabled the Disable SSLv3 directive and I have the following also > enabled for the listener: > > SSLAllowClientRenegotiation 0 > SSLHonorCipherOrder 1 > > This is after much trial and error. I thought that this upstream version > disabled TLS compression but it appears to still be active. > > Questions: > > 1) How can I disable TLS compression? > 2) Can I enable TLS 1.1 and 1.2? > 3) How can I disable support for weak DH key exchanges? > 4) WHy isn't PFS enabled? I assume the ciphers need fixing? > > Thanks, > > Rick > > > This server supports weak Diffie-Hellman (DH) key exchange parameters. > Grade capped to B. MORE INFO » <https://weakdh.org/> > This server does not mitigate the CRIME attack > <https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls>. > Grade capped to C. > The server supports only older protocols, but not the current best TLS > 1.2. Grade capped to C. MORE INFO » > <https://community.qualys.com/blogs/securitylabs/2015/05/22/ssl-labs-increased-penalty-when-tls-12-is-not-supported> > This server accepts the RC4 cipher, which is weak. Grade capped to B. > MORE INFO » > <https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what> > The server does not support Forward Secrecy with the reference browsers. > MORE INFO » <https://en.wikipedia.org/wiki/Forward_secrecy> > -- With Kind Regards. Scott McKeown Loadbalancer.org http://www.loadbalancer.org Tel (UK) - +44 (0) 3303801064 (24x7) Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
