Hi Rick, i used this one:
Disable SSLv3 SSLAllowClientRenegotiation 0 SSLHonorCipherOrder 1 Ciphers "HIGH:!aNULL:!SSLv2:!ADH:!EXP:!eNULL:!RC4:MEDIUM:!LOW" Result A with FS. regards Mirek > On 10. 7. 2015, at 9:07, Scott McKeown <[email protected]> wrote: > > Hi Rick, > > Your current Cipher list is very open if you can give this one a go and let > us know the report status (we get an A- with no FS) > > EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!eNULL:!LOW:!aNULL:!MD5:!DSS > > If you could also post a sanitised copy of your pound config file we can see > what we can do for you. > > > > > On 9 July 2015 at 22:55, Rick Smith <[email protected] > <mailto:[email protected]>> wrote: > I am running Pound 2.7f from > https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7f.zip > <https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7f.zip> > > I am also running openssl version 1.01p from Jul 9, 2015. > > I am trying to achieve a better ranking for our SSL support. > > I have been able to move up to a C rating but for some reason here are my > results. > > I am using the following ciphers: RC4-SHA:HIGH:!ADH:!SSLv2:!AES > I enabled the Disable SSLv3 directive and I have the following also enabled > for the listener: > > SSLAllowClientRenegotiation 0 > SSLHonorCipherOrder 1 > > This is after much trial and error. I thought that this upstream version > disabled TLS compression but it appears to still be active. > > Questions: > > 1) How can I disable TLS compression? > 2) Can I enable TLS 1.1 and 1.2? > 3) How can I disable support for weak DH key exchanges? > 4) WHy isn't PFS enabled? I assume the ciphers need fixing? > > Thanks, > > Rick > > > This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade > capped to B. MORE INFO » <https://weakdh.org/> > This server does not mitigate the CRIME attack > <https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls>. > Grade capped to C. > The server supports only older protocols, but not the current best TLS 1.2. > Grade capped to C. MORE INFO » > <https://community.qualys.com/blogs/securitylabs/2015/05/22/ssl-labs-increased-penalty-when-tls-12-is-not-supported> > This server accepts the RC4 cipher, which is weak. Grade capped to B. MORE > INFO » > <https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what> > The server does not support Forward Secrecy with the reference browsers. > MORE INFO » <https://en.wikipedia.org/wiki/Forward_secrecy> > > > -- > With Kind Regards. > > Scott McKeown > Loadbalancer.org > http://www.loadbalancer.org <http://www.loadbalancer.org/> > Tel (UK) - +44 (0) 3303801064 (24x7) > Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
