Hi Mirek,

What version of pound are you using for this? We have as of yet not been able to get FS with pound...

On 10 July 2015 at 08:31, Miroslav Danek <[email protected]> wrote:
> Hi Rick,
>
> I used this one:
>
> Disable SSLv3
> SSLAllowClientRenegotiation 0
> SSLHonorCipherOrder 1
> Ciphers "HIGH:!aNULL:!SSLv2:!ADH:!EXP:!eNULL:!RC4:MEDIUM:!LOW"
>
> Result A with FS.
>
> regards
> Mirek
>
> On 10. 7. 2015, at 9:07, Scott McKeown <[email protected]> wrote:
>
> Hi Rick,
>
> Your current Cipher list is very open. If you can give this one a go and let us know the report status (we get an A- with no FS):
>
> EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!eNULL:!LOW:!aNULL:!MD5:!DSS
>
> If you could also post a sanitised copy of your pound config file we can see what we can do for you.
>
> On 9 July 2015 at 22:55, Rick Smith <[email protected]> wrote:
>> I am running Pound 2.7f from
>> https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7f.zip
>>
>> I am also running openssl version 1.01p from Jul 9, 2015.
>>
>> I am trying to achieve a better ranking for our SSL support.
>>
>> I have been able to move up to a C rating but for some reason here are my results.
>>
>> I am using the following ciphers: RC4-SHA:HIGH:!ADH:!SSLv2:!AES
>> I enabled the Disable SSLv3 directive and I have the following also enabled for the listener:
>>
>> SSLAllowClientRenegotiation 0
>> SSLHonorCipherOrder 1
>>
>> This is after much trial and error. I thought that this upstream version disabled TLS compression but it appears to still be active.
>>
>> Questions:
>>
>> 1) How can I disable TLS compression?
>> 2) Can I enable TLS 1.1 and 1.2?
>> 3) How can I disable support for weak DH key exchanges?
>> 4) Why isn't PFS enabled? I assume the ciphers need fixing?
>>
>> Thanks,
>>
>> Rick
>>
>>
>> This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. MORE INFO » <https://weakdh.org/>
>> This server does not mitigate the CRIME attack <https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls>. Grade capped to C.
>> The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C. MORE INFO » <https://community.qualys.com/blogs/securitylabs/2015/05/22/ssl-labs-increased-penalty-when-tls-12-is-not-supported>
>> This server accepts the RC4 cipher, which is weak. Grade capped to B. MORE INFO » <https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what>
>> The server does not support Forward Secrecy with the reference browsers. MORE INFO » <https://en.wikipedia.org/wiki/Forward_secrecy>
>>
>
>
> --
> With Kind Regards.
>
> Scott McKeown
> Loadbalancer.org
> http://www.loadbalancer.org
> Tel (UK) - +44 (0) 3303801064 (24x7)
> Tel (US) - +1 888.867.9504 (Toll Free)(24x7)

--
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
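The thread turns on what a `Ciphers` string actually expands to and which of those suites give forward secrecy. Below is an added example, not code from the thread or from the pound project, that audits the suite list `openssl ciphers -v '<spec>'` prints: it classifies each suite by key exchange (only ephemeral `Kx=ECDH` / `Kx=DH` give FS), flags RC4, DES/3DES, MD5 and anonymous suites, and reports whether the first suite is forward secret, which is what matters once `SSLHonorCipherOrder 1` makes the server's order win. The two sample lists are constructed to resemble what OpenSSL 1.0.x prints for Rick's spec (RC4-SHA first, `!AES`) and for Mirek's spec; they are illustrative, not captured output. `audit_spec` shells out to a real `openssl` binary if one is present and is not needed for the offline demo.

```python
"""Audit an OpenSSL cipher-list expansion for forward secrecy and weak suites.

Input lines use the format printed by `openssl ciphers -v '<spec>'`:
    NAME  PROTOCOL  Kx=...  Au=...  Enc=...  Mac=...
"""
import re
import subprocess

CIPHER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Constructed sample: roughly what "RC4-SHA:HIGH:!ADH:!SSLv2:!AES" expands to
# on OpenSSL 1.0.x (AES suites excluded, RC4-SHA forced to the front).
RICK_SAMPLE = """\
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

# Constructed sample: the head of Mirek's "HIGH:!aNULL:...:!RC4:MEDIUM:!LOW".
MIREK_SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""


def parse_cipher_line(line):
    """Split one `openssl ciphers -v` line into its named fields."""
    m = CIPHER_RE.match(line.strip())
    if not m:
        raise ValueError("not an openssl ciphers -v line: %r" % line)
    return m.groupdict()


def is_forward_secret(kx):
    """Ephemeral (EC)DH is printed as Kx=ECDH / Kx=DH (optionally with an
    export size like DH(512)); static variants carry a slash, e.g. ECDH/RSA,
    and RSA key transport is plain Kx=RSA. Only the ephemeral forms give FS."""
    base = kx.split("/")[0].split("(")[0]
    return base in ("ECDH", "DH") and "/" not in kx


def weak_reasons(suite):
    """Return the reasons a suite would be penalised, or [] if none apply."""
    reasons = []
    enc = suite["enc"].upper()
    if enc.startswith("RC4"):
        reasons.append("RC4")
    if enc.startswith("3DES") or enc.startswith("DES"):
        reasons.append("DES/3DES")
    if suite["mac"].upper() == "MD5":
        reasons.append("MD5")
    if suite["au"].upper() == "NONE":
        reasons.append("anonymous")
    if "(" in suite["kx"]:  # e.g. Kx=DH(512): export-grade key exchange
        reasons.append("export-grade key exchange")
    return reasons


def audit(lines):
    """Summarise a suite list in server-preference order."""
    suites = [parse_cipher_line(l) for l in lines if l.strip()]
    return {
        "total": len(suites),
        "fs": [s["name"] for s in suites if is_forward_secret(s["kx"])],
        "non_fs": [s["name"] for s in suites if not is_forward_secret(s["kx"])],
        "weak": {s["name"]: weak_reasons(s) for s in suites if weak_reasons(s)},
        # With SSLHonorCipherOrder 1 the first suite a client also offers wins,
        # so an RC4 or plain-RSA suite at the top defeats FS for most clients.
        "first_is_fs": bool(suites) and is_forward_secret(suites[0]["kx"]),
    }


def audit_spec(spec):
    """Audit a real cipher spec via the local openssl binary (needs openssl)."""
    out = subprocess.run(["openssl", "ciphers", "-v", spec], check=True,
                         capture_output=True, text=True).stdout
    return audit(out.splitlines())


if __name__ == "__main__":
    for label, sample in (("Rick", RICK_SAMPLE), ("Mirek", MIREK_SAMPLE)):
        r = audit(sample.splitlines())
        print("%s: %d suites, FS=%s, first suite FS=%s, weak=%s"
              % (label, r["total"], r["fs"], r["first_is_fs"], r["weak"]))
```

On the constructed data the first list has FS suites available but an RC4 suite at the top and 3DES further down, while the second list leads with ECDHE suites and contains nothing flagged; that is the difference between "no FS with the reference browsers" and an A with FS once the server enforces its own order.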
