Thanks so much guys - it was just as Joseph stated. Pound was linked to the old version of OpenSSL that was installed by Zen. Once I fixed this and compiled again/copied the executables to the locations Zen uses I am seeing an A on the SSL Labs test.
Rick

On Fri, Jul 10, 2015 at 2:24 PM, Joe Gooch <[email protected]> wrote:

> Configure option:
> --with-ssl=directory location of OpenSSL package
>
> Check the resulting -I and -L options in the Makefile
>
> If you're not installing your manually compiled openssl library you
> probably want to statically compile. You can change the LIBS line from
> -lssl -lcrypto to something like:
> -Wl,-Bstatic /path/to/libssl.a /path/to/libcrypto.a -Wl,-Bdynamic
>
> Or
> -Wl,-Bstatic -L/path/to/openssl/libs -lssl -lcrypto -Wl,-Bdynamic
>
> Or set appropriate env variables (i.e. LIBRARY_PATH)
>
> See
>
> https://stackoverflow.com/questions/4352573/linking-openssl-libraries-to-a-program
>
> Otherwise, you're likely compiling and linking against the openssl
> installed on your system.
>
> You can also check by editing your config.c
> Find the case 'V': line
> After the "Version %s" line, add this
> #ifdef SSLEAY_VERSION
> logmsg(LOG_DEBUG, "OpenSSL version %s",
> SSLeay_version(SSLEAY_VERSION));
> #endif
>
> Make, as before
> ./pound -V
>
> It'll show you the OpenSSL version. (This might not be a bad thing to
> include in the code actually)
>
> Diff version
> diff --git i/config.c w/config.c
> index 6f29ef5..2be0718 100644
> --- i/config.c
> +++ w/config.c
> @@ -1732,6 +1732,9 @@ config_parse(const int argc, char **const argv) > case 'V': > print_log = 1; > logmsg(LOG_DEBUG, "Version %s", VERSION); > +#ifdef SSLEAY_VERSION > + logmsg(LOG_DEBUG, "OpenSSL version %s", > SSLeay_version(SSLEAY_VERSION)); > +#endif > logmsg(LOG_DEBUG, " Configuration switches:"); > #ifdef C_SUPER > if(strcmp(C_SUPER, "0"))
>
> --
> Joseph Gooch
> SapphireK12
> (866) 366-9540
>
> Confidentiality Notice: This e-mail transmission may contain
> confidential and legally privileged information that is intended only for
> the individual named in the e-mail address. If you are not the intended
> recipient, you are hereby notified that any disclosure, copying,
> distribution, or reliance upon the contents of this e-mail message is
> strictly prohibited. If you have received this e-mail transmission in
> error, please reply to the sender, so that proper delivery can be arranged,
> and please delete the message from your mail box.
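Review bot: as quoted, the hunk will not apply: the header promises three added lines (+1732,9 against 1732,6), but the mail client has wrapped the `logmsg(...)` call so that `SSLeay_version(SSLEAY_VERSION));` sits on its own line without a leading `+`, which git will read as a context line that does not exist in config.c. Re-join it as one `+ logmsg(LOG_DEBUG, "OpenSSL version %s", SSLeay_version(SSLEAY_VERSION));` line, or send the patch as an attachment. Separately, SSLeay_version() reports the libcrypto pound is linked against at runtime, which is what this thread needed to see, but it says nothing about the headers used at build time; logging OPENSSL_VERSION_TEXT beside it would make a header/library mismatch visible in a single `pound -V` run.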
>
> From: Rick Smith
> Reply-To: "[email protected]"
> Date: Friday, July 10, 2015 at 2:40 PM
> To: "[email protected]"
> Subject: Re: [Pound Mailing List] Crime vulnerability on 2.7f upstream
>
> I think you might be right re: pound linking to the wrong headers.
>
> Any suggestions on fixing that part?
>
> Rick
>
> On Fri, Jul 10, 2015 at 1:07 PM, Joe Gooch <[email protected]> wrote:
>
>> I don't... Based on our code (which you can verify in config.c) it's
>> including the SSL_OP_NO_COMPRESSION directive, and 1.0.1p should include
>> that directive. My only guesses are pound isn't using the openssl
>> development headers for 1.0.1p, it's linking to a shared library that isn't
>> the one you just compiled, or it's linking statically to the wrong ssl
>> library.
>>
>> --
>> Joe
>>
>> From: Rick Smith
>> Reply-To: "[email protected]"
>> Date: Friday, July 10, 2015 at 12:02 PM
>> To: "[email protected]"
>> Subject: Re: [Pound Mailing List] Crime vulnerability on 2.7f upstream
>>
>> I compiled 2.7f myself and also compiled the 1.01p openssl.
>>
>> Any idea why I still see TLS compression enabled?
>>
>> Rick
>>
>> On Fri, Jul 10, 2015 at 10:24 AM, Joe Gooch <[email protected]> wrote:
>>
>> TLS Compression was disabled in the code in pound 2.7b. If you're
>> running 2.7f, then at compile time, it will be disabled. If your
>> openssl-dev headers define the SSL_OP_NO_COMPRESSION directive, it uses
>> that, otherwise, it uses other workarounds, and in both
>> cases it disabled empty fragments.
>>
>> https://github.com/goochjj/pound/commit/c1fe61a96da606d812d9c4edbacb538f9bf8544b
>>
>> Other distributions... Debian, Ubuntu, Fedora - disable TLS compression
>> at the library level. If you're using openssl compiled yourself, it may
>> not have this patch. Or perhaps you're not using the correct openssl
>> headers to compile?
>>
>> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1187195
>>
>> A lot of these best practices (other than using the 2.6 pcidss branch,
>> which shouldn't be necessary anymore) also apply
>> http://www.apsis.ch/pound/pound_list/archive/2014/2014-10/1414097953000
>>
>> My sites all show A's, unless I have HSTS enabled. Those show A+.
>>
>> --
>> Joe
>>
>> From: Rick Smith
>> Reply-To: "[email protected]"
>> Date: Friday, July 10, 2015 at 9:37 AM
>> To: "[email protected]"
>> Subject: Re: [Pound Mailing List] Crime vulnerability on 2.7f upstream
>>
>> With either of the cipher suites given in this thread I am still showing
>> vulnerable to the CRIME attack.
>>
>> With this suite: HIGH:!aNULL:!SSLv2:!ADH:!EXP:!eNULL:!RC4:MEDIUM:!LOW it
>> is showing BEAST and CRIME and no TLS 1.1/1.2
>>
>> This one:
>> EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!eNULL:!LOW:!aNULL:!MD5:!DSS
>>
>> is showing vulnerable to the CRIME attack (TLS compression).
>>
>> My main issue is that TLS compression is still enabled for some reason
>> even with the 2.7f version of Pound.
>>
>> Below is the config (sanitized):
>>
>> ######################################################################
>> ##GLOBAL OPTIONS
>> User "root"
>> Group "root"
>> ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
>> #ExtendedHTTP 0
>> ## Logging: (goes to syslog by default)
>> ##  0  no logging
>> ##  1  normal
>> ##  2  extended
>> ##  3  Apache-style (common log format)
>> #LogFacility local5
>> LogLevel 0
>> ## check timeouts:
>> Timeout 45
>> ConnTO 20
>> Alive 10
>> Client 30
>> Control "/tmp/xxxx_pound.socket"
>>
>> #HTTP(S) LISTENERS
>> ListenHTTPS
>>     Err414 "/usr/local/zenloadbalancer/config/xxxx_Err414.html"
>>     Err500 "/usr/local/zenloadbalancer/config/xxxx_Err500.html"
>>     Err501 "/usr/local/zenloadbalancer/config/xxxx_Err501.html"
>>     Err503 "/usr/local/zenloadbalancer/config/xxxx_Err503.html"
>>     Address 192.168.xx.xx
>>     Port 443
>>     xHTTP 0
>>     RewriteLocation 0
>>     Disable SSLv3
>>
>>     Cert "/usr/local/zenloadbalancer/config/xxxx.pem"
>>     Ciphers "EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!eNULL:!LOW:!aNULL:!MD5:!DSS"
>>     SSLAllowClientRenegotiation 0
>>     SSLHonorCipherOrder 1
>>     #ZWACL-INI
>>
>>     Service "xxxx_Backends"
>>         ##False##HTTPS-backend##
>>         HeadRequire "Host: xxxx.xxx.com"
>>         #Url ""
>>         #Redirect ""
>>         #Session
>>         #Type nothing
>>         #TTL 120
>>         #ID "sessionname"
>>         #End
>>         #BackEnd
>>
>>         BackEnd
>>             Address 192.168.xx.xx
>>             Port 80
>>             TimeOut 10
>>         End
>>         BackEnd
>>             Address 192.168.xx.xx
>>             Port 80
>>             TimeOut 10
>>         End
>>         BackEnd
>>             Address 192.168.xx.xx
>>             Port 80
>>             TimeOut 10
>>         End
>>         BackEnd
>>             Address 192.168.xx.xx
>>             Port 80
>>             TimeOut 10
>>         End
>>         #End
>>     End
>>     #ZWACL-END
>>
>>     #Service "xxxx"
>>     ##False##HTTPS-backend##
>>     #HeadRequire "Host: "
>>     #Url ""
>>     #Redirect ""
>>     #Session
>>     #Type nothing
>>     #TTL 120
>>     #ID "sessionname"
>>     #End
>>     #BackEnd
>>
>>     #End
>>     #End
>>
>> End
>>
>> On Fri, Jul 10, 2015 at 7:02 AM, Emilio Campos <[email protected]> wrote:
>>
>> By the way, can someone obtain an A+ with pound 2.7 or higher? In my case I
>> use 2.8.a with only A.
>>
>> Thanks!
>>
>> 2015-07-10 10:44 GMT+02:00 Scott McKeown <[email protected]>:
>>
>> Hi Mirek,
>>
>> Thanks, I'm guessing that there must be an additional patch in v2.7 that
>> I've not used in our build.
>>
>> Time to do some more testing I guess.
>>
>> On 10 July 2015 at 09:20, Miroslav Danek <[email protected]> wrote:
>>
>> Hi Scott,
>>
>> i use stable 2.7, CentOS 6.6 + openssl 1.0.1e
>>
>> Mirek
>>
>> On 10. 7. 2015, at 9:56, Scott McKeown <[email protected]> wrote:
>>
>> Hi Mirek,
>> What version of pound are you using for this? We have as of yet not been
>> able to get FS with pound...
>>
>> On 10 July 2015 at 08:31, Miroslav Danek <[email protected]> wrote:
>>
>> Hi Rick,
>>
>> i used this one:
>>
>> Disable SSLv3
>> SSLAllowClientRenegotiation 0
>> SSLHonorCipherOrder 1
>> Ciphers "HIGH:!aNULL:!SSLv2:!ADH:!EXP:!eNULL:!RC4:MEDIUM:!LOW"
>>
>> Result A with FS.
>>
>> regards
>> Mirek
>>
>> On 10. 7.
>> 2015, at 9:07, Scott McKeown <[email protected]> wrote:
>>
>> Hi Rick,
>>
>> Your current Cipher list is very open; if you can give this one a go and
>> let us know the report status (we get an A- with no FS):
>>
>> EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!eNULL:!LOW:!aNULL:!MD5:!DSS
>>
>> If you could also post a sanitised copy of your pound config file we can
>> see what we can do for you.
>>
>> On 9 July 2015 at 22:55, Rick Smith <[email protected]> wrote:
>>
>> I am running Pound 2.7f from
>> https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7f.zip
>>
>> I am also running openssl version 1.01p from Jul 9, 2015.
>>
>> I am trying to achieve a better ranking for our SSL support.
>>
>> I have been able to move up to a C rating but for some reason here are my
>> results.
>>
>> I am using the following ciphers: RC4-SHA:HIGH:!ADH:!SSLv2:!AES
>> I enabled the Disable SSLv3 directive and I have the following also
>> enabled for the listener:
>>
>> SSLAllowClientRenegotiation 0
>> SSLHonorCipherOrder 1
>>
>> This is after much trial and error. I thought that this upstream version
>> disabled TLS compression but it appears to still be active.
>>
>> Questions:
>>
>> 1) How can I disable TLS compression?
>> 2) Can I enable TLS 1.1 and 1.2?
>> 3) How can I disable support for weak DH key exchanges?
>> 4) Why isn't PFS enabled? I assume the ciphers need fixing?
>>
>> Thanks,
>>
>> Rick
>>
>> This server supports weak Diffie-Hellman (DH) key exchange parameters.
>> Grade capped to B. MORE INFO » <https://weakdh.org/>
>> This server does not mitigate the CRIME attack
>> <https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls>.
>> Grade capped to C.
>> The server supports only older protocols, but not the current best TLS
>> 1.2. Grade capped to C. MORE INFO »
>> <https://community.qualys.com/blogs/securitylabs/2015/05/22/ssl-labs-increased-penalty-when-tls-12-is-not-supported>
>> This server accepts the RC4 cipher, which is weak. Grade capped to B.
>> MORE INFO »
>> <https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what>
>> The server does not support Forward Secrecy with the reference browsers.
>> MORE INFO » <https://en.wikipedia.org/wiki/Forward_secrecy>
>>
>> --
>> With Kind Regards.
>>
>> Scott McKeown
>> Loadbalancer.org
>> http://www.loadbalancer.org
>> Tel (UK) - +44 (0) 3303801064 (24x7)
>> Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
>>
>> --
>> Load balancer distribution - Open Source Project
>> http://www.zenloadbalancer.com
>> Distribution list (subscribe):
>> [email protected]
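Joe's advice in the thread is to check the Makefile's -I and -L options and to make sure pound is not silently picking up the system OpenSSL, which is what Rick's final message confirms had happened. The script below is an added example, not code from the thread or from the pound project: two POSIX sh functions that take saved Makefile text and `ldd pound` output and report any flag or library that does not point under the intended OpenSSL prefix. The prefix /opt/openssl-1.0.1p and the sample ldd output are constructed for the demonstration.

```shell
#!/bin/sh
# check_build_flags <Makefile text> <openssl prefix>
# Prints every absolute -Idir/-Ldir flag that is NOT under <prefix> (exit 1);
# prints "ok" (exit 0) when all of them point under it. Assumes the -Idir/-Ldir
# (no space) form that configure writes into the Makefile.
check_build_flags() {
    printf '%s\n' "$1" | awk -v want="$2" '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^-[IL]\// && index(substr($i, 3), want) != 1) {
                    print $i; bad++
                }
        }
        END { if (!bad) print "ok"; exit (bad > 0) }'
}

# check_runtime_link <ldd output> <openssl prefix>
# "static": neither libssl nor libcrypto appears (the -Wl,-Bstatic route)
# "ok":     both resolve to a path under <prefix>
# otherwise one "mismatch <path>" / "missing <lib>" line per offender, exit 1
check_runtime_link() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            found++
            if ($2 != "=>" || $3 == "not") { print "missing " $1; bad++ }
            else if (index($3, want) != 1)  { print "mismatch " $3; bad++ }
        }
        END {
            if (!found) print "static"; else if (!bad) print "ok"
            exit (bad > 0)
        }'
}

# Constructed sample of the thread's failure: libcrypto comes from the
# hand-built tree, but libssl still resolves from the system (Zen-installed) copy.
SAMPLE_LDD='    libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f00)
    libcrypto.so.1.0.0 => /opt/openssl-1.0.1p/lib/libcrypto.so.1.0.0 (0x00007f01)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f02)'
check_runtime_link "$SAMPLE_LDD" /opt/openssl-1.0.1p \
    || echo "pound is not linked against the intended OpenSSL: rebuild or link statically"
```

On a real build run `check_build_flags "$(cat Makefile)" /opt/openssl-1.0.1p` and `check_runtime_link "$(ldd ./pound)" /opt/openssl-1.0.1p`; a "static" result still needs Joe's `pound -V` check to confirm which libcrypto was baked in.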
