Hi Readers,

I read the previous article from Rick, and I had the same problems. So I tried to solve this, and now I'm getting an "A" on the Qualys SSL test.

How to...

I'm running CentOS 6.6 64-bit.

Downloaded the latest OpenSSL version:

```
wget http://www.openssl.org/source/openssl-1.0.1p.tar.gz
tar -xzf openssl-1.0.1p.tar.gz
cd openssl..
./config --prefix=/usr --openssldir=/usr/local/openssl-1.0.1p
make
make test
make install

# get new pound
cd /opt
wget https://github.com/goochjj/pound/archive/stage_for_upstream/v2.8a.zip
mkdir pound28a
cd pound28a
./configure --bindir=/usr/sbin/ --sbindir=/usr/sbin/ --sysconfdir=/etc/ --with-ssl=/usr/local/openssl-1.0.1p
```

NOW THE DIRTY TRICK: modify config.c

```
/* look for this */
ssl_op_enable = SSL_OP_ALL;
/* and ADD THIS */
/* Disable SSL v3 and TLS v1.1 */
/* add this */
ssl_op_enable |= SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1;
/* end of modification! THAT'S it! */
#ifdef SSL_OP_NO_COMPRESSION
ssl_op_enable |= SSL_OP_NO_COMPRESSION;
#endif
```

Then:

```
make
make install
```

In /etc/pound.cfg:

```
ListenHTTPS
    Address 0.0.0.0
    Port 443
    Cert "/opt/StartmySSL_2015/StartmySSL_07_2015.pem"
    # DisableSSLv2 does not work with 2.8
    #
    #DisableProto SSLv3 this would be nice (but not yet implemented)
    SSLAllowClientRenegotiation 0
    SSLHonorCipherOrder 1
    Ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
```

Hope that this could help some of the audience!

Ralph
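An added example, not part of Ralph's post or of Pound itself: a Python check that pulls each ListenHTTPS block out of a pound.cfg, compares it with the settings used above, and resolves the Ciphers string with the OpenSSL that Python is linked against, which may differ from the build Pound uses. The block keywords in `OPENERS`, the sample config with its closing `End`, and all function names are assumptions made for this example.

```python
import re
import ssl

# Constructed sample: the listener from the post (certificate line left out).
SAMPLE_CFG = """ListenHTTPS
    Port 443
    # DisableSSLv2 does not work with 2.8
    SSLAllowClientRenegotiation 0
    SSLHonorCipherOrder 1
    Ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
End
"""
# Assumption: each of these keywords opens a block that a matching "End" closes.
OPENERS = {"listenhttp", "listenhttps", "service", "backend", "emergency", "session"}
# The two switches the post sets in its ListenHTTPS block.
EXPECTED = {"SSLHonorCipherOrder": "1", "SSLAllowClientRenegotiation": "0"}

def https_listeners(cfg_text):
    """Return one {directive: value} dict per ListenHTTPS block (listener-level lines only)."""
    listeners, stack = [], []
    for raw in cfg_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # drop comments, split keyword/value
        key = parts[0].lower() if parts else ""
        if key in OPENERS:
            stack.append(key)
            if key == "listenhttps":
                listeners.append({})
        elif key == "end":
            del stack[-1:]                            # tolerate a stray End
        elif key and stack == ["listenhttps"]:        # skip nested Service blocks
            listeners[-1][key] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return listeners

def expand_ciphers(cipher_string):
    """Resolve a cipher string on the local OpenSSL; raises ssl.SSLError if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]

def audit(listener):
    """List where a ListenHTTPS block differs from the post's settings (empty = matches)."""
    findings = [f"{name} is not {want}" for name, want in EXPECTED.items()
                if listener.get(name.lower()) != want]
    if "ciphers" not in listener:
        findings.append("no Ciphers directive")
    else:
        bad = [n for n in expand_ciphers(listener["ciphers"]) if re.search(r"^ADH|^AECDH|MD5|DSS", n)]
        if bad:
            findings.append("Ciphers still enables: " + ", ".join(bad))
    return findings
```

Call `audit()` on each dict returned by `https_listeners()` for the real file, and print `expand_ciphers()` to see the concrete suites the string selects on that machine.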
