Thanks again, Ralph, for this great post. Just a little notice about the OpenSSL install from make. When you use the "/usr" prefix, that tells OpenSSL to install the binaries into the standard locations - /usr/local/lib, /usr/lib, etc. Even though you specify the openssldir option, the prefix takes precedence.
This becomes a problem if you are testing a new version of OpenSSL with a new Pound on a system that has OpenSSL installed via yum. So you should forgo the /usr prefix and just use openssldir when you build the OpenSSL distro. Then when you use the --with-ssl option in the Pound configure, it will get the correct libraries. The Pound "configure" assumes that the OpenSSL libraries are in --with-ssl/lib, which they will not be if you specify prefix=/usr when you install OpenSSL from the distro. I figured this out after a couple of hours of getting missing symbol errors on an old CentOS 5 system. Thanks Ralph!!

-- jake

From: Ralph Gottschalkson [mailto:[email protected]]
Sent: Friday, July 31, 2015 5:57 AM
To: [email protected]
Subject: [Pound Mailing List] Avoid [i hope] Crime vulnerability on 2.7f upstream

Hi Readers,

I read the previous article from Rick, and I had the same problems. So I tried to solve this, and now I'm getting an "A" on the Qualys SSL test.

How to...

I'm running CentOS 6.6 64-bit.

    # Download the latest openssl version
    wget http://www.openssl.org/source/openssl-1.0.1p.tar.gz
    tar -xzf openssl-1.0.1p.tar.gz
    cd openssl..
    ./config --prefix=/usr --openssldir=/usr/local/openssl-1.0.1p
    make
    make test
    make install

    # get new pound
    cd /opt
    wget https://github.com/goochjj/pound/archive/stage_for_upstream/v2.8a.zip
    mkdir pound28a
    cd pound28a
    # (extracting v2.8a.zip into this directory is not shown in the original message)
    ./configure --bindir=/usr/sbin/ --sbindir=/usr/sbin/ --sysconfdir=/etc/ --with-ssl=/usr/local/openssl-1.0.1p

NOW THE DIRTY TRICK: modify config.c

    /* look for this */
    ssl_op_enable = SSL_OP_ALL;
    /* and ADD THIS */
    /* Disable SSL v3 and TLS v1.1 */
    ssl_op_enable |= SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1;
    /* end of modification! THAT'S it! */
    /* (the existing code that follows in config.c) */
    #ifdef SSL_OP_NO_COMPRESSION
    ssl_op_enable |= SSL_OP_NO_COMPRESSION;
    #endif

Then:

    make
    make install

In /etc/pound.cfg:

    ListenHTTPS
        Address 0.0.0.0
        Port 443
        Cert "/opt/StartmySSL_2015/StartmySSL_07_2015.pem"
        # DisableSSLv2 does not work with 2.8
        # #DisableProto SSLv3 this would be nice (but not yet implemented)
        SSLAllowClientRenegotiation 0
        SSLHonorCipherOrder 1
        Ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
        # (the Service block and the closing End of ListenHTTPS are not shown in the original message)

Hope that this could help some of the audience!

Ralph
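The pitfall jake describes (OpenSSL built with --prefix=/usr plus an --openssldir, so the openssldir holds openssl.cnf and certs but no lib/ or include/, and Pound's configure --with-ssl=DIR then links against the distro's yum OpenSSL) is easy to catch before running configure. The following is an added example written for this thread, not code from either poster or from the Pound or OpenSSL projects: a small POSIX sh check that confirms DIR carries the headers and libssl that configure expects under DIR/include and DIR/lib, and reads the version string out of DIR's opensslv.h so you can confirm you are really about to build against 1.0.1p. The directory layout it inspects is the standard OpenSSL install layout; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks whether DIR is usable
# as Pound's "configure --with-ssl=DIR": configure looks for DIR/include/openssl
# and DIR/lib, which exist only under OpenSSL's --prefix, never under a bare
# --openssldir.

# check_with_ssl_dir DIR
#   returns 0 when DIR has both the OpenSSL headers and a libssl, 1 otherwise,
#   printing what is missing. Usage: check_with_ssl_dir /usr/local/openssl-1.0.1p
check_with_ssl_dir() {
    dir=$1
    missing=0

    # Headers: configure needs DIR/include/openssl/ssl.h
    if [ ! -f "$dir/include/openssl/ssl.h" ]; then
        echo "missing: $dir/include/openssl/ssl.h (headers)"
        missing=1
    fi

    # Libraries: accept either a shared (libssl.so*) or a static (libssl.a) libssl.
    # A for loop is used instead of ls on both globs, because ls would fail as a
    # whole when only one of the two patterns matches.
    has_lib=0
    for f in "$dir"/lib/libssl.so* "$dir"/lib/libssl.a; do
        [ -e "$f" ] && has_lib=1
    done
    if [ "$has_lib" -eq 0 ]; then
        echo "missing: $dir/lib/libssl.so* or libssl.a (libraries)"
        missing=1
    fi

    # The typical symptom of the --prefix=/usr --openssldir=DIR build:
    # DIR contains openssl.cnf but nothing to compile or link against.
    if [ "$missing" -eq 1 ] && [ -f "$dir/openssl.cnf" ]; then
        echo "note: $dir looks like an --openssldir (openssl.cnf present), not a --prefix;"
        echo "      rebuild OpenSSL with --prefix=$dir or point --with-ssl at the real prefix"
    fi
    return $missing
}

# openssl_header_version DIR
#   prints the version (e.g. 1.0.1p) from DIR/include/openssl/opensslv.h, so you
#   can tell the freshly built OpenSSL apart from the yum copy. In 1.0.x headers
#   OPENSSL_VERSION_TEXT is defined twice (FIPS branch first, then the plain
#   #else branch); tail -n 1 picks the plain one.
openssl_header_version() {
    sed -n 's/.*OPENSSL_VERSION_TEXT[[:space:]]*"OpenSSL \([^ ]*\).*/\1/p' \
        "$1/include/openssl/opensslv.h" | tail -n 1
}

# Stand-alone usage: ./check-with-ssl.sh /usr/local/openssl-1.0.1p
if [ -n "$1" ]; then
    if check_with_ssl_dir "$1"; then
        echo "ok: $1 provides OpenSSL $(openssl_header_version "$1") for --with-ssl"
    fi
fi
```

Run it against the directory you plan to hand to --with-ssl before building Pound; if it reports only an openssl.cnf, the "missing symbol" errors jake hit are what you would get at link time, because the compiler found the old yum headers while the linker found the old yum library.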
