On 08.03.16 at 17:08, Joe Gooch wrote:
> Based on the cipher string you've provided, I see the ciphers you're looking
> for in openssl ciphers -v output.
>
> Have you selected an ECDH Curve? Do you see any ECDH ciphers in the list?
>
> Also review
> http://www.apsis.ch/pound/pound_list/archive/2014/2014-10/1414097953000
>
>
> Specifically you need (globally)
> ECDHCurve prime256v1

This doesn't work:
/usr/local/etc/pound.cfg line 1: unknown directive - aborted

> And in your listeners:
> Disable SSLv3
> SSLAllowClientRenegotiation 0
> SSLHonorCipherOrder 1
>
> Ciphers
> "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:-3DES:!MD5:!EXP:!PSK:!SRP:!DSS:3DES"
>
>
> (or your ciphers line, whichever)

SSLv3 is no longer the problem. I'm required by a client to add these ciphers:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Shouldn't it be as easy as just adding them somehow to the Ciphers directive parameter?

> Ensure that DH_LEN=2048 in your makefile

It is set. I hadn't considered the build logs of our build server, but DH_LEN=2048 is taken.
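
One way to check whether a Ciphers string already selects the two required suites, as an added example that is not part of the original message and is not Pound code: it expands the string with Python's ssl module and reports each suite's position in the preference order. The function names are hypothetical, the IANA-to-OpenSSL name mapping is supplied by hand, and the result reflects the OpenSSL library Python is linked against, which may differ from the one Pound was built with.

```python
import ssl

# Cipher string quoted in the message above.
PAGE_CIPHERS = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
    "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:"
    "!RC4:!aNULL:!eNULL:!LOW:-3DES:!MD5:!EXP:!PSK:!SRP:!DSS:3DES"
)

# IANA name -> OpenSSL name for the two suites the client requires.
# OpenSSL drops "CBC" from the name of the CBC-mode suite.
REQUIRED = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": "ECDHE-ECDSA-AES256-SHA384",
}


def expand(cipher_string):
    """Return the OpenSSL suite names a cipher string selects, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the string selects nothing in this OpenSSL build
    return [c["name"] for c in ctx.get_ciphers()]


def check_required(cipher_string, required=REQUIRED):
    """Map each required IANA name to its 1-based rank in the list, or None if absent."""
    names = expand(cipher_string)
    return {
        iana: (names.index(ossl) + 1 if ossl in names else None)
        for iana, ossl in required.items()
    }


if __name__ == "__main__":
    for iana, rank in check_required(PAGE_CIPHERS).items():
        print(f"{iana}: {'missing' if rank is None else 'position ' + str(rank)}")
```

A suite being selected by the string is necessary but not sufficient: ECDHE-ECDSA suites are only negotiated when the listener serves an ECDSA certificate and an ECDH curve is configured.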
