Just wanted to follow up on my post yesterday and share my POODLE fix with anyone interested.
You will have to ensure your LB has gcc and the openssl headers installed -- use apt-get install ...
Also, you will need to stop zenloadbalancer and the minihttpd process before replacing the files.

-----------

wget http://acme.com/software/mini_httpd/mini_httpd-1.20.tar.gz
tar zxf mini_httpd-1.20.tar.gz
cd mini_httpd-1.20

--uncomment SSL lines in Makefile and set as shown below
SSL_TREE = /usr
SSL_DEFS = -DUSE_SSL
SSL_INC = -I$(SSL_TREE)/include
SSL_LIBS = -L$(SSL_TREE)/lib -lssl -lcrypto

--file: mini_httpd.c (line 554)
add: SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);

/*
548 #ifdef USE_SSL
549     if ( do_ssl )
550         {
551         SSL_load_error_strings();
552         SSLeay_add_ssl_algorithms();
553         ssl_ctx = SSL_CTX_new( SSLv23_server_method() );
554         SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
555         if ( certfile[0] != '\0' )
556             if ( SSL_CTX_use_certificate_file( ssl_ctx, certfile, SSL_FILETYPE_PEM ) == 0 ||
557                  SSL_CTX_use_PrivateKey_file( ssl_ctx, certfile, SSL_FILETYPE_PEM ) == 0 ||
558                  SSL_CTX_check_private_key( ssl_ctx ) == 0 )
559                 {
560                 ERR_print_errors_fp( stderr );
561                 exit( 1 );
562                 }
*/

make

-- backup and replace zen files
cp -r /usr/local/zenloadbalancer/app/mini_httpd/mini_httpd /usr/local/zenloadbalancer/app/mini_httpd/mini_httpd.default
cp -r /usr/local/zenloadbalancer/app/mini_httpd/htpasswd /usr/local/zenloadbalancer/app/mini_httpd/htpasswd.default
cp mini_httpd /usr/local/zenloadbalancer/app/mini_httpd/
cp htpasswd /usr/local/zenloadbalancer/app/mini_httpd/

wget http://www.apsis.ch/pound/Pound-2.6.tgz
tar zxf Pound-2.6.tgz
cd Pound-2.6

--file: config.c
change: SSL_OP_ALL to SSL_OP_NO_SSLv3
perl -pi.bak -e 's/SSL_OP_ALL/SSL_OP_NO_SSLv3/g' config.c

./configure --with-ssl=/usr \
    --prefix=/usr/local/zenloadbalancer/app/pound --sysconfdir=/usr/local/zenloadbalancer/config
make

-- backup and replace zen files
cp -r /usr/local/zenloadbalancer/app/pound/sbin/pound /usr/local/zenloadbalancer/app/pound/sbin/pound.default
cp -r /usr/local/zenloadbalancer/app/pound/sbin/poundctl /usr/local/zenloadbalancer/app/pound/sbin/poundctl.default
cp pound /usr/local/zenloadbalancer/app/pound/sbin/
cp poundctl /usr/local/zenloadbalancer/app/pound/sbin/

-Jeff

On 10/17/2014 12:28 PM, Jeffrey Ramsay wrote:
> All:
>
> What is the correct syntax to address the POODLE exploit?
>
> -- @global.conf
> #Cipher PCI
> $cipher_pci="TLSv1+SSLv3+HIGH:-MEDIUM:-LOW*:-ADH*";
>
> Is it:
>
> $cipher_pci="TLSv1+HIGH:-MEDIUM:-LOW*:-ADH*";
>
> Also, will a change to the "global.conf" file address all SSL farms?
>
> Thanks,
> -Jeff
>

--
Jeffrey Ramsay
Assistant Director
Enterprise Software Infrastructure and Technical Planning
Binghamton University
http://www.binghamton.edu
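
Added example, not part of the message above or of Zen Load Balancer: a shell check for confirming, after the rebuilt mini_httpd and pound binaries are in place, that a listener refuses an SSLv3 handshake. The function names and the sample s_client excerpts are constructed for illustration, and the live probe assumes an openssl client that still accepts -ssl3.

```shell
# Added example, not from the original post: check that a listener refuses SSLv3.
# Reads `openssl s_client -ssl3` output on stdin and prints exactly one verdict.
classify_handshake() {
    out=$(cat)
    has() { printf '%s\n' "$out" | grep -Eqi "$1"; }
    if has 'unknown option'; then
        echo "client-lacks-sslv3"   # this openssl build cannot offer SSLv3
    elif has 'connect:errno='; then
        echo "no-connection"        # nothing listening, so nothing was tested
    elif has 'Cipher is \(NONE\)|Cipher[[:space:]]*:[[:space:]]*0000'; then
        echo "sslv3-refused"        # handshake aborted, no cipher negotiated
    elif has '^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*SSLv3'; then
        echo "sslv3-accepted"       # session established over SSLv3
    else
        echo "inconclusive"
    fi
}

# Constructed s_client excerpts (not captured from a real host).
sample_refused() {
    cat <<'EOF'
CONNECTED(00000003)
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
EOF
}
sample_accepted() {
    cat <<'EOF'
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
EOF
}

# Live probe; HOST and PORT are supplied by the operator.
check_sslv3() {
    openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>&1 | classify_handshake
}
if [ "$#" -eq 2 ]; then
    check_sslv3 "$1" "$2"
else
    sample_refused | classify_handshake
    sample_accepted | classify_handshake
fi
```

The refused case is tested before the accepted one because a failed handshake can still print a `Protocol  : SSLv3` line in the session block; the cipher field is what shows whether anything was negotiated.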