Hello,

that's a great tutorial :)

Does the web interface of Zen still work correctly after that (e.g. not
overriding/removing SSLHonorCipherOrder & SSLAllowClientRenegotiation)?

Is the Zen web interface also really slow? I have had this issue since updating
some components.

Regards,
Mathieu CHATEAU
http://www.lotp.fr

2015-06-17 20:58 GMT+02:00 Gruber Alexander <alexander.gru...@az-druck.de>:

>   Hi,
>
>  a quick howto for the Pound and OpenSSL upgrade.
>
>  First upgrade to Debian wheezy:
>
> http://sysadminosaurus.blogspot.de/2014/07/zen-load-balancer-303-perfomance-and.html
>
>  *Install tools*
>  apt-get install build-essential devscripts m4 quilt debhelper zlib1g-dev bc g++ cmake
>
>  *Hoard for Pound*
>  apt-get install libpcrecpp0 libpcre3-dev libpcre3 libpcre++0 libpcre++-dev libtcmalloc-minimal4 libgoogle-perftools4 libgoogle-perftools-dev
>
>  mkdir hoard
>  cd hoard/
>
>  wget https://github.com/emeryberger/Hoard/releases/download/3.10/Hoard-3.10-source.tar.gz
>
>  gunzip Hoard-3.10-source.tar.gz
>  tar -xf Hoard-3.10-source.tar
>  cd Hoard/src
>
>  make linux-gcc-x86
>
>  cp libhoard.so /usr/lib/.
>
>  *load hoard lib*
>  export LD_PRELOAD=/usr/lib/libhoard.so
>
>  add the following line to /etc/profile:
>  export LD_PRELOAD=/usr/lib/libhoard.so
>
>  ldd /bin/ls
>
>  *upgrade SSL*
>
>  cd ~
>  mkdir openssl
>  cd openssl
>
>  apt-get source openssl
>
>  cd openssl-*
>
>  quilt pop -a
>
>  *disable insecure ciphers, SSLv2 and SSLv3*
>  vi debian/rules
>  CONFARGS  = -no-comp --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2 no-ssl3  # include no-ssl3 for even better security
>
>  quilt push -a
>
>  dpkg-source --commit
>
>  debuild -uc -us
>
>
>  cd ..
>
>  dpkg -i *ssl*.deb
>
>  apt-mark hold libssl-dev libssl-doc libssl openssl libssl1.0.0 libssl1.0.0-dbg
>
>  reboot
>
>
>  *Pound upgrade*
>  mkdir pound
>  cd pound
>
>  wget https://fossies.org/linux/www/Pound-2.7.tgz
>
>  tar -xf Pound-2.7.tgz
>
>  cd Pound-2.7
>
>  ./configure
>
>  make
>
>  cp pound /usr/local/zenloadbalancer/app/pound/sbin/pound2.7
>  cp poundctl /usr/local/zenloadbalancer/app/pound/sbin/poundctl2.7
>  cp /usr/local/zenloadbalancer/app/pound/sbin/pound /usr/local/zenloadbalancer/app/pound/sbin/pound2.5
>  cp /usr/local/zenloadbalancer/app/pound/sbin/poundctl /usr/local/zenloadbalancer/app/pound/sbin/poundctl2.5
>  cp /usr/local/zenloadbalancer/app/pound/sbin/pound2.7 /usr/local/zenloadbalancer/app/pound/sbin/pound
>  cp /usr/local/zenloadbalancer/app/pound/sbin/poundctl2.7 /usr/local/zenloadbalancer/app/pound/sbin/poundctl
>  cd ~
>
>   Edit Farms
>
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>
>  Intermediate ciphers from
> https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
>
>  edit the Pound configuration
> (/usr/local/zenloadbalancer/config/<FARM>_pound.cfg)
> and add the following lines:
>
>         SSLHonorCipherOrder     1
>         SSLAllowClientRenegotiation     0
>
>  Regards
> Alex
>
> On 17.06.2015 at 13:54, Mathieu Chateau <mathieu.chat...@lotp.fr> wrote:
>
>   POODLE is officially fixed only in the enterprise edition.
>
>  But I am using the community edition and could work around it.
>
>  After changing the cipher, did you hit the restart button that appeared?
> The cipher I sent you does not allow any SSLv3 while it's still technically
> enabled.
>
>  Regards,
> Mathieu CHATEAU
> http://www.lotp.fr
>
> 2015-06-17 13:43 GMT+02:00 Emrah DALGIÇ <emrah.dal...@hititcs.com>:
>
>>  I checked the ISO and it is 3.0.
>>
>> How could I check the version via the GUI or CLI?
>>
>> *From:* Mathieu Chateau [mailto:mathieu.chat...@lotp.fr]
>> *Sent:* Wednesday, June 17, 2015 2:29 PM
>>
>> *To:* zenloadbalancer-support
>> *Subject:* Re: [Zenloadbalancer-support] ZEN poodle disable
>>
>> Do you have version 3.0.5 of Zen?
>>
>>   Regards,
>> Mathieu CHATEAU
>> http://www.lotp.fr
>>
>> 2015-06-17 13:21 GMT+02:00 Emrah DALGIÇ <emrah.dal...@hititcs.com>:
>>
>>  Hello,
>>
>> I am testing on the same page and the result is below:
>>
>> *This server is vulnerable to the POODLE attack. If possible, disable SSL
>> 3 to mitigate. Grade capped to C.*
>>
>> Regards.
>>
>>
>>
>> *From:* Mathieu Chateau [mailto:mathieu.chat...@lotp.fr]
>> *Sent:* Wednesday, June 17, 2015 2:13 PM
>>
>>
>> *To:* zenloadbalancer-support
>> *Subject:* Re: [Zenloadbalancer-support] ZEN poodle disable
>>
>> Hello,
>>
>> What is your Zen version? 3.0.5?
>>
>> Please test your SSL security from here (if exposed on the internet):
>>
>> https://www.ssllabs.com/ssltest/index.html
>>
>> No way to get an "A" on Qualys, but my web site is not POODLE friendly:
>>
>> *POODLE (SSLv3)*
>>
>> No, SSL 3 not supported (more info
>> <https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack>
>> )
>>
>> *POODLE (TLS)*
>>
>> No (more info
>> <https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls>
>> )
>>
>>   Regards,
>> Mathieu CHATEAU
>> http://www.lotp.fr
>>
>> 2015-06-17 12:49 GMT+02:00 Emrah DALGIÇ <emrah.dal...@hititcs.com>:
>>
>>  Hello Mathieu,
>>
>> I used your cipher but the result is still vulnerable to POODLE.
>>
>> Best Regards.
>>
>>
>>
>> *From:* Mathieu Chateau [mailto:mathieu.chat...@lotp.fr]
>> *Sent:* Wednesday, June 17, 2015 12:13 PM
>> *To:* zenloadbalancer-support
>> *Subject:* Re: [Zenloadbalancer-support] ZEN poodle disable
>>
>> Hello,
>>
>> To disable SSLv3 and get the highest security, set this custom cipher:
>>
>> ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
>>
>> TLS v1.2 is not available as it's linked to OpenSSL and we are stuck with
>> the old one.
>>
>>   Regards,
>> Mathieu CHATEAU
>> http://www.lotp.fr
>>
>> 2015-06-17 10:43 GMT+02:00 Emrah DALGIÇ <emrah.dal...@hititcs.com>:
>>
>>  Dear All,
>>
>> I want to disable SSLv3 and use TLSv1 and TLSv1.2. Could you please
>> tell me the correct ciphers for an HTTPS farm?
>>
>> Best Regards.
>>
>> *Emrah Dalgıç*
>>
>> The information contained in this communication may contain confidential
>> or legally privileged information. Hitit Computer Services doesn't accept
>> any legal responsibility for the contents and attachments of this message.
>> If you are not the intended recipient you are hereby notified that any
>> disclosure, use, copying, distribution or taking any action in reliance on
>> the contents of this information is strictly prohibited. If you have
>> received this communication in error, please notify the sender immediately
>> by responding to this e-mail and then delete it from your system. The
>> sender does not accept any liability for any errors or omissions or any
>> viruses in the context of this message which arise as a result of internet
>> transmission. Thank you.
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> Zenloadbalancer-support mailing list
>> Zenloadbalancer-support@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support
>
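The howto quoted above (an OpenSSL rebuilt with `no-ssl3`, plus `SSLHonorCipherOrder 1` and `SSLAllowClientRenegotiation 0` in the farm's Pound config) and the earlier cipher-only advice that still scanned as POODLE-vulnerable make one point worth checking mechanically: a cipher string cannot turn a protocol version off. The following Python linter for a Pound `ListenHTTPS` block is an added example, not code from the thread, from Pound or from Zen Load Balancer. It assumes Pound 2.7's `Disable` listener directive (`Disable SSLv3`; confirm the keyword in your Pound's man page) and constructs its two sample listeners itself, with placeholder address and certificate path.

```python
"""Lint a Pound ListenHTTPS block for the hardening discussed in the thread.

Added example, not code from Pound or Zen Load Balancer. Assumes the Pound 2.7
listener directives Ciphers, Disable, SSLHonorCipherOrder and
SSLAllowClientRenegotiation; confirm `Disable` in your Pound's man page.
"""
import re

# OpenSSL cipher-list keywords and suite-name shapes a defender wants excluded.
WEAK_KEYWORDS = {"RC4", "MD5", "DES", "EXPORT", "EXP", "LOW", "aNULL", "eNULL", "NULL"}
WEAK_SUITE_RE = re.compile(r"(^|-)RC4-|-MD5$|^EXP-|^DES-CBC-SHA$|^NULL-")
# Tokens the string must kill with '!' so later additions cannot bring them back.
REQUIRED_KILLS = ("RC4", "MD5", "aNULL")


def parse_directives(cfg_text):
    """Yield (keyword, value) per directive line; comments and blank lines are skipped."""
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        yield parts[0], value


def cipher_string_issues(cipher_string):
    """Return findings for weak tokens an OpenSSL cipher string leaves enabled.

    Only '!' removes a token for good; '-' removes until re-added and '+' only
    reorders, so neither counts as adding or guaranteeing anything. Aliases such
    as HIGH are not expanded here: `openssl ciphers -v '<string>'` is the authority.
    """
    enabled, killed = [], set()
    for token in cipher_string.split(":"):
        if token.startswith("!"):
            killed.add(token[1:])
        elif token.startswith(("-", "+")):
            continue
        else:
            enabled.append(token)
    issues = [f"weak cipher token enabled: {t}"
              for t in enabled if t in WEAK_KEYWORDS or WEAK_SUITE_RE.search(t)]
    issues += [f"cipher string does not permanently exclude !{k}"
               for k in REQUIRED_KILLS if k not in killed]
    return issues


def lint_https_listener(cfg_text):
    """Return a list of findings for one ListenHTTPS block; an empty list passes."""
    directives = dict(parse_directives(cfg_text))
    disabled = {v for k, v in parse_directives(cfg_text) if k == "Disable"}
    findings = []
    # Conservative: require the explicit directive. An OpenSSL built with no-ssl3
    # (the howto's route) is invisible from the config and must be checked separately.
    if "SSLv3" not in disabled:
        findings.append("no 'Disable SSLv3' directive: a cipher string alone does not "
                        "turn the protocol off, so SSLv3 stays negotiable unless "
                        "OpenSSL itself was built with no-ssl3")
    if directives.get("SSLHonorCipherOrder") != "1":
        findings.append("SSLHonorCipherOrder should be 1 so the server picks the suite")
    if directives.get("SSLAllowClientRenegotiation") != "0":
        findings.append("SSLAllowClientRenegotiation should be set to 0 explicitly")
    ciphers = directives.get("Ciphers")
    if ciphers is None:
        findings.append("no Ciphers directive: the OpenSSL default list is used")
    else:
        findings.extend(cipher_string_issues(ciphers))
    return findings


# Constructed sample listeners (placeholder address and cert path), modelled on
# the farm files the thread mentions. The first follows the howto's settings.
HARDENED_LISTENER = """\
ListenHTTPS
    Address 192.0.2.10
    Port 443
    Cert "/usr/local/zenloadbalancer/config/EXAMPLE_FARM.pem"
    Ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
    Disable SSLv3
    SSLHonorCipherOrder 1
    SSLAllowClientRenegotiation 0
End
"""
# The thread's earlier cipher-only advice: RC4 stays enabled and nothing turns
# SSLv3 off, which is why the scanner still reported POODLE.
CIPHER_ONLY_LISTENER = """\
ListenHTTPS
    Address 192.0.2.10
    Port 443
    Cert "/usr/local/zenloadbalancer/config/EXAMPLE_FARM.pem"
    Ciphers "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
End
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_LISTENER), ("cipher-only", CIPHER_ONLY_LISTENER)):
        findings = lint_https_listener(cfg)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Point the script at the `ListenHTTPS` block of a real `<FARM>_pound.cfg` to get the same findings; the hardened sample passes, while the cipher-only sample reports five, including the missing `Disable SSLv3`. Because the linter does not expand aliases like `HIGH`, run `openssl ciphers -v` on the same string with the OpenSSL the Pound binary is linked against to see the exact suites it offers.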