Hi,

with screenshots:

1) Update / Upgrade Zen Load Balancer Debian
   http://www.evernote.com/l/AE_SCs54ZuZLsJHycnelLVQXn9NXnqxfytM/
2) Pound and SSL update for Zen Load Balancer
   http://www.evernote.com/l/AE_JidoA6lxKGIpzq1Empo_z9SJWT_BqyMo/
3) Change ciphers for SSL in Zen Load Balancer
   http://www.evernote.com/l/AE9crg9agTJFT4p5gGLcNJrFD5mzzLtNyyE/

SSL grade A+ :)

Regards
Alex

From: Gruber Alexander [mailto:alexander.gru...@az-druck.de]
Sent: Wednesday, 17 June 2015 22:56
To: <zenloadbalancer-support@lists.sourceforge.net>
Subject: Re: [Zenloadbalancer-support] ZEN poodle disable

yes, works perfectly. The additional config is not overridden. The GUI is not fast, but the speed is OK.

On 17.06.2015 at 21:28, Mathieu Chateau <mathieu.chat...@lotp.fr> wrote:

Hello,

that's a great tutorial :)
Does the web interface of zen still work correctly after that? (not overriding/removing SSLHonorCipherOrder & SSLAllowClientRenegotiation, for example)?
Is the zen web interface really slow also? I have had this issue since updating some components.

Regards,
Mathieu CHATEAU
http://www.lotp.fr

2015-06-17 20:58 GMT+02:00 Gruber Alexander <alexander.gru...@az-druck.de>:

Hi,

a quick howto for the Pound and OpenSSL upgrade.

First upgrade to Debian wheezy:
http://sysadminosaurus.blogspot.de/2014/07/zen-load-balancer-303-perfomance-and.html

Install tools:
apt-get install build-essential devscripts m4 quilt debhelper zlib1g-dev bc g++ cmake

Hoard for Pound:
apt-get install libpcrecpp0 libpcre3-dev libpcre3 libpcre++0 libpcre++-dev libtcmalloc-minimal4 libgoogle-perftools4 libgoogle-perftools-dev
mkdir hoard
cd hoard/
wget https://github.com/emeryberger/Hoard/releases/download/3.10/Hoard-3.10-source.tar.gz
gunzip Hoard-3.10-source.tar.gz
tar -xf Hoard-3.10-source.tar
cd Hoard/src
make linux-gcc-x86
cp libhoard.so /usr/lib/.

Load the hoard lib:
export LD_PRELOAD=/usr/lib/libhoard.so

Add the next line to /etc/profile:
export LD_PRELOAD=/usr/lib/libhoard.so

Check that it is picked up:
ldd /bin/ls

Upgrade SSL:
cd ~
mkdir openssl
cd openssl
apt-get source openssl
cd openssl-*
quilt pop -a

Disable insecure ciphers, SSLv2 and SSLv3 in debian/rules:
vi debian/rules
CONFARGS = -no-comp --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2 no-ssl3 # Include no-ssl3 for even better security.

quilt push -a
dpkg-source --commit
debuild -uc -us
cd ..
dpkg -i *ssl*.deb
apt-mark hold libssl-dev libssl-doc libssl openssl libssl1.0.0 libssl1.0.0-dbg
reboot

Pound upgrade:
mkdir pound
cd pound
wget https://fossies.org/linux/www/Pound-2.7.tgz
tar -xf Pound-2.7.tgz
cd Pound-2.7
./configure
make
cp pound /usr/local/zenloadbalancer/app/pound/sbin/pound2.7
cp poundctl /usr/local/zenloadbalancer/app/pound/sbin/poundctl2.7
cp /usr/local/zenloadbalancer/app/pound/sbin/pound /usr/local/zenloadbalancer/app/pound/sbin/pound2.5
cp /usr/local/zenloadbalancer/app/pound/sbin/poundctl /usr/local/zenloadbalancer/app/pound/sbin/poundctl2.5
cp /usr/local/zenloadbalancer/app/pound/sbin/pound2.7 /usr/local/zenloadbalancer/app/pound/sbin/pound
cp /usr/local/zenloadbalancer/app/pound/sbin/poundctl2.7 /usr/local/zenloadbalancer/app/pound/sbin/poundctl
cd ~

Edit farms, custom cipher string:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Intermediate ciphers from https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility

Edit the Pound configuration (/usr/local/zenloadbalancer/config/<FARM>_pound.cfg) and add the following lines:
SSLHonorCipherOrder 1
SSLAllowClientRenegotiation 0

Regards
Alex

On 17.06.2015 at 13:54, Mathieu Chateau <mathieu.chat...@lotp.fr> wrote:

Poodle is officially fixed only in the enterprise edition. But I am using the community edition and could work around it.
After changing the cipher, did you hit the restart button that appeared?
The cipher I sent you does not allow any SSLv3, while it is still technically enabled.

Regards,
Mathieu CHATEAU
http://www.lotp.fr

2015-06-17 13:43 GMT+02:00 Emrah DALGIÇ <emrah.dal...@hititcs.com>:

I checked the iso and it is 3.0. How could I check the version via GUI or CLI?

From: Mathieu Chateau [mailto:mathieu.chat...@lotp.fr]
Sent: Wednesday, June 17, 2015 2:29 PM
To: zenloadbalancer-support
Subject: Re: [Zenloadbalancer-support] ZEN poodle disable

Do you have version 3.0.5 of Zen?

Regards,
Mathieu CHATEAU
http://www.lotp.fr

2015-06-17 13:21 GMT+02:00 Emrah DALGIÇ <emrah.dal...@hititcs.com>:

Hello,

I am testing on the same page and the result is below:

This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.

Regards.

From: Mathieu Chateau [mailto:mathieu.chat...@lotp.fr]
Sent: Wednesday, June 17, 2015 2:13 PM
To: zenloadbalancer-support
Subject: Re: [Zenloadbalancer-support] ZEN poodle disable

Hello,

what is your zen version? 3.0.5?
Please test your ssl security from here (if exposed on the internet): https://www.ssllabs.com/ssltest/index.html

No way to get an "A" on Qualys, but my web site is not poodle friendly:

POODLE (SSLv3)  No, SSL 3 not supported (more info: https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack)
POODLE (TLS)    No (more info: https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls)

Regards,
Mathieu CHATEAU
http://www.lotp.fr

2015-06-17 12:49 GMT+02:00 Emrah DALGIÇ <emrah.dal...@hititcs.com>:

Hello Mathieu,

I used your cipher but the result is still vulnerable to poodle.

Best Regards.

From: Mathieu Chateau [mailto:mathieu.chat...@lotp.fr]
Sent: Wednesday, June 17, 2015 12:13 PM
To: zenloadbalancer-support
Subject: Re: [Zenloadbalancer-support] ZEN poodle disable

Hello,

to disable ssl v3 and get the highest security, set this custom cipher:
ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM

TLS v1.2 is not available as it's linked to openssl and we are stuck with the old one.

Regards,
Mathieu CHATEAU
http://www.lotp.fr

2015-06-17 10:43 GMT+02:00 Emrah DALGIÇ <emrah.dal...@hititcs.com>:

Dear All,

I want to disable SSLv3 and use TLSv1 and TLSv1.2. Could you please inform me of the correct ciphers for an https farm?

Best Regards.
Emrah Dalgıç

The information contained in this communication may contain confidential or legally privileged information. Hitit Computer Services doesn't accept any legal responsibility for the contents and attachments of this message. If you are not the intended recipient you are hereby notified that any disclosure, use, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited. If you have received this communication in error, please notify the sender immediately by responding to this e-mail and then delete it from your system. The sender does not accept any liability for any errors or omissions or any viruses in the context of this message which arise as a result of internet transmission. Thank you.

------------------------------------------------------------------------------
_______________________________________________
Zenloadbalancer-support mailing list
Zenloadbalancer-support@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support
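An added example, not code from the thread, Zen Load Balancer or Pound: a small Python checker for the settings the thread converges on. It reads the top-level directives of a Pound ListenHTTPS block, reports when SSLHonorCipherOrder is not 1 or SSLAllowClientRenegotiation is not 0, checks whether SSLv3 is switched off at the protocol level rather than only by cipher selection (it assumes the Pound 2.7 built above accepts a `Disable SSLv3` directive), and inspects the cipher string for tokens that keep RC4, MD5, NULL, export or DES suites enabled. The two configurations, the certificate path and the backend address are constructed; the cipher check is plain token inspection and does not expand OpenSSL aliases such as HIGH.

```python
"""Audit the TLS settings of a Pound ListenHTTPS block (example, not Pound code).

Assumes Pound's 'Directive value' syntax inside 'ListenHTTPS ... End' and that
'Disable SSLv3' is accepted (assumption). The cipher check is plain token
inspection; it does not expand OpenSSL aliases such as HIGH.
"""

# Substrings that mark an enabled cipher-string token as weak or legacy.
# Constructed for this example; not an exhaustive list.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "DES", "LOW", "SSLV2", "SSLV3")

# Pound keywords that open a '... End' block; nested blocks are skipped.
BLOCK_OPENERS = {"LISTENHTTP", "LISTENHTTPS", "SERVICE", "BACKEND", "EMERGENCY", "SESSION"}


def listen_https_directives(config_text):
    """Top-level directives of the first ListenHTTPS block as {name: [values]}.
    A directive such as Disable may appear more than once, hence the list."""
    directives, depth, in_https = {}, 0, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        word = parts[0].upper()
        if word == "END":
            depth -= 1
            if in_https and depth == 0:
                break                             # end of the ListenHTTPS block
            continue
        if word in BLOCK_OPENERS:
            if word == "LISTENHTTPS" and depth == 0:
                in_https = True
            depth += 1
            continue
        if in_https and depth == 1:
            value = parts[1].strip().strip('"') if len(parts) > 1 else ""
            directives.setdefault(parts[0], []).append(value)
    return directives


def weak_enabled_tokens(cipher_string):
    """Tokens that enable a weak family, i.e. are not removed with '!' or '-'.
    OpenSSL's '!DES' covers single DES only, so a 3DES suite such as
    DES-CBC3-SHA stays enabled and is reported here as legacy."""
    flagged = []
    for token in cipher_string.split(":"):
        if not token or token[0] in "!-":
            continue
        name = token.lstrip("+").upper()
        if any(marker in name for marker in WEAK_MARKERS):
            flagged.append(token)
    return flagged


def audit(config_text):
    """Return the list of findings for the ListenHTTPS block (empty = passes)."""
    d = listen_https_directives(config_text)
    findings = []
    if "SSLv3" not in d.get("Disable", []):
        findings.append("no 'Disable SSLv3': a strict cipher list alone leaves "
                        "the SSLv3 protocol enabled")
    if d.get("SSLHonorCipherOrder", [""])[0] != "1":
        findings.append("SSLHonorCipherOrder is not set to 1, the client picks the suite")
    if d.get("SSLAllowClientRenegotiation", [""])[0] != "0":
        findings.append("SSLAllowClientRenegotiation is not set to 0")
    ciphers = d.get("Ciphers", [""])[0]
    if not ciphers:
        findings.append("no Ciphers directive, the OpenSSL default list applies")
    for token in weak_enabled_tokens(ciphers):
        findings.append(f"cipher string enables weak or legacy token {token!r}")
    return findings


# Constructed farm config in the shape the thread starts from: the first cipher
# string suggested in the thread and none of the extra directives.
BEFORE_CONFIG = """
ListenHTTPS
    Address 0.0.0.0
    Port 443
    Cert "/path/to/farm-cert.pem"    # placeholder path
    Ciphers "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    Service "web"
        BackEnd
            Address 192.0.2.10
            Port 80
        End
    End
End
"""

# Constructed config after the thread's hardening: the Mozilla intermediate
# list, the two directives added to <FARM>_pound.cfg, and SSLv3 disabled.
AFTER_CONFIG = """
ListenHTTPS
    Address 0.0.0.0
    Port 443
    Cert "/path/to/farm-cert.pem"
    Ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
    SSLHonorCipherOrder 1
    SSLAllowClientRenegotiation 0
    Disable SSLv3
    Service "web"
        BackEnd
            Address 192.0.2.10
            Port 80
        End
    End
End
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"{label}:")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

Run as a script it lists four findings for the starting configuration (no protocol-level SSLv3 disable, neither directive set, RC4 enabled) and one for the hardened one: DES-CBC3-SHA stays enabled because the Mozilla intermediate profile keeps 3DES for old clients and `!DES` only removes single DES. The string inspection is deliberately conservative; `openssl ciphers -v '<string>'` on the balancer itself remains the authoritative way to see which suites a cipher string really expands to against the installed OpenSSL.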