Hmmm, Debian should update their packages. Zen 3.10.1 comes with Pound 2.6-6. According to their announcements EC support was added to Pound 2.7e in 2014:

http://www.apsis.ch/pound/pound_list/archive/2014/2014-12/1418046442000/index_html

Jurgen.


On 11/07/2016 23:35, Emilio Campos wrote:

Just to inform you, the Pound version in Zen 3.10.1 is the stable version defined by Debian jessie.

Regards


Sent from mobile

On 8 Jul 2016 11:54 a.m., "Jurgen Schepers" <jurgen.schep...@chapoo.com> wrote:

    I just tried this on a freshly installed 3.10.1 and with the
    cipher list you mention I get B in SSLlabs and no support for ATS.

    The highest I can get is A-, also without ATS support, using this
    simple cipher list:

    DEFAULT:!EDH:!RC4

    As I understand it the Pound server is too old to support all the
    ciphers of type EC. So it won't be possible to get ATS working
    with Zen 3.10.1.

    Jurgen.


    On 30/06/2016 8:35, Emilio Campos wrote:

    Dear Scott, could you let us know which Zen version you are working
    with? 3.10.1 is recommended; 3.7 or the preview version is not supported.

    Community Edition is totally integrated with the Debian distro,
    so you could update openssl with the tools for updating packages:

    apt-get update
    apt-get install openssl

    On the other hand, what kind of issue do you detect? Ciphers in
    Zen are based on OpenSSL, so any cipher list has to work on the LB
    side, but other vendors such as Apple can support a different cipher
    list. Do you know the supported list? Maybe some ciphers are not
    supported by Apple but Zen supports them.

    BTW, you can use the DEFAULT cipher list; this is a reserved
    list of ciphers in OpenSSL.

    Also this cipher list is supported in 3.10.1 and gives A+ in SSLlabs.

    
    kEECDH+ECDSA+AES128:kEECDH+ECDSA+AES256:kEECDH+AES128:kEECDH+AES256:kEDH+AES128:kEDH+AES256:DES-CBC3-SHA:+SHA:!aNULL:!eNULL:!LOW:!kECDH:!DSS:!MD5:!EXP:!PSK:!SRP:!CAMELLIA:!SEED

    Scott, if you are talking about offering another alternative to
    the customer, remember Zen offers an Enterprise Line solution.

    Regards!


    2016-06-30 7:11 GMT+02:00 Scott Berry <sc...@boompayments.com>:

        Hi All,

        I recall testing this project a LONG time ago when it was in
        alpha/beta. It has come a long way and I now have a case to
        use Zen but am running into an issue. No matter what I have
        tried we are having an issue with iOS9 and the new ATS
        requirement. In essence I cannot find a set of ciphers (or
        any setting) that will allow iOS 9 to connect through Zen
        when I am offloading SSL. The certs meet all the
        requirements, they worked for this purpose on AWS ELB and
        directly on nginx so we know they are good. I have tried at
        least a dozen cipher combinations. No matter what when I test
        with the SSL labs test it always fails. I only saw a brief
        discussion about weak ciphers related to Zen on this list or
        somewhere. It had some mentions about changes to openssl
        through SSH but not enough information to go on.

        Current cipher
        list: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

        I also tested this set, which is what Cloudflare recommended
        and gives us an A- using Zen on SSLLabs testing:

        EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

        Either way I am looking to see if there is some info or
        solution out there for this. I’d rather keep Zen and even
        push the client towards a paid option if it works out.
        Otherwise I guess I have to go back to HAProxy which I’d
        rather not.

        Thanks!
        *- - - - -*
        *Scott Berry*
        Lead Developer | Boom! Payments
        m: 1.661.478.7144
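
The situation described in this thread, as an added example that is not part of the original messages or of Zen/Pound: it expands two of the quoted cipher strings with the local OpenSSL (through Python's `ssl` module) and shows which key exchanges are left once ECDHE is taken away. The `server_has_ec` switch is an assumption that models a server build without EC support; the function names are hypothetical.

```python
import ssl
from collections import Counter

# Cipher strings quoted in the thread.
JURGEN = "DEFAULT:!EDH:!RC4"
SCOTT = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

CERT_AUTH = {"auth-rsa", "auth-ecdsa"}  # suites usable with an ordinary certificate


def expand(cipher_string):
    """Expand an OpenSSL cipher string with the local library (TLS 1.2 and older)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately and are always listed; skip them.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def usable(cipher_string, server_has_ec):
    """Suites the server could still negotiate.

    Assumption (model of the thread's finding): a build without EC support
    cannot complete any ECDHE key exchange, whatever the cipher string says.
    """
    kx = {"kx-rsa", "kx-dhe"} | ({"kx-ecdhe"} if server_has_ec else set())
    return [c for c in expand(cipher_string)
            if c["kea"] in kx and c["auth"] in CERT_AUTH]


def kx_summary(cipher_string, server_has_ec):
    """Count the usable suites per key-exchange type."""
    return Counter(c["kea"] for c in usable(cipher_string, server_has_ec))


def has_ecdhe_aes(cipher_string, server_has_ec):
    """True if at least one ECDHE suite with AES remains (what ATS connects with)."""
    return any(c["kea"] == "kx-ecdhe" and "AES" in c["name"]
               for c in usable(cipher_string, server_has_ec))


if __name__ == "__main__":
    for label, s in (("Jurgen", JURGEN), ("Scott", SCOTT)):
        for ec in (True, False):
            print(label, "EC" if ec else "no EC",
                  dict(kx_summary(s, ec)), "ECDHE+AES:", has_ecdhe_aes(s, ec))
```

The exact suite counts depend on the OpenSSL build Python is linked against; on the load balancer itself, `openssl ciphers -v '<string>'` gives the same expansion for the installed library.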

