Hi Emilio/James,

After looking into it more, yes, OpenSSL is indeed too old. ZenLB 3.10 runs on 
Debian Jessie and uses OpenSSL 1.0.1k, hence supports TLS1.2.

I am rolling out two new LBs for this client in staging right now. But I'm 
struggling to disable SSLv3. No matter what I enter into custom ciphers, 
whatever way I try to disable SSLv3, it ALWAYS handshakes on SSLv3 if I tell 
my test Ubuntu system to force/try SSLv3.

TLSv1 I've got disabled now, and 1.1 too, so TLSv1.2 is the only TLS method 
available. But I can't get rid of SSLv3! Any ideas?

Best Regards,
Dave Byrne
Head of Technical Projects

Office: 01622 524 200
The Maidstone Studios | Vinters Business Park | New Cut Road | Maidstone | Kent | ME14 5NZ

________________________________
This communication and any attachments contain information which is 
confidential and may also be privileged. It is for the exclusive use of the 
intended recipient(s). If you are not the intended recipient(s) please note 
that any form of disclosure, distribution, copying or use of this communication 
or the information in it or in any attachments is strictly prohibited and may 
be unlawful. If you have received this communication in error, please return it 
with the title 'received in error' to david.by...@vooservers.com then delete 
the email and destroy any copies of it. Email communications cannot be 
guaranteed to be secure or error free, as information could be intercepted, 
corrupted, amended, lost, destroyed, arrive late or incomplete, or contain 
viruses. We do not accept liability for any such matters or their consequences. 
Anyone who communicates with us by email is taken to accept the risks in doing 
so. Opinions, conclusions and other information in this email and any 
attachments which do not relate to VooServers are neither given nor endorsed by 
it.

From: Emilio Campos [mailto:emilio.campos.mar...@gmail.com]
Sent: 25 October 2016 16:56
To: zenloadbalancer-support@lists.sourceforge.net
Subject: Re: [Zenloadbalancer-support] Unable to pass SSL Grade 'F' in SSL 
Offload HTTP(S) Farm

Dear James, yes, OpenSSL seems too old; try the next Zen version, which includes a 
recent OpenSSL version.

Bear in mind that SSL security changes over time and vulnerabilities are 
detected, so OpenSSL and Pound should be updated from the package repo if you are 
working with the Community Edition.

Regards!



2016-10-25 17:08 GMT+02:00 James Doherty <j...@jdoherty.net>:
Dave,

Did anyone ever answer this question?

Jim

James M Doherty
President
REVIVE CONSULTING LLC
EMAIL: j...@jdoherty.net
PHONE: 512-650-2997
FAX:       512-717-7526
Author: Bought With A Price <http://bookstore.westbowpress.com/Products/SKU-000731960/Bought-with-a-Price.aspx>
        "Things My Dad Taught Me"
Patents Held (40):
 http://patent.ipexl.com/inventor/James_M_Doherty_1.html


On Thu, Oct 20, 2016 at 11:41 AM, David Byrne <david.by...@vooservers.com> wrote:
Hi,
We have a client who needed to be able to see requests' 'real IP' before SSL 
termination on back-end servers. So our solution was to terminate SSL on ZLB in 
an HTTP(S) farm. This worked fine, but now SSL analysis tests grade the 
SSL/site as grade F due to a number of weaknesses:
-Supports SSLv3
-Supports TLSv1
-Does not support TLSv1.1/1.2
-Diffie-Hellman parameter weak – only 1024 bits

No matter what we change our Cipher/Protocol string to in custom security in 
the Farm, it does not change. It refuses to support TLS above 1.0, and this is 
a major issue for the client.

I believe this is due to ZLB (v3.05) running OpenSSL v0.98.

Please can you advise on whether there is an accepted fix for this? I guess 
updating OpenSSL, but that does seem risky on a packaged system such as ZLB. 
Thanks.

Best Regards,
Dave Byrne
Head of Technical Projects

Office: 01622 524 200
The Maidstone Studios | Vinters Business Park | New Cut Road | Maidstone | Kent | ME14 5NZ
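Both of Dave's messages (the original grade-F findings of SSLv3 and TLSv1 being accepted with no TLSv1.2, and the later problem of SSLv3 still handshaking after the cipher string was changed) come down to one question: which protocol versions does the farm actually accept? The following probe is an added example, not code from this thread or from the ZenLB/Pound projects. It builds a raw ClientHello for each of SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 and reports whether the server answers with a ServerHello or refuses, so it works even on a test box whose own OpenSSL no longer speaks SSLv3. The cipher-suite list, the sample replies used offline and the placeholder host are my own constructions; the example does not measure the Diffie-Hellman parameter size.

```python
"""Raw TLS/SSL protocol-version probe (added example, not ZenLB/Pound code).

Sends a hand-built ClientHello for each protocol version and reports whether
the server replies with a ServerHello (version accepted) or with an alert /
closed connection (version refused). Building the hello by hand means the
probe does not depend on the local OpenSSL still supporting SSLv3.
"""
import os
import socket
import struct

VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}

# Suites chosen (by me) so that both an SSLv3-era and a TLSv1.2-only server can pick one.
CIPHER_SUITES = [
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0033,  # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    0x0039,  # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    0x009C,  # TLS_RSA_WITH_AES_128_GCM_SHA256 (TLSv1.2 only)
    0x009D,  # TLS_RSA_WITH_AES_256_GCM_SHA384 (TLSv1.2 only)
]


def build_client_hello(version, client_random=None):
    """Return one TLS record carrying a minimal ClientHello for `version` (major, minor)."""
    major, minor = version
    rnd = os.urandom(32) if client_random is None else client_random
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        bytes([major, minor])                      # client_version
        + rnd                                      # random (32 bytes)
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", len(suites)) + suites  # cipher_suites
        + b"\x01\x00"                              # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Return the version name from a ServerHello, or None if the server refused.

    A fatal alert (record type 0x15, e.g. protocol_version or handshake_failure),
    an empty reply (connection closed) or anything that is not a ServerHello all
    count as "refused".
    """
    if len(data) < 5 or data[0] != 0x16:
        return None
    record_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + record_len]
    if len(payload) < 6 or payload[0] != 0x02:  # HandshakeType server_hello
        return None
    server_version = (payload[4], payload[5])
    return VERSION_NAMES.get(server_version, "unknown %d.%d" % server_version)


def probe(host, port=443, timeout=5.0):
    """Map each version name to the version the server negotiated, or None if refused."""
    results = {}
    for version, name in VERSION_NAMES.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version))
                reply = sock.recv(4096)
        except OSError:
            reply = b""
        results[name] = parse_server_response(reply)
    return results


def only_tls12(results):
    """True when TLSv1.2 is the only version the server accepted (the goal in the thread)."""
    return results.get("TLSv1.2") == "TLSv1.2" and all(
        v is None for k, v in results.items() if k != "TLSv1.2")


# Constructed sample replies so the parser can be exercised offline.
# An SSLv3 ServerHello (all-zero random, suite 0x002F, null compression):
SAMPLE_SSLV3_SERVER_HELLO = (
    bytes.fromhex("16 0300 002a 02 000026 0300") + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
)
# A fatal protocol_version alert, which is what a hardened server should send to an SSLv3 hello:
SAMPLE_PROTOCOL_VERSION_ALERT = bytes.fromhex("15 0301 0002 02 46")

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "lb.example.invalid"  # placeholder host
    res = probe(target)
    for name, got in res.items():
        print("%-8s %s" % (name, "accepted (%s)" % got if got else "refused"))
    print("only TLSv1.2:", only_tls12(res))
```

Run it against the staging farm (`python3 probe.py lb-host`) before and after each configuration change; the target state is every line reading "refused" except TLSv1.2. One caveat worth keeping in mind while doing so: an OpenSSL cipher string only selects cipher suites, it never removes a protocol version, so a server that still speaks SSLv3 will keep answering SSLv3 hellos with any suite the string allows. Pound 2.7 controls versions separately through its `Disable` directive (for example `Disable SSLv3`); whether the Pound bundled with a given ZenLB release exposes that setting is not established by this thread.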

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Zenloadbalancer-support mailing list
Zenloadbalancer-support@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support


--
Load balancer distribution - Open Source Project
http://www.zenloadbalancer.com
Distribution list (subscribe): 
zenloadbalancer-support@lists.sourceforge.net