Hi all,

I'm trying to drop support for outdated ciphers/protocols within ZLB3.10. 
The client was previously running 3.04; however, this ran OpenSSL 0.98, so it did not 
support anything greater than TLSv1 (which I also want to drop support for).

I have created 2 new LBs running ZLB3.10; as you know, these are Debian 
Jessie based (kernel 3.16) and run OpenSSL 1.0.1k (and support up to TLSv1.2, 
which is good).

For various reasons we need to offload the SSL at the LB, so we need to run 
HTTP farms, as opposed to just using L4xNAT farms and terminating the SSL cert 
at the LB. Within the HTTP farms, I have tried the following cipher strings to 
drop SSLv3 and TLSv1 support:


- ALL:!MD5:!ADH:RC4+RSA:+HIGH:+EXP:+eNULL:-SSLv2:-SSLv3:-TLSv1:-MEDIUM:-LOW
- ALL:!MD5:!ADH:+HIGH:-SSLv2:-SSLv3:-TLSv1:-MEDIUM:-LOW
- ALL:!MD5:!ADH:+HIGH:-SSLv2:-SSLv3:-TLSv1
- And various other combinations of things to try and remove SSLv3 support.

I've somehow managed to get it to refuse to handshake on TLSv1 and 1.1, which 
is fine I guess. I was only trying to remove support for TLSv1, but that's 
fine. My main issue is that SSLv3 won't go away, no matter what I try. If I force 
an SSLv3 connection from a neighbouring host in the test environment, I get the 
following:

[root@testvm]# openssl -s_client -connect 10.10.xx.xx:443 -ssl3
14067300137923:error:140A90C4:SSL routines:SSL_CTX_new:null ssl method 
passed:ssl_lib.c:1878
[root@testvm]#

(Internal IP redacted for security, but it's the virtual IP that the HTTP(s) 
farm is bound to on the LB)

Is the above saying it handshaked on SSLv3? Other places on the internet 
suggest I should get an outright handshake error (like I do with TLSv1, for 
example). An example of a refused TLSv1 handshake is below; interestingly, the TLSv1 
handshake failure does state it tried to use SSLv3 routines but failed (this 
sounds good?):

[root@testvm]# openssl -s_client -connect 10.10.xx.xx:443 -tls1
14006743093982:error:1409E0E5:SSL routines:ssl3_read_bytes:sslv3 alert 
handshake failure:s3_pkt.c:1472:SSL alert number 40
---
No peer certificate available
---
[snip]
[root@testvm]#

Any advice appreciated. Thanks.

Best Regards,
Dave Byrne
Head of Technical Projects

Office: 01622 524 200
The Maidstone Studios | Vinters Business Park | New Cut Road | Maidstone | Kent 
| ME14 5NZ
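Added example (not from the original post, and not ZLB's or OpenSSL's own code): the protocol keywords in an OpenSSL cipher string (`SSLv3`, `TLSv1`, ...) select cipher suites by the protocol version that introduced them; they do not turn protocol versions off. The script below feeds the poster's strings through Python's `ssl` module, which wraps the same libssl cipher-list parser, and counts the surviving suites by that label. With `-SSLv3:-TLSv1` every SSLv3-era and TLSv1.0-era suite is gone, so a TLSv1.0 or TLSv1.1 client has no suite left to negotiate and gets alert 40 (handshake failure), while the SSLv3 protocol itself is still enabled on the listener. Disabling a protocol version is a context setting (`minimum_version` here; `SSL_OP_NO_SSLv3` in the C API), shown in the last function. Assumptions not stated on the page: Python 3.7+ linked against OpenSSL 1.1.1 or later, and the `-SSLv2` keyword is dropped from the poster's strings because those builds contain no SSLv2 code at all.

```python
"""Show what an OpenSSL cipher string's protocol keywords really do.

Added example, not code from the original post. Assumes Python 3.7+ on
OpenSSL 1.1.1+; the poster's "-SSLv2" keyword is omitted (no SSLv2 there).
"""
import ssl
from collections import Counter

# The poster's second and third cipher strings, minus "-SSLv2" (see docstring).
POSTED_STRINGS = {
    "posted_2": "ALL:!MD5:!ADH:+HIGH:-SSLv3:-TLSv1:-MEDIUM:-LOW",
    "posted_3": "ALL:!MD5:!ADH:+HIGH:-SSLv3:-TLSv1",
}


def _expand(cipher_string):
    """Let libssl parse the string and return its suite records
    (the same data `openssl ciphers -v` prints)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def suites_by_protocol(cipher_string):
    """Count surviving suites by the protocol that introduced them
    ('SSLv3', 'TLSv1.0', 'TLSv1.2', 'TLSv1.3' labels from libssl)."""
    return Counter(c["protocol"] for c in _expand(cipher_string))


def suite_names(cipher_string, protocol):
    """Names of the suites a cipher string keeps under one protocol label."""
    return sorted(c["name"] for c in _expand(cipher_string)
                  if c["protocol"] == protocol)


def tls12_only_context():
    """A server context that refuses SSLv3/TLSv1.0/TLSv1.1 handshakes.
    The protocol floor is a context setting; the cipher string then only
    needs to choose suites, not protocols."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ALL:!MD5:!ADH:!aNULL:!eNULL:+HIGH")
    return ctx


def minimum_version_name(ctx):
    """Name of the lowest protocol a context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    print("ALL             :", dict(suites_by_protocol("ALL")))
    for label, s in POSTED_STRINGS.items():
        print(f"{label:16}:", dict(suites_by_protocol(s)))
    print("SSLv3-era suites that 'ALL' still carries:",
          suite_names("ALL", "SSLv3")[:4], "...")
    print("server floor    :", minimum_version_name(tls12_only_context()))
```

A testing caveat that follows from the post's first transcript: `SSL_CTX_new:null ssl method passed` is raised by the client's own libssl before any packet is sent (the method table lookup for SSLv3 returned nothing because that OpenSSL build was compiled without SSLv3), so that run never reached the load balancer and says nothing about what the listener accepts. Check from a host whose `openssl` still has SSLv3 built in, or use a scanner that implements the protocol itself, and treat "sslv3 alert handshake failure" in the second transcript as the server rejecting the suite list rather than the protocol.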

Zenloadbalancer-support mailing list
Zenloadbalancer-support@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support