Using the latest community zen without package updates I can get to A- with this simple cipher string:

DEFAULT:!EDH:!RC4

Jurgen.


On 26/10/2016 11:50, Koen Gysemans wrote:
Hello David,

I found http://sysadminosaurus.blogspot.be/2014/07/zen-load-balancer-303-perfomance-and_9.html a useful article to upgrade and get the SSL rating up.
However I didn't get past a B rating.

Kind regards,

Koen Gysemans

2016-10-26 11:26 GMT+02:00 David Byrne <david.by...@vooservers.com <mailto:david.by...@vooservers.com>>:

    Hi all,

    I’m trying to drop support for outdated ciphers/protocols within
    ZLB3.10. Client was previously running 3.04, however this ran
    OpenSSL 0.98, so did not support anything greater than TLSv1
    (which I also want to drop support for).

    I have created 2 new LB’s running ZLB3.10, as you know these are a
    Debian Jessie base Kernel (3.16), and run OpenSSL 1.0.1k (and
    support up to TLSv1.2, which is good).

    For various reasons, we need to offload the SSL at the LB, so we
    need to run HTTP farms, as opposed to just using L4xNAT farms and
    terminating the SSL Cert at the LB. Within the HTTP farms, I have
    tried the following Cipher Strings to drop SSLv3 and TLSv1 support:

    - ALL:!MD5:!ADH:RC4+RSA:+HIGH:+EXP:+eNULL:-SSLv2:-SSLv3:-TLSv1:-MEDIUM:-LOW

    - ALL:!MD5:!ADH:+HIGH:-SSLv2:-SSLv3:-TLSv1:-MEDIUM:-LOW

    - ALL:!MD5:!ADH:+HIGH:-SSLv2:-SSLv3:-TLSv1

    - And various other combinations of things to try and remove SSLv3
      support.

    I’ve somehow managed to get it to refuse to handshake on TLSv1 and
    1.1, which is fine I guess. I was only trying to remove support
    for TLSv1, but that’s fine. My main issue is SSLv3 won’t go away…
    No matter what I try. If I force an SSLv3 connection from a
    neighbouring host in the test environment, I get the following:

    [root@testvm]# openssl s_client -connect 10.10.xx.xx:443 -ssl3

    14067300137923:error:140A90C4:SSL routines:SSL_CTX_new:null ssl
    method passed:ssl_lib.c:1878

    [root@testvm]#

    (Internal IP redacted for security, but it’s the virtual IP that
    the HTTP(s) farm is bound to on the LB)

    Is the above saying it handshaked on SSLv3? Other places on the
    internet suggest I should get an outright handshake error (like I
    do with TLSv1, for example). An example of a refused TLSv1 handshake
    is below; interestingly, the TLSv1 handshake failure does state it
    tried to use SSLv3 routines but failed (this sounds good?):

    [root@testvm]# openssl s_client -connect 10.10.xx.xx:443 -tls1

    14006743093982:error:1409E0E5:SSL routines:ssl3_read_bytes:sslv3
    alert handshake failure:s3_pkt.c:1472:SSL alert number 40

    ---

    No peer certificate available

    ---

    [snip]

    [root@testvm]#

    Any advice appreciated. Thanks.

    Best Regards,
    Dave Byrne
    Head of Technical Projects

    Office: 01622 524 200
    The Maidstone Studios | Vinters Business Park | New Cut Road |
    Maidstone | Kent | ME14 5NZ



    
------------------------------------------------------------------------------
    The Command Line: Reinvented for Modern Developers
    Did the resurgence of CLI tooling catch you by surprise?
    Reconnect with the command line and become more productive.
    Learn the new .NET and ASP.NET <http://ASP.NET> CLI. Get your free
    copy!
    http://sdm.link/telerik
    _______________________________________________
    Zenloadbalancer-support mailing list
    Zenloadbalancer-support@lists.sourceforge.net
    <mailto:Zenloadbalancer-support@lists.sourceforge.net>
    https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support
    <https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support>
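The two openssl s_client transcripts quoted in the thread are answers to different questions, and telling them apart is the crux of the problem. "SSL_CTX_new:null ssl method passed" (error 140A90C4) is raised inside the client's own OpenSSL when the requested method, here the SSLv3 client method, was compiled out of that build (common on distribution packages built with no-ssl3); no packet ever leaves the test VM, so that run proves nothing about whether the farm still accepts SSLv3. "sslv3 alert handshake failure ... SSL alert number 40", by contrast, is the server refusing: the "sslv3" prefix names the shared record-layer code path in s3_pkt.c, which also carries TLS 1.x, not the protocol that was offered. A related point worth checking before reading a scan result: OpenSSL cipher-string keywords such as -SSLv3 or -TLSv1 filter cipher suites by the protocol version that introduced them, they do not switch a protocol off; a protocol is disabled by the server's protocol options (SSL_OP_NO_SSLv3 in OpenSSL terms), which is a separate setting from the cipher string. The script below is an added example, not part of this thread or of Zen Load Balancer; it classifies captured s_client transcripts so an audit reports a version as "untested" rather than "refused" when the client could not offer it. The first two sample transcripts are the ones quoted above; the third, a completed TLSv1.2 handshake, is constructed.

```python
import re
from enum import Enum


class Outcome(Enum):
    """What a single `openssl s_client -<version>` run actually tells you."""
    CLIENT_LACKS_VERSION = "client OpenSSL built without this protocol; server NOT tested"
    SERVER_REFUSED = "server refused the handshake with a TLS alert"
    NEGOTIATED = "server accepted the handshake"
    UNKNOWN = "transcript could not be classified"


# "null ssl method passed" comes from SSL_CTX_new() in the *client* process:
# the requested method (e.g. SSLv3_client_method) is compiled out, so nothing
# was sent to the server. Treat it as 'untested', never as 'refused'.
CLIENT_NULL_METHOD = re.compile(r"SSL_CTX_new:null ssl method passed")

# A fatal alert from the peer. 'sslv3 alert' names the record-layer code path
# in s3_pkt.c, which also handles TLS 1.x; it does not mean SSLv3 was used.
PEER_ALERT = re.compile(r"alert handshake failure.*?SSL alert number (\d+)", re.S)

# Session summary lines printed after a successful handshake.
PROTOCOL = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
CIPHER = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)


def classify(transcript: str):
    """Return (Outcome, detail) for one s_client transcript."""
    if CLIENT_NULL_METHOD.search(transcript):
        return Outcome.CLIENT_LACKS_VERSION, None
    m = PEER_ALERT.search(transcript)
    if m:
        return Outcome.SERVER_REFUSED, int(m.group(1))
    p, c = PROTOCOL.search(transcript), CIPHER.search(transcript)
    # OpenSSL prints 'Cipher : 0000' when nothing was agreed, so demand a real suite.
    if p and c and c.group(1) != "0000":
        return Outcome.NEGOTIATED, (p.group(1), c.group(1))
    return Outcome.UNKNOWN, None


def audit(runs: dict):
    """Group protocol versions by what their transcripts prove about the server."""
    report = {"accepted": [], "refused": [], "untested": [], "unknown": []}
    bucket = {Outcome.NEGOTIATED: "accepted",
              Outcome.SERVER_REFUSED: "refused",
              Outcome.CLIENT_LACKS_VERSION: "untested"}
    for version, transcript in runs.items():
        outcome, _ = classify(transcript)
        report[bucket.get(outcome, "unknown")].append(version)
    return report


# --- sample transcripts (first two quoted from the thread, third constructed) ---
SSL3_RUN = """14067300137923:error:140A90C4:SSL routines:SSL_CTX_new:null ssl method passed:ssl_lib.c:1878
"""

TLS1_RUN = """14006743093982:error:1409E0E5:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
---
No peer certificate available
---
"""

TLS12_RUN = """CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
---
"""

if __name__ == "__main__":
    for bucket_name, versions in audit(
            {"ssl3": SSL3_RUN, "tls1": TLS1_RUN, "tls1_2": TLS12_RUN}).items():
        print(f"{bucket_name:9s} {versions}")
```

Run against a real host by piping each "openssl s_client -connect host:443 -<version>" output into classify(); a version that lands in "untested" needs a client whose OpenSSL still has that method compiled in (or a different scanner) before any conclusion about the server is drawn.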
