I'm using 3.10.1 with that cipher string and I use ssllabs to test. It clearly shows that SSLv3 is disabled and the result is A-. I checked the pound config file and it has the DisableSSLv3 option set just above the cipher string. I can't remember putting that there myself (/usr/local/zenloadbalancer/config/YourFarm_pound.cfg). I did quite some testing so it is possible it was a manual change but not that I can remember.

If you really need higher scores, another thing you can do is set up a clean minimal CentOS, install pound from EPEL and copy over the config from Zen to CentOS. Things to keep in mind: different file location (/etc/pound.cfg), you need to open the firewall, you need to set up failover, and that SSLv3 option changed in the latest release, so now put "Disable SSLv2" and "Disable SSLv3". That way I got it to A, also allowing forward secrecy so you get iOS support, with this string: AES256+EECDH:AES256+EDH:!NULL. You can probably get to A+ if you have lots of time to spare to tweak it to the max.


On 26/10/2016 13:17, David Byrne wrote:

Hi Jurgen,

I’m intrigued to know how? I can’t use public SSL testers due to the staging environment not being public facing. However I am testing with a direct openssl connection, and using your cipher string, I am able to establish handshake on SSLv3, TLSv1, 1.1 and 1.2. So I can’t imagine any reputable SSL tester would grade an SSL endpoint an A- whilst still offering SSLv3 and TLSv1 connections?

Best Regards,
Dave Byrne
Head of Technical Projects

Office: 01622 524 200
The Maidstone Studios | Vinters Business Park | New Cut Road | Maidstone | Kent | ME14 5NZ
https://www.vooservers.com/
https://www.facebook.com/VooServers | https://twitter.com/vooservers | https://uk.linkedin.com/pub/dave-byrne/79/2aa/983

------------------------------------------------------------------------
This communication and any attachments contain information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) please note that any form of disclosure, distribution, copying or use of this communication or the information in it or in any attachments is strictly prohibited and may be unlawful. If you have received this communication in error, please return it with the title 'received in error' to david.by...@vooservers.com then delete the email and destroy any copies of it. Email communications cannot be guaranteed to be secure or error free, as information could be intercepted, corrupted, amended, lost, destroyed, arrive late or incomplete, or contain viruses. We do not accept liability for any such matters or their consequences. Anyone who communicates with us by email is taken to accept the risks in doing so. Opinions, conclusions and other information in this email and any attachments which do not relate to VooServers are neither given nor endorsed by it.

From: Jurgen Schepers [mailto:jurgen.schep...@chapoo.com]
Sent: 26 October 2016 11:19
To: zenloadbalancer-support@lists.sourceforge.net
Subject: Re: [Zenloadbalancer-support] Cipher String to Drop SSLv3 Protocol in ZLB 3.10

Using the latest community zen without package updates I can get to A- with this simple cipher string:

DEFAULT:!EDH:!RC4

Jurgen.

On 26/10/2016 11:50, Koen Gysemans wrote:

    Hello David,

    I found
    http://sysadminosaurus.blogspot.be/2014/07/zen-load-balancer-303-perfomance-and_9.html
    a useful article to upgrade and get the SSL rating up.

    However, I didn't get past a B rating.

    Kind regards,

    Koen Gysemans

    2016-10-26 11:26 GMT+02:00 David Byrne <david.by...@vooservers.com
    <mailto:david.by...@vooservers.com>>:

        Hi all,

        I'm trying to drop support for outdated ciphers/protocols
        within ZLB 3.10. The client was previously running 3.04; however,
        this ran OpenSSL 0.98, so it did not support anything greater
        than TLSv1 (which I also want to drop support for).

        I have created 2 new LBs running ZLB 3.10. As you know, these
        are Debian Jessie based (kernel 3.16) and run OpenSSL 1.0.1k
        (and support up to TLSv1.2, which is good).

        For various reasons, we need to offload the SSL at the LB, so
        we need to run HTTP farms, as opposed to just using L4xNAT
        farms and terminating the SSL Cert at the LB. Within the HTTP
        farms, I have tried the following Cipher Strings to drop SSLv3
        and TLSv1 support:

        - ALL:!MD5:!ADH:RC4+RSA:+HIGH:+EXP:+eNULL:-SSLv2:-SSLv3:-TLSv1:-MEDIUM:-LOW

        - ALL:!MD5:!ADH:+HIGH:-SSLv2:-SSLv3:-TLSv1:-MEDIUM:-LOW

        - ALL:!MD5:!ADH:+HIGH:-SSLv2:-SSLv3:-TLSv1

        - And various other combinations of things to try and remove
          SSLv3 support.

        I've somehow managed to get it to refuse to handshake on TLSv1
        and 1.1, which is fine I guess. I was only trying to remove
        support for TLSv1, but that's fine. My main issue is SSLv3
        won't go away... no matter what I try. If I force an SSLv3
        connection from a neighbouring host in the test environment, I
        get the following:

            [root@testvm]# openssl s_client -connect 10.10.xx.xx:443 -ssl3
            14067300137923:error:140A90C4:SSL routines:SSL_CTX_new:null ssl method passed:ssl_lib.c:1878
            [root@testvm]#

        (Internal IP redacted for security, but it’s the virtual IP
        that the HTTP(s) farm is bound to on the LB)

        Is the above saying it handshaked on SSLv3? Other places on
        the internet suggest I should get an outright handshake error
        (like I do with TLSv1, for example). An example of a refused TLSv1
        handshake is below; interestingly, the TLSv1 handshake failure
        does state it tried to use SSLv3 routines but failed (this
        sounds good?):

            [root@testvm]# openssl s_client -connect 10.10.xx.xx:443 -tls1
            14006743093982:error:1409E0E5:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
            ---
            No peer certificate available
            ---
            [snip]
            [root@testvm]#

        Any advice appreciated. Thanks.

        Best Regards,
        Dave Byrne
        Head of Technical Projects

        Office: 01622 524 200
        The Maidstone Studios | Vinters Business Park | New Cut Road |
        Maidstone | Kent | ME14 5NZ
        https://www.vooservers.com/
        https://www.facebook.com/VooServers | https://twitter.com/vooservers | https://uk.linkedin.com/pub/dave-byrne/79/2aa/983


        
------------------------------------------------------------------------------
        The Command Line: Reinvented for Modern Developers
        Did the resurgence of CLI tooling catch you by surprise?
        Reconnect with the command line and become more productive.
        Learn the new .NET and ASP.NET <http://ASP.NET> CLI. Get your
        free copy!
        http://sdm.link/telerik
        _______________________________________________
        Zenloadbalancer-support mailing list
        Zenloadbalancer-support@lists.sourceforge.net
        <mailto:Zenloadbalancer-support@lists.sourceforge.net>
        https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support


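The thread turns on one distinction: an OpenSSL cipher string selects cipher suites, while protocol versions are switched on or off separately (in Pound, through the `Disable SSLv3` option Jurgen found in `pound.cfg`). Keywords such as `-SSLv3` or `-TLSv1` inside a cipher string only remove suites that date from that protocol version; they never change which protocol versions the server will negotiate. The script below is an added example, not code from the thread or from the Zen Load Balancer or Pound projects. It uses Python's standard `ssl` module against whatever OpenSSL the interpreter is linked with (not the OpenSSL 1.0.1k on the ZLB 3.10 hosts), so the exact suite lists will differ from the load balancer's, but the behaviour it demonstrates is the same: it audits the two cipher strings Jurgen posted, shows that `ALL:-SSLv3` shrinks the suite list without moving the protocol floor, and shows the protocol floor being set as its own setting.

```python
"""Cipher strings select suites; protocol versions are a separate switch.

Added example for the zenloadbalancer-support thread; not code from the
Zen Load Balancer or Pound projects. Results reflect the OpenSSL this
interpreter is linked against, not OpenSSL 1.0.1k from ZLB 3.10.
"""
import ssl

# Cipher strings quoted in the thread.
JURGEN_SIMPLE = "DEFAULT:!EDH:!RC4"
JURGEN_FS = "AES256+EECDH:AES256+EDH:!NULL"


def parse_description(desc):
    """Split an OpenSSL cipher description such as
    'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'
    into a dict with the suite name, its protocol column and the Kx/Au/Enc/Mac fields."""
    tokens = desc.split()
    fields = {"name": tokens[0], "protocol": tokens[1]}
    for token in tokens[2:]:
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def legacy_suites(spec):
    """Return the parsed suites that the cipher string `spec` enables.
    TLS 1.3 suites are excluded: OpenSSL configures them through a separate
    ciphersuites list, so the legacy cipher string does not control them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if no suite matches at all
    suites = [parse_description(c["description"]) for c in ctx.get_ciphers()]
    return [s for s in suites if s["protocol"] != "TLSv1.3"]


def audit_cipher_spec(spec):
    """Summarise the properties a reviewer checks before deploying a cipher string."""
    suites = legacy_suites(spec)
    enc = lambda s: s.get("Enc", "")
    return {
        "count": len(suites),
        "names": [s["name"] for s in suites],
        "has_rc4": any("RC4" in enc(s) for s in suites),
        # Kx=DH is finite-field ephemeral DH (what the EDH keyword selects).
        "has_edh": any(s.get("Kx") == "DH" for s in suites),
        # Forward secrecy needs an ephemeral exchange: Kx=ECDH (ECDHE) or Kx=DH (DHE).
        "forward_secrecy_only": all(s.get("Kx") in ("ECDH", "DH") for s in suites),
        "aes256_only": all(enc(s).startswith("AES") and enc(s).endswith("(256)")
                           for s in suites),
    }


def protocol_floor_after_cipher_string(spec):
    """A keyword like '-SSLv3' in a cipher string filters suites only.
    Returns (floor_before, floor_after, remaining_legacy_suite_count) so the
    caller can see that the protocol floor is untouched by the cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    before = ctx.minimum_version
    ctx.set_ciphers(spec)
    after = ctx.minimum_version
    remaining = [parse_description(c["description"]) for c in ctx.get_ciphers()]
    remaining = [s for s in remaining if s["protocol"] != "TLSv1.3"]
    return before.name, after.name, len(remaining)


def tls12_floor_context(spec):
    """The protocol floor is its own setting on the context. This is the kind
    of switch Pound's 'Disable SSLv3' option is; here the floor is raised all
    the way to TLS 1.2, independently of whatever the cipher string says."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(spec)
    return ctx


if __name__ == "__main__":
    for spec in (JURGEN_SIMPLE, JURGEN_FS):
        report = audit_cipher_spec(spec)
        print(f"{spec}: {report['count']} suites, RC4={report['has_rc4']}, "
              f"DHE={report['has_edh']}, FS-only={report['forward_secrecy_only']}")
    before, after, n = protocol_floor_after_cipher_string("ALL:-SSLv3")
    print(f"ALL:-SSLv3 leaves {n} legacy suites; protocol floor {before} -> {after}")
```

Two caveats when reading the thread's test output against this. First, the `SSL_CTX_new:null ssl method passed` error Dave got from `openssl s_client -ssl3` comes from the client side: that OpenSSL build has no SSLv3 method compiled in, so no connection to the load balancer was even attempted, and the output says nothing about whether the server still accepts SSLv3. A protocol probe is only meaningful when the probing tool itself supports the protocol. Second, recent Python releases may already set a TLS 1.2 floor on new contexts, so `protocol_floor_after_cipher_string` reports the same floor before and after on any interpreter; the point is that the cipher string did not change it.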