On the current 3.10.1 you will never get beyond A- because it lacks forward secrecy on the reference browsers. You need EECDH for that and the installed pound version does not support that.

On the latest pound you can easily fix that and go to A. To get to A+ you need to support all reference browsers, which means you have to add the optimal ciphers for the missing browsers, make sure they are at the end, and make sure HonorCipherOrder is on so the newer browsers don't downgrade security. As I said, it needs lots of testing/tweaking. For me it is not worth the time just to get from A to A+.

Jurgen.
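The two things this message turns on, whether every enabled suite does an ephemeral (EC)DH exchange and whether any non-FS suites sit at the end of the server-preference list, can be checked offline against the local OpenSSL instead of by repeated SSL Labs runs. The following is an added example, not code from the thread or from pound/ZLB; it uses Python's ssl module (3.6+) to expand a cipher string exactly as OpenSSL does and generalises beyond the two strings quoted in this thread to any string you pass it. The names check_forward_secrecy and expand_cipher_string are mine.

```python
import ssl

# Key-exchange methods that give forward secrecy. "kx-any" is what OpenSSL
# reports for TLS 1.3 suites, which always use an ephemeral (EC)DH exchange.
FORWARD_SECRET_KX = ("kx-ecdhe", "kx-dhe", "kx-any")


def expand_cipher_string(cipher_string):
    """Return the suites OpenSSL enables for cipher_string, in server
    preference order, as the dicts produced by SSLContext.get_ciphers()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def has_forward_secrecy(cipher):
    """True if this suite uses an ephemeral key exchange."""
    kea = cipher.get("kea") or ""
    desc = cipher.get("description", "")
    # Belt and braces: the long name of the key-exchange NID, or the
    # Kx= field of the textual description OpenSSL prints.
    return kea.startswith(FORWARD_SECRET_KX) or any(
        tag in desc for tag in ("Kx=ECDH", "Kx=DH", "Kx=any"))


def check_forward_secrecy(cipher_string):
    """Return (all_fs, non_fs_names, trailing_ok).

    all_fs       - every enabled suite offers forward secrecy
    non_fs_names - suites that do not, in the order the server prefers them
    trailing_ok  - the non-FS suites (if any) all come after the FS ones, so
                   with the server's cipher order honoured a modern client
                   never lands on one merely because the list was ordered badly
    """
    suites = expand_cipher_string(cipher_string)
    fs_flags = [has_forward_secrecy(c) for c in suites]
    non_fs = [c["name"] for c, fs in zip(suites, fs_flags) if not fs]
    # The non-FS block must be a suffix: once a non-FS suite appears,
    # no FS suite may follow it.
    seen_non_fs = False
    trailing_ok = True
    for fs in fs_flags:
        if not fs:
            seen_non_fs = True
        elif seen_non_fs:
            trailing_ok = False
            break
    return (not non_fs, non_fs, trailing_ok)


if __name__ == "__main__":
    # The two strings from this thread: the A- one and the A one.
    for s in ("DEFAULT:!EDH:!RC4", "AES256+EECDH:AES256+EDH:!NULL"):
        all_fs, non_fs, trailing_ok = check_forward_secrecy(s)
        print(f"{s}: all FS={all_fs}, non-FS last={trailing_ok}, "
              f"first non-FS={non_fs[:5]}")
```

The result for a string is only as good as the OpenSSL your Python links against, so run it on the load balancer itself (or a box with the same OpenSSL) rather than on a workstation with a newer library.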


On 27/10/2016 9:16, Emilio Campos wrote:
What is the reason for the A- in SSL Labs?

We have been experiencing downgrades in security level because HSTS is not supported by default in pound (Debian package)

As Jurgen said, "You can probably get to A+ if you have lots of time to spare to tweak it to the max." The issue is that if you want to keep an A+ over time you have to work to maintain this security level; that is not a direct task of load balancing, it is more a complementary feature. In my point of view this should be done by the administrator, not the developer; we have enabled the Ciphers section in order to help with the maintenance task.

If you think some additional feature can make this maintenance task easier, please let us know.

Regards!

2016-10-26 13:47 GMT+02:00 Jurgen Schepers <jurgen.schep...@chapoo.com <mailto:jurgen.schep...@chapoo.com>>:

    I'm using 3.10.1 with that cipher string and I use ssllabs to
    test. It clearly shows that SSLv3 is disabled and the result is
    A-. I checked the pound config file and it has the DisableSSLv3
    option set just above the cipher string. I can't remember putting
    that there myself
    (/usr/local/zenloadbalancer/config/YourFarm_pound.cfg). I did
    quite some testing so it is possible it was a manual change but
    not that I can remember.

    If you really need higher scores another thing you can do is set up
    a clean minimal CentOS, from EPEL install pound and copy over the
    config from zen to CentOS. Things to keep in mind: different file
    location (/etc/pound.cfg), need to open the firewall, need to set up
    failover, and that SSLv3 option changed in the latest release so now
    put "Disable SSLv2" and "Disable SSLv3". That way I got it to A,
    also allowing forward secrecy so you get iOS support, with this
    string: AES256+EECDH:AES256+EDH:!NULL. You can probably get to A+
    if you have lots of time to spare to tweak it to the max.
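A pound ListenHTTPS block that puts the above into practice, as an added example (not a config from this thread, nor from the pound or ZLB projects). Directive names follow the pound 2.7 man page; the listen address, certificate path and backend are placeholders, and the cipher string is the one quoted in this message. The older single-keyword form of the SSLv3 switch that the ZLB 3.10 config used is shown commented out beside the current form.

```conf
# Added example pound.cfg fragment. Addresses, paths and the backend are
# assumptions; adjust them for your farm.
ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/etc/pound/site.pem"

    # Old pound (as shipped with ZLB 3.10) took a single keyword:
    #   DisableSSLv3
    # Current pound takes one protocol per Disable line:
    Disable SSLv2
    Disable SSLv3
    # Disable TLSv1      # uncomment once no client still needs it

    # EECDH/EDH-only string from the message above: every suite offers
    # forward secrecy, so there is no non-FS fallback to keep at the end.
    Ciphers "AES256+EECDH:AES256+EDH:!NULL"

    # Honour the server's order so a client cannot pick a weaker suite
    # just because it lists that one first.
    SSLHonorCipherOrder 1

    # Curve for the ECDHE exchange (pound 2.7 and later).
    ECDHCurve "prime256v1"

    # HSTS is not something this pound version can add to responses; the
    # backend has to send the Strict-Transport-Security header itself.
    Service
        BackEnd
            Address 10.0.0.10
            Port    80
        End
    End
End
```

After editing, `pound -c -f /etc/pound.cfg` parses the file without starting the daemon, which catches a keyword the installed version does not know (such as using the new Disable syntax on an old pound) before you restart a live farm.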


    On 26/10/2016 13:17, David Byrne wrote:

    Hi Jurgen,

    I’m intrigued to know how? I can’t use public SSL testers due to
    the staging environment not being public facing. However I am
    testing with a direct openssl connection, and using your cipher
    string, I am able to establish handshake on SSLv3, TLSv1, 1.1 and
    1.2. So I can’t imagine any reputable SSL tester would grade an
    SSL endpoint an A- whilst still offering SSLv3 and TLSv1 connections?

    Best Regards,
    Dave Byrne
    Head of Technical Projects

    Office: 01622 524 200
    The Maidstone Studios | Vinters Business Park | New Cut Road | Maidstone | Kent | ME14 5NZ
    https://www.vooservers.com/

    ------------------------------------------------------------------------
    This communication and any attachments contain information which
    is confidential and may also be privileged. It is for the
    exclusive use of the intended recipient(s). If you are not the
    intended recipient(s) please note that any form of disclosure,
    distribution, copying or use of this communication or the
    information in it or in any attachments is strictly prohibited
    and may be unlawful. If you have received this communication in
    error, please return it with the title 'received in error' to
    david.by...@vooservers.com <mailto:david.by...@vooservers.com>
    then delete the email and destroy any copies of it. Email
    communications cannot be guaranteed to be secure or error free,
    as information could be intercepted, corrupted, amended, lost,
    destroyed, arrive late or incomplete, or contain viruses. We do
    not accept liability for any such matters or their consequences.
    Anyone who communicates with us by email is taken to accept the
    risks in doing so. Opinions, conclusions and other information in
    this email and any attachments which do not relate to VooServers
    are neither given nor endorsed by it.

    From: Jurgen Schepers [mailto:jurgen.schep...@chapoo.com]
    Sent: 26 October 2016 11:19
    To: zenloadbalancer-support@lists.sourceforge.net
    Subject: Re: [Zenloadbalancer-support] Cipher String to Drop SSLv3 Protocol in ZLB 3.10

    Using the latest community zen without package updates I can get
    to A- with this simple cipher string:

    DEFAULT:!EDH:!RC4

    Jurgen.

    On 26/10/2016 11:50, Koen Gysemans wrote:

        Hello David,

        I found
        http://sysadminosaurus.blogspot.be/2014/07/zen-load-balancer-303-perfomance-and_9.html
        a useful article to upgrade and get the SSL rating up.

        However I didn't get past a B rating.

        Kind regards,

        Koen Gysemans

        2016-10-26 11:26 GMT+02:00 David Byrne
        <david.by...@vooservers.com <mailto:david.by...@vooservers.com>>:

            Hi all,

            I'm trying to drop support for outdated ciphers/protocols
            within ZLB3.10. The client was previously running 3.04;
            however this ran OpenSSL 0.9.8, so it did not support
            anything greater than TLSv1 (which I also want to drop
            support for).

            I have created 2 new LBs running ZLB3.10; as you know
            these are a Debian Jessie base (kernel 3.16) and run
            OpenSSL 1.0.1k (and support up to TLSv1.2, which is good).

            For various reasons, we need to offload the SSL at the
            LB, so we need to run HTTP farms, as opposed to just
            using L4xNAT farms and terminating the SSL Cert at the
            LB. Within the HTTP farms, I have tried the following
            Cipher Strings to drop SSLv3 and TLSv1 support:

            
-*ALL:!MD5:!ADH:RC4+RSA:+HIGH:+EXP:+eNULL:-SSLv2:-SSLv3:-TLSv1:-MEDIUM:-LOW*

            -*ALL:!MD5:!ADH:+HIGH:-SSLv2:-SSLv3:-TLSv1:-MEDIUM:-LOW*

            -*ALL:!MD5:!ADH:+HIGH:-SSLv2:-SSLv3:-TLSv1*

            -*And various other combinations of things to try and
            remove SSLv3 support.*

            I’ve somehow managed to get it to refuse to handshake on
            TLSv1 and 1.1, which is fine I guess. I was only trying
            to remove support for TLSv1, but that’s fine. My main
            issue is SSLv3 won’t go away… No matter what I try. If I
            force an SSLv3 connection from a neighbouring host in the
            test environment, I get the following:

            [root@testvm]# openssl s_client -connect 10.10.xx.xx:443 -ssl3
            14067300137923:error:140A90C4:SSL routines:SSL_CTX_new:null ssl method passed:ssl_lib.c:1878
            [root@testvm]#

            (Internal IP redacted for security, but it’s the virtual
            IP that the HTTP(s) farm is bound to on the LB)

            Is the above saying it handshaked on SSLv3? Other places
            on the internet suggest I should get an outright
            handshake error (like I do with TLSv1 for example);
            an example of a refused TLSv1 handshake is below.
            Interestingly, the TLSv1 handshake failure does state it
            tried to use SSLv3 routines, but failed (this sounds good?):

            [root@testvm]# openssl s_client -connect 10.10.xx.xx:443 -tls1
            14006743093982:error:1409E0E5:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
            ---
            No peer certificate available
            ---
            [snip]
            [root@testvm]#

            Any advice appreciated. Thanks.

            Best Regards,
            Dave Byrne
            Head of Technical Projects

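The two openssl outputs in this post mean different things, and telling them apart is the whole question. "null ssl method passed" comes out of SSL_CTX_new before any packet is sent: the client's own OpenSSL has no SSLv3 method compiled in, so that run says nothing about the load balancer. "sslv3 alert handshake failure ... alert number 40" is an alert the server sent back, i.e. a real refusal. The following is an added example, not code from the thread or from ZLB: a small Python helper that classifies `openssl s_client` output into those cases (plus the protocol_version alert newer servers send and a completed session), and a probe() wrapper that runs s_client once per protocol flag against a host you name. The sample outputs are constructed from the lines quoted in this post plus a typical successful session block; classify_s_client and probe are my names.

```python
import re
import subprocess

# Outcome labels
CLIENT_UNSUPPORTED = "client-unsupported"  # client OpenSSL cannot even try
SERVER_REFUSED = "server-refused"          # server rejected this version
ACCEPTED = "accepted"                      # handshake completed
UNKNOWN = "unknown"

# Lines from the "SSL-Session:" block that s_client prints on success.
_SESSION_PROTO = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
_SESSION_CIPHER = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)


def classify_s_client(output):
    """Classify the combined stdout+stderr of `openssl s_client -<proto>`.

    Returns (outcome, detail). Order matters: an explicit client-side
    failure or a server alert is decisive; only then do we look for a
    completed session.
    """
    if "null ssl method passed" in output:
        # SSL_CTX_new got a NULL method: the client library was built
        # without that protocol, so nothing reached the server.
        return CLIENT_UNSUPPORTED, "client library has no such protocol method"
    if re.search(r"alert handshake failure|alert number 40", output):
        return SERVER_REFUSED, "server sent handshake_failure (alert 40)"
    if re.search(r"alert protocol version|alert number 70", output):
        return SERVER_REFUSED, "server sent protocol_version (alert 70)"
    proto = _SESSION_PROTO.search(output)
    cipher = _SESSION_CIPHER.search(output)
    # A refused handshake still prints a session block with Cipher : 0000,
    # so require a real cipher before calling it accepted.
    if proto and cipher and cipher.group(1) != "0000":
        return ACCEPTED, f"{proto.group(1)} with {cipher.group(1)}"
    first = output.strip().splitlines()
    return UNKNOWN, first[0] if first else ""


def probe(host, port, flags=("-ssl3", "-tls1", "-tls1_1", "-tls1_2")):
    """Run openssl s_client once per protocol flag and classify each run.

    Needs the openssl binary on PATH; a client built without a protocol
    shows up as CLIENT_UNSUPPORTED rather than as a verdict on the server.
    """
    results = {}
    for flag in flags:
        proc = subprocess.run(
            ["openssl", "s_client", "-connect", f"{host}:{port}", flag],
            stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT, timeout=15, text=True, check=False)
        results[flag] = classify_s_client(proc.stdout)
    return results


# Constructed samples: the two error texts quoted in this post, and a
# successful session block in the shape s_client prints it.
SAMPLES = {
    "-ssl3": (
        "14067300137923:error:140A90C4:SSL routines:SSL_CTX_new:"
        "null ssl method passed:ssl_lib.c:1878\n"),
    "-tls1": (
        "14006743093982:error:1409E0E5:SSL routines:ssl3_read_bytes:"
        "sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40\n"
        "---\nNo peer certificate available\n---\n"),
    "-tls1_2": (
        "CONNECTED(00000003)\n---\nSSL-Session:\n"
        "    Protocol  : TLSv1.2\n"
        "    Cipher    : ECDHE-RSA-AES256-GCM-SHA384\n"
        "    Session-ID: 5A3C\n"),
}


if __name__ == "__main__":
    for flag, text in SAMPLES.items():
        print(flag, *classify_s_client(text))
```

To test a non-public staging farm, run probe("10.10.xx.xx", 443) from a host inside the test network; if -ssl3 comes back as client-unsupported, repeat that one flag from a client whose OpenSSL still has SSLv3 built in (or use a dedicated scanner), because only a server alert proves the protocol is off.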



_______________________________________________
Zenloadbalancer-support mailing list
Zenloadbalancer-support@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support