According to "ANNOUNCE: Pound – reverse proxy and load balancer – v2.7d" by Robert Segall, the following enhancement was added:
- added "Disable PROTO" directives (fix for Poodle vulnerability)
My system:
[root@6svprx01 ~]# uname -a
Linux 6svprx01.XXX.org 2.6.32-504.el6.x86_64 #1 SMP Tue Sep 16 01:56:35 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@6svprx01 ~]# rpm -q Pound
Pound-2.6-2.el6.x86_64
[root@6svprx01 ~]# grep Ciphers /etc/pound.cfg
Ciphers "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM"
[root@6svprx01 ~]#
… to address POODLE (SSLv3), I added !SSLv3 into Ciphers.
Yet when I test with Qualys SSL Labs - Projects / SSL Server Test, I get "Protocol or cipher suite mismatch" in Handshake Simulation.
Is there a way to address this WITHOUT upgrading to Pound v2.7d (beta) and then using new directives?
Best Answer
One can use goochjj/pound at the pcidss/v2.6 branch, which is Pound 2.6 plus the cipher and protocol patches necessary (initially) to pass PCI compliance; part of that is the directive to disable SSL3.
* UPDATE *
DisableSSLv3 appears to be an unknown directive when using non-patched Version 2.6; use -SSLv3:-SSLv2 inside of Ciphers.