
Restricting SSL Protocol
mark.potter(at)academy.com
2007-11-08 18:14:27
I have been handed a requirement to disable SSLv2 as well as all weak 
encryption on our servers. We use Pound as a reverse SSL proxy and I have 
yet to find the directives by which this would be done. On Apache it is 
done with the SSLProtocol and SSLCipherSuite. Please advise, if at all 
possible, how this would be accomplished for pound. I need to explicitly 
disallow SSLv2 and either exclude all weak/low encryption or allow only 
SSL_RSA_RC4_128_MD5, SSL_RSA_RC4_128_SHA, SSL_DHE_RSA_W. Thank you in 
advance for any and all help regarding this matter.

Best Regards,

Mark L. Potter
Systems Engineer
Academy Sports & Outdoors

Re: [Pound Mailing List] Restricting SSL Protocol
Kenneth Burgener <kenneth(at)mail1.ttak.org>
2007-11-08 21:26:34
mark.potter(at)academy.com wrote: [...]

Use the Ciphers directive.  For example, to allow only TLSv1 and SSLv3
you could use something like this:

ListenHTTPS
    ...
    Ciphers "TLSv1+SSLv3"


For more information, see the man page for pound:
 $ man pound
 ...
 Ciphers "acceptable:cipher:list"
   This is the list of ciphers that will be accepted by the
   SSL connection; it is a string in the same format as
   in OpenSSL ciphers(1) and SSL_CTX_set_cipher_list(3).


Kenneth
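The Ciphers directive hands the string straight to OpenSSL, and keywords such as SSLv3 and TLSv1 inside that string are cipher-list groups (with "+" meaning "in both groups"), not protocol switches, so the useful check is to expand the string on the OpenSSL build Pound is linked against and look at what actually survives. The following is an added example, not code from the Pound project or from either poster: it pulls every Ciphers value out of a constructed pound.cfg and expands each through Python's ssl module (assumed to be built against the same OpenSSL that Pound uses), flagging SSLv2 suites, RC4/MD5/NULL/export/anonymous suites, and anything OpenSSL rates below 128 bits. The policy constants, the sample config and the hardened cipher string are the example's own choices, not Pound defaults.

```python
"""Audit the Ciphers directive of a Pound config by expanding it with OpenSSL.

Added example, not code from the Pound project or from the list posters.
Assumptions: Python's ssl module is linked against the same OpenSSL the
cipher string will later be handed to, and the policy constants below are
the reviewer's own choices, not Pound defaults.
"""
import re
import ssl

# Constructed sample config in Pound's syntax: one listener carrying the
# kind of RC4 string a 2007-era request might produce, one hardened.
SAMPLE_POUND_CFG = """\
ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/etc/pound/legacy.pem"
    Ciphers "RC4-MD5:RC4-SHA"
    Service
        BackEnd
            Address 127.0.0.1
            Port    8080
        End
    End
End

ListenHTTPS
    Address 0.0.0.0
    Port    8443
    Cert    "/etc/pound/hardened.pem"
    Ciphers "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXP:!LOW:@STRENGTH"
    Service
        BackEnd
            Address 127.0.0.1
            Port    8080
        End
    End
End
"""

# Policy (our choice): protocols and name fragments that must not survive
# expansion, and the minimum effective key strength OpenSSL reports.
BANNED_PROTOCOLS = {"SSLv2"}
BANNED_FRAGMENTS = ("RC4", "MD5", "NULL", "EXP", "ADH", "AECDH", "DES-CBC")
MIN_STRENGTH_BITS = 128

# Matches a Ciphers "..." line anywhere in the config, file order preserved.
CIPHERS_RE = re.compile(r'^\s*Ciphers\s+"([^"]*)"', re.MULTILINE)


def ciphers_directives(cfg_text):
    """Return every Ciphers value found in a Pound config, in file order."""
    return CIPHERS_RE.findall(cfg_text)


def expand_cipher_spec(spec):
    """Expand an OpenSSL cipher string to the suites it actually selects.

    Returns a list of (name, protocol, strength_bits). An empty list means
    OpenSSL could select nothing, which leaves the listener nothing to offer.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


def audit_cipher_spec(spec):
    """Return a list of findings for one cipher string; empty means it passes."""
    suites = expand_cipher_spec(spec)
    if not suites:
        return ["expands to no usable cipher on this OpenSSL build"]
    findings = []
    for name, proto, bits in suites:
        if proto in BANNED_PROTOCOLS:
            findings.append(f"{name}: protocol {proto} is banned")
        if any(frag in name for frag in BANNED_FRAGMENTS):
            findings.append(f"{name}: weak, export or anonymous suite")
        if bits < MIN_STRENGTH_BITS:
            findings.append(f"{name}: only {bits} bits")
    return findings


def audit_pound_config(cfg_text):
    """Map each Ciphers directive in the config to its findings."""
    return {spec: audit_cipher_spec(spec) for spec in ciphers_directives(cfg_text)}


if __name__ == "__main__":
    for spec, findings in audit_pound_config(SAMPLE_POUND_CFG).items():
        status = "OK" if not findings else "FAIL"
        print(f'[{status}] Ciphers "{spec}"')
        for finding in findings:
            print("   ", finding)
```

Run as a script it prints one FAIL line for the RC4 listener and one OK line for the hardened one. A string that expands to nothing at all is reported as a finding too, which is what happens with names like RC4-MD5 on an OpenSSL built without weak ciphers; checking the expansion on the real host catches that before the listener is deployed with a list it cannot use.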
