You probably want to do something more like:

Ciphers "HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"

But that should pretty much do it.

Maybe try the tester at https://www.ssllabs.com/ssldb/index.html  and see what it says about your sslv2 support.


There’s an option that can be set in the pound code (SSL_OP_NO_SSLv2)…  But I’m not sure if it’s going to help or not.  If you want to try it, open config.c and replace all instances of SSL_OP_ALL with SSL_OP_ALL|SSL_OP_NO_SSLv2

Otherwise, you may want to try compiling openssl without sslv2 support.  (http://adamyoung.net/Disable-SSLv2-System-Wide)   I believe ubuntu does this as part of their distro.  (which is making it harder for me to test, because my libraries don’t support sslv2 anyway)

Let me know what you find!

Joe

From: Robert Hicks [mailto:rob@hixfamily.org]
Sent: Monday, November 28, 2011 11:57 AM
To: pound@apsis.ch
Subject: [Pound Mailing List] Disabling SSLv2

All, 

I'm new to the list but have been using Pound for several years.

I'm trying to get Pound to pass PCI/DSS. 

My scanning vendor is failing it, indicating that SSLv2 is enabled. My Ciphers parameter in pound.cfg is as follows:

ListenHTTPS
    Address 0.0.0.0
    Port    443
        Cert    "/etc/contractpal.net.pem"
        Err414  "/etc/pound_414.html"
        Err500  "/etc/pound_500.html"
        Err501  "/etc/pound_501.html"
        Err503  "/etc/pound_503.html"
        Ciphers "-ALL +SSLv3 +TLSv1"

When I run a test to see if Pound is accepting SSLv2 connections, I get the following:

New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2

What do I need to do to disable SSLv2?

Rob
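Added here as an example, not code from this thread or from the Pound project: a small POSIX shell check that repeats the `openssl s_client` probe Rob ran (and that Joe suggests re-running after the Ciphers change) and grades the negotiated protocol the way a PCI scanner would. It assumes an `openssl` binary on the path; the host, port and protocol flag are caller-supplied, and the sample output is the one quoted in Rob's message.

```shell
#!/bin/sh
# Probe a TLS listener for legacy protocol support and grade the result.
# Note: -ssl2 exists only in OpenSSL builds compiled with SSLv2 support
# (the thread notes many distros remove it), so a missing flag is reported
# as a client-side SKIP, never as a server-side PASS.

# Extract the negotiated protocol from s_client output ("Protocol  : SSLv2").
negotiated_protocol() {
    # $1: captured s_client output; prints the protocol name or nothing
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1
}

# Verdict for a PCI DSS style check: any SSLv2/SSLv3 negotiation is a failure,
# an empty protocol means the server refused the handshake for that version.
grade_protocol() {
    case "$1" in
        SSLv2|SSLv3) echo "FAIL: server negotiated $1" ;;
        "")          echo "PASS: handshake refused" ;;
        *)           echo "PASS: negotiated $1" ;;
    esac
}

# Probe host:port forcing one protocol flag (-ssl2, -ssl3, -tls1, ...).
probe() {
    host=$1; port=$2; flag=$3
    if ! openssl s_client -help 2>&1 | grep -q -- "$flag"; then
        echo "SKIP: local openssl has no $flag support"
        return 0
    fi
    # 'Q' on stdin closes the session once the handshake has completed.
    out=$(printf 'Q\n' | openssl s_client "$flag" -connect "$host:$port" 2>/dev/null || true)
    grade_protocol "$(negotiated_protocol "$out")"
}

# Constructed sample: the s_client output quoted in Rob's message.
SAMPLE='New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
SSL-Session:
    Protocol  : SSLv2'

if [ "${1:-}" = "--self-test" ]; then
    grade_protocol "$(negotiated_protocol "$SAMPLE")"   # prints FAIL: server negotiated SSLv2
fi
```

Run `probe proxy.example.net 443 -ssl2` (then `-ssl3`) against the Pound listener after changing the Ciphers line to confirm the scanner finding is gone.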