You probably want to do something more like:
But that should pretty much do it.
Maybe try the tester at https://www.ssllabs.com/ssldb/index.html and see what it says about your SSLv2 support.
There’s an option that can be set in the pound code (SSL_OP_NO_SSLv2)… But I’m not sure if it’s going to help or not. If you want to try it, open config.c and replace all instances of SSL_OP_ALL with SSL_OP_ALL|SSL_OP_NO_SSLv2
Otherwise, you may want to try compiling OpenSSL without SSLv2 support (http://adamyoung.net/Disable-SSLv2-System-Wide). I believe Ubuntu does this as part of their distro (which is making it harder for me to test, because my libraries don’t support SSLv2 anyway).
Let me know what you find!
From: Robert Hicks [mailto:firstname.lastname@example.org]
Sent: Monday, November 28, 2011 11:57 AM
Subject: [Pound Mailing List] Disabling SSLv2
I'm new to the list but have been using Pound for several years.
I'm trying to get Pound to pass PCI/DSS.
My scanning vendor is failing it, indicating that SSLv2 is enabled. My Ciphers parameter in pound.cfg is as follows:
Ciphers "-ALL +SSLv3 +TLSv1"
When I run a test to see if Pound is accepting SSLv2 connections, I get the following:
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
What do I need to do to disable SSLv2?
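A way to re-check the test output quoted above after each configuration change, as an added example that is not part of the original thread: it parses output in the format the message shows (assumed here to come from `openssl s_client`) and reports whether an SSLv2 handshake was accepted. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the three result lines quoted in the thread.
SAMPLE_OUTPUT = """\
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
"""

# Protocol labels treated as failing; SSLv2 is the one the thread is about.
WEAK_PROTOCOLS = {"SSLv2"}

NEW_LINE = re.compile(r"^New, (?P<proto>[^,]+), Cipher is (?P<cipher>\S+)$")
KEY_LINE = re.compile(r"^Server public key is (?P<bits>\d+) bit$")
RENEG_LINE = re.compile(r"^Secure Renegotiation (?P<state>IS NOT|IS) supported$")


def parse_s_client(text):
    """Extract negotiated protocol, cipher, key size and renegotiation state."""
    result = {"protocol": None, "cipher": None, "key_bits": None, "secure_reneg": None}
    for line in text.splitlines():
        line = line.strip()
        if m := NEW_LINE.match(line):
            # "(NONE)" means the handshake failed, so nothing was negotiated.
            if m["cipher"] != "(NONE)":
                result["protocol"], result["cipher"] = m["proto"], m["cipher"]
        elif m := KEY_LINE.match(line):
            result["key_bits"] = int(m["bits"])
        elif m := RENEG_LINE.match(line):
            result["secure_reneg"] = m["state"] == "IS"
    return result


def findings(text):
    """Return a list of problems a scanner would flag in this output."""
    info = parse_s_client(text)
    problems = []
    if info["protocol"] in WEAK_PROTOCOLS:
        problems.append(f"{info['protocol']} handshake accepted ({info['cipher']})")
    if info["secure_reneg"] is False:
        problems.append("secure renegotiation not supported")
    return problems


if __name__ == "__main__":
    for problem in findings(SAMPLE_OUTPUT):
        print("FAIL:", problem)
```

A refused SSLv2 handshake shows up as `New, (NONE), Cipher is (NONE)`, which the parser treats as no protocol negotiated.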