Apsis Pound Mailing List archive, 2011-11
RE: [Pound Mailing List] Disabling SSLv2
Joe Gooch <mrwizard(at)k12system.com> | 2011-11-28 19:13:14
You probably want to do something more like:
Ciphers "HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"
But that should pretty much do it.
Maybe try the tester at https://www.ssllabs.com/ssldb/index.html
and see what it says about your sslv2 support.
There’s an option that can be set in the pound code (SSL_OP_NO_SSLv2)… But I’m
not sure if it’s going to help or not. If you want to try it, open config.c
and replace all instances of SSL_OP_ALL with SSL_OP_ALL|SSL_OP_NO_SSLv2
Otherwise, you may want to try compiling openssl without sslv2 support. (http://adamyoung.net/Disable-SSLv2-System-Wide)
I believe ubuntu does this as part of their distro. (which is making it
harder for me to test, because my libraries don’t support sslv2 anyway)
Let me know what you find!
Joe
From: Robert Hicks <rob(at)hixfamily.org>
Sent: Monday, November 28, 2011 11:57 AM
To: pound(at)apsis.ch
Subject: [Pound Mailing List] Disabling SSLv2
All,
I'm new to the list but have been using Pound for several years.
I'm trying to get Pound to pass PCI/DSS.
My scanning vendor is failing it, indicating that SSLv2 is enabled. My Ciphers
parameter in pound.cfg is as follows:
ListenHTTPS
    Address 0.0.0.0
    Port 443
    Cert "/etc/contractpal.net.pem"
    Err414 "/etc/pound_414.html"
    Err500 "/etc/pound_500.html"
    Err501 "/etc/pound_501.html"
    Err503 "/etc/pound_503.html"
    Ciphers "-ALL +SSLv3 +TLSv1"
When I run a test to see if Pound is accepting SSLv2 connections, I get the
following:
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv2
What do I need to do to disable SSLv2?
Rob
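As an added example (not code from the list or from the Pound project), the check Joe suggests doing with the SSL Labs tester can be scripted locally: drive `openssl s_client` with one forced protocol per run and parse the output the way a scanner would. The samples embedded in the script are constructed from Rob's s_client excerpt; the live probe assumes an `openssl` on PATH that still accepts -ssl2/-ssl3/-tls1.

```python
"""Added example, not code from the Pound list or project: script the SSLv2
check with `openssl s_client`, one forced protocol per run, and parse the
output the way a scanner would. Assumes an openssl binary on PATH that still
accepts -ssl2/-ssl3/-tls1 (0.9.8/1.0.x era; SSLv2 was removed in 1.1.0)."""
import re
import subprocess
from typing import Dict, List

# Constructed sample 1: the s_client excerpt from Rob's post.
SAMPLE_SSLV2 = """\
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
"""

# Constructed sample 2: a refused handshake. "Protocol : SSLv2" still shows
# up in the session block, so that line alone does not prove SSLv2 support.
SAMPLE_REFUSED = """\
CONNECTED(00000003)
error:ssl handshake failure (constructed; real text varies by build)
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
"""

# Constructed sample 3: a local openssl built without SSLv2 (as Joe says
# Ubuntu's is) rejects the flag instead of testing the server.
SAMPLE_NO_SSL2 = "s_client: Unknown option: -ssl2\n"

_NEW = re.compile(r"^New, (?P<proto>[^,]+), Cipher is (?P<cipher>\S+)", re.M)
_PROTO = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
_BITS = re.compile(r"^Server public key is (\d+) bit", re.M)
_RENEG = re.compile(r"^Secure Renegotiation IS (NOT )?supported", re.M)


def parse_s_client(output: str) -> Dict[str, object]:
    """Reduce s_client output to the facts that matter. A handshake counts as
    negotiated only if the "New, ..., Cipher is ..." line names a real cipher."""
    new = _NEW.search(output)
    cipher = new.group("cipher") if new else None
    negotiated = cipher is not None and cipher != "(NONE)"
    proto, bits, reneg = _PROTO.search(output), _BITS.search(output), _RENEG.search(output)
    return {
        "untestable": "unknown option" in output.lower(),  # flag rejected locally
        "negotiated": negotiated,
        "protocol": proto.group(1) if proto else None,
        "cipher": cipher if negotiated else None,
        "key_bits": int(bits.group(1)) if bits else None,
        "secure_renegotiation": (reneg.group(1) is None) if reneg else None,
    }


def assess(results: Dict[str, Dict[str, object]]) -> List[str]:
    """Scanner-style findings from {protocol label: parse_s_client(...)}."""
    findings = []
    for label, r in results.items():
        if r["untestable"]:
            findings.append("ERROR: local openssl cannot speak %s; test from a host whose build can" % label)
        if not r["negotiated"]:
            continue
        if label == "SSLv2":
            findings.append("FAIL: SSLv2 accepted (cipher %s)" % r["cipher"])
        elif label == "SSLv3":
            # Tolerated by PCI DSS in 2011; disallowed since PCI DSS 3.1 (2015).
            findings.append("WARN: SSLv3 accepted (cipher %s)" % r["cipher"])
        if r["secure_renegotiation"] is False:
            findings.append("WARN: %s without RFC 5746 secure renegotiation" % label)
    if not any(r["negotiated"] for r in results.values()):
        findings.append("ERROR: nothing negotiated; check host/port or the openssl build")
    return findings


def probe(host: str, port: int, flag: str, timeout: int = 15) -> Dict[str, object]:
    """Force one protocol (-ssl2, -ssl3, -tls1) and parse the result.
    Needs the network; not exercised by the offline checks."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port), flag]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    out = proc.stdout.decode("ascii", "replace") + proc.stderr.decode("ascii", "replace")
    return parse_s_client(out)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    flags = (("SSLv2", "-ssl2"), ("SSLv3", "-ssl3"), ("TLSv1", "-tls1"))
    report = assess({label: probe(host, 443, flag) for label, flag in flags})
    print("\n".join(report) or "PASS: SSLv2 refused, no other findings")
```

Run it as `python probe_sslv2.py your.host`. Two details matter for a PCI re-test: the "Protocol : SSLv2" line that Rob saw is printed even when the server refuses, so the script keys on the "New, ..., Cipher is ..." line instead; and an openssl built without SSLv2 (the situation Joe describes on Ubuntu) is reported as untestable rather than as a pass, because a client that cannot offer SSLv2 proves nothing about the server.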
RE: [Pound Mailing List] Pound CSRF vulnerability in redirects
Joe Gooch <mrwizard(at)k12system.com> | 2011-11-28 22:18:51
You can define a CheckURL directive to trap the invalid characters. (for
instance, I don't believe < or > can appear inline in a URL, it would
have to be % escaped)
http://stackoverflow.com/questions/1547899/which-characters-make-a-url-invalid
Thus you might want to include a line such as:
CheckURL "^[!#$&-;=?-[]_a-zA-Z~]+$"
(note the regex is based on the Leif Wickland responder... You might want to
check the &-; and ?-[ ranges, for instance. I take no responsibility for
correctness in your environment)
Given the URL you have supplied, the URL would throw a 500 error based on the "
in your request and the <> characters.
Joe
[...]
RE: [Pound Mailing List] Disabling SSLv2
Joe Gooch <mrwizard(at)k12system.com> | 2011-11-28 22:27:17
Glad to hear it!
Joe
From: Robert Hicks <rob(at)hixfamily.org>
Sent: Monday, November 28, 2011 4:25 PM
To: Joe Gooch
Subject: Re: [Pound Mailing List] Disabling SSLv2
Joe,
Your Ciphers suggestion worked.
Thanks!
Rob
On Mon, Nov 28, 2011 at 11:13 AM, Joe Gooch <mrwizard(at)k12system.com> wrote:
[...]
RE: [Pound Mailing List] AddHeader directive honored
Joe Gooch <mrwizard(at)k12system.com> | 2011-11-28 23:32:36
I agree this should be fixed... and your solution looks workable. Not sure if
Robert would rather a linked list, a char *[] array, or the resizing buffer...
Regardless we should be using the rm_eo-rm_so to determine length and probably
can use realloc instead of malloc.
The cookie generation patch was posted and should work for you, but has not
been merged into mainline.
Joe
[...]
RE: [Pound Mailing List] Pound CSRF vulnerability in redirects
Joe Gooch <mrwizard(at)k12system.com> | 2011-11-29 16:23:56
This may be more realistic... at least for most urls I've worked with. It's not
all-inclusive of every possible url pattern.
CheckURL "^[A-Za-z0-9\.\/]+(\?[A-Za-z0-9=\.&]*)?(;[A-Za-z0-9=\.&]*)?$"
Also note from looking at the code, it looks like CheckURL runs *after* URL
encoded expansion. Which means, if your url has a %3c in it, it'll be expanded
to <, and then checked against the regex, and get rejected. Which might not
be a problem for you.
Ultimately I think the solution is Pound needs to write the redirect page using
URL encoding for the href link, and maybe the word "here" for the link text.
(like, for instance, apache would) If it's going to write out the link text it
should be html entity encoded.
I passed the URLs you gave into apache and it had no problem printing an
appropriate redirect page, and/or attempting to find that type of file on the
filesystem.... so... yeah.
Joe
[...]
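As an added example (not code from Pound or from anyone on the list), the following covers both CheckURL posts and the redirect-page suggestion in this message: it runs the second CheckURL pattern over request paths after %-decoding (Joe's reading of the code, taken here as an assumption), and builds a redirect page with the href URL-encoded and fixed link text next to the naive concatenation it replaces. Python's `re` module stands in for Pound's POSIX regcomp/regexec; the pattern used stays inside the subset both engines read the same way.

```python
"""Added example, not code from Pound or from anyone on the list. It covers
the two CheckURL posts and the redirect-page suggestion: the CheckURL pattern
is run over request paths after %-decoding (Joe's reading of the code, taken
here as an assumption), and a redirect page is built with the href URL-encoded
and fixed link text beside the naive concatenation it replaces. Python's re
module stands in for Pound's POSIX regcomp/regexec."""
import html
import re
from urllib.parse import quote, unquote

# The second CheckURL pattern from the thread, as posted.
CHECK_URL = r"^[A-Za-z0-9\.\/]+(\?[A-Za-z0-9=\.&]*)?(;[A-Za-z0-9=\.&]*)?$"


def check_url(request_path: str, pattern: str = CHECK_URL) -> bool:
    """True if the %-decoded request path matches the anchored pattern, the
    way a regexec() on a ^...$ expression does. /x%3Cscript%3E decodes to
    /x<script> and is therefore rejected even though the raw bytes are
    all legal URL characters."""
    return re.match(pattern, unquote(request_path)) is not None


def redirect_page_naive(url: str) -> str:
    """Unsafe construction (the shape the thread complains about): the raw URL
    lands verbatim in the href and the link text, so " < > become markup."""
    return ('<html><head><title>Redirect</title></head><body>'
            '<a href="%s">%s</a></body></html>' % (url, url))


# Characters allowed to stay as-is in the href: those that structure a URL.
# '%' is kept so an already-encoded %3C is not turned into %253C.
_URL_SAFE = ":/?#[]@!$&'()*+,;=%-._~"


def encode_href(url: str) -> str:
    """Percent-encode everything outside the URL-structure set (" < > and
    CR/LF become %22 %3C %3E %0D %0A), then entity-encode for the attribute."""
    return html.escape(quote(url, safe=_URL_SAFE), quote=True)


def redirect_page_safe(url: str) -> str:
    """Safe construction as proposed on the list: encoded href, link text
    fixed to the word "here" so nothing from the request is shown as text."""
    return ('<html><head><title>Redirect</title></head><body>'
            '<a href="%s">here</a></body></html>' % encode_href(url))


def redirect_response(url: str, status: str = "302 Found") -> str:
    """Whole response: the percent-encoded URL (no entity encoding there) goes
    in Location, which also stops CR/LF in the path from injecting headers."""
    location = quote(url, safe=_URL_SAFE)
    body = redirect_page_safe(url)
    return ("HTTP/1.0 %s\r\nLocation: %s\r\nContent-Type: text/html\r\n"
            "Content-Length: %d\r\n\r\n%s" % (status, location, len(body), body))
```

Two things worth checking before copying the CheckURL line into a production pound.cfg: as posted, the character classes admit neither `-` nor `_`, so a path such as /my-page.html is rejected, and because the match is applied after decoding, anything a client sends as %2F, %3F or %3B is judged as the decoded character. Run the pattern over a day of access logs first. The encoding side keeps `%` in the safe set so that an already-encoded URL is not double-encoded; a stray literal `%` in a request is passed through as-is, which is the trade-off of that choice.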
RE: [Pound Mailing List] Pound CSRF vulnerability in redirects
Joe Gooch <mrwizard(at)k12system.com> | 2011-11-29 19:03:06
It works for me here in testing... Are you linked against pcreposix?
Even so, yeah if you have the time, patches against http.c redirect_reply()
would probably be the best solution.
Joe
[...]
RE: [Pound Mailing List] Pound CSRF vulnerability in redirects
Joe Gooch <mrwizard(at)k12system.com> | 2011-11-29 19:32:49