
Pound POODLE patches
Joe Gooch <mrwizard(at)k12system.com>
2014-10-16 17:03:23
Both pcidss/v2.6 and stage_for_upstream/v2.7c have been updated with
patches that implement config options for
DisableSSLv3
DisableTLSv10
DisableTLSv11
DisableTLSv12
(if I was going to do one, I might as well do them all)

In addition there's a backend config option
TLSFallbackSCSV


Each option is only available to you if your OpenSSL library supports it.

My research on TLS_FALLBACK_SCSV is that the client has to set this in
their Hello header.  The server just processes that as part of the
handshake.  That's why there's only an option for HTTPS backends to use
it - the case when pound is the client.  HTTPS Listeners should
implicitly use this option if it's baked into your openssl library.

Stage for upstream branch:
https://github.com/goochjj/pound/tree/stage_for_upstream/v2.7c
Zip here:
https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7c.zip

PCIDSS branch:
https://github.com/goochjj/pound/tree/pcidss/v2.6
Zip here:
https://github.com/goochjj/pound/archive/pcidss/v2.6.zip


Please test and let me know if you have any issues.

Joe
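The server-side handling described in the message (the client lists TLS_FALLBACK_SCSV among its cipher suites in the ClientHello; the server decides during the handshake whether that signals an inappropriate downgrade) can be modelled in a few lines. This is an added example, not code from Pound, OpenSSL or Joe's branches: it builds ClientHello records inline (constructed sample messages), parses the version and cipher-suite list back out with a deliberately simplified parser (single record, no extensions), and applies the RFC 7507 server rule. The function names `build_client_hello`, `parse_client_hello` and `server_decision` are this example's own.

```python
import struct

# RFC 7507 signalling cipher suite value (0x56, 0x00)
TLS_FALLBACK_SCSV = 0x5600
# Protocol version numbers as carried in the ClientHello
SSLV3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSLV3: "SSLv3", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}
HANDSHAKE, CLIENT_HELLO = 22, 1


def build_client_hello(client_version, suites, client_random=b"\x00" * 32):
    """Construct a minimal ClientHello record (no session id, no extensions)."""
    body = struct.pack("!H", client_version) + client_random
    body += b"\x00"  # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: content type, record-layer version, length
    return struct.pack("!BHH", HANDSHAKE, TLS10, len(handshake)) + handshake


def parse_client_hello(record):
    """Extract client_version and the cipher-suite list from a ClientHello record."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    client_version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32  # skip client_random
    sid_len = hello[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0]
              for i in range(0, cs_len, 2)]
    return {"client_version": client_version, "cipher_suites": suites}


def server_decision(hello, server_max_version):
    """RFC 7507 section 3: a server that supports a version higher than the one
    the client offered, and sees TLS_FALLBACK_SCSV, must abort with the
    inappropriate_fallback alert. A hello without the SCSV is left alone so
    that genuinely old clients still connect."""
    if (TLS_FALLBACK_SCSV in hello["cipher_suites"]
            and hello["client_version"] < server_max_version):
        return "inappropriate_fallback"
    return "continue"


if __name__ == "__main__":
    # A client that has retried at TLS 1.0 and signals the fallback
    downgraded = build_client_hello(TLS10, [0x002F, TLS_FALLBACK_SCSV])
    # A legacy client that only speaks TLS 1.0 and sends no SCSV
    legacy = build_client_hello(TLS10, [0x002F])
    for label, rec in (("downgraded", downgraded), ("legacy", legacy)):
        h = parse_client_hello(rec)
        print(label, VERSION_NAMES[h["client_version"]],
              server_decision(h, TLS12))
```

Only the server that supports a higher version than the one offered refuses: a backend whose maximum is TLS 1.0 accepts the same downgraded hello, which is why the SCSV is set by the connecting side (Pound's HTTPS backends in this patch) and evaluated by whatever OpenSSL version the listener side is built against.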
