
RE: [Pound Mailing List] Avoid [i hope] Crime vulnerability on 2.7f upstream
"Jacob Anderson" <jwa(at)beyond-ordinary.com>
2015-08-12 20:14:45
Thanks again Ralph for this great post. Just a little notice about the OpenSSL
install from make. When you use the "/usr" prefix, that tells OpenSSL to
install the binaries into the standard locations - /usr/local/lib, /usr/lib,
etc. Even though you specify the openssldir option, the prefix takes precedence.

This becomes a problem if you are testing a new version of OpenSSL with a new
Pound on a system that has OpenSSL installed via yum.

So you should forgo the /usr prefix and just use openssldir when you build the
OpenSSL distro. Then when you use the --with-ssl option in the Pound
configure, it will get the correct libraries.

The Pound "configure" assumes that the OpenSSL libraries are in
--with-ssl/lib, which they will not be if you specify prefix=/usr when you
install OpenSSL from the distro.

I figured this out after a couple of hours of getting missing symbol errors on
an old CentOS 5 system.

Thanks Ralph!!

[...]
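
Jacob's build order, written out as a script. This is an added example, not code from his post or from the Pound or OpenSSL projects; the prefix /opt/openssl-1.0.1p, the source directories and the Pound 2.7f tree are assumptions. It relies on documented OpenSSL 1.0.x Configure behaviour: when no --prefix is given, the openssldir is also used as the install prefix, so bin/, lib/ and include/ all land under it and never touch the yum copy in /usr/lib. The check_linked_ssl function is the test that would have saved the couple of hours: it reads ldd output and fails unless both libssl and libcrypto resolve to files under the private prefix.

```shell
#!/bin/sh
# Added example, not code from the thread: build OpenSSL under a private
# prefix, point Pound's configure at it, and verify which libssl/libcrypto
# the resulting binary actually resolves. All paths below are assumptions.
SSL_PREFIX="${SSL_PREFIX:-/opt/openssl-1.0.1p}"
OPENSSL_SRC="${OPENSSL_SRC:-$HOME/src/openssl-1.0.1p}"
POUND_SRC="${POUND_SRC:-$HOME/src/pound-2.7f}"

# OpenSSL 1.0.x: with no --prefix, Configure uses the openssldir as the
# install prefix, so bin/, lib/, include/ and ssl/ all land under it and
# never collide with the yum-installed copy in /usr/lib. 'shared' builds
# libssl.so/libcrypto.so; 'no-comp' compiles TLS compression out of the
# library entirely, which removes the CRIME finding regardless of Pound.
build_openssl() {
  ( cd "$OPENSSL_SRC" &&
    ./config --openssldir="$SSL_PREFIX" shared no-comp &&
    make && make install )
}

# Pound's configure expects $dir/include and $dir/lib under --with-ssl.
# The rpath lets the binary find the private .so at runtime without
# LD_LIBRARY_PATH games in an init script.
build_pound() {
  ( cd "$POUND_SRC" &&
    LDFLAGS="-Wl,-rpath,$SSL_PREFIX/lib" ./configure --with-ssl="$SSL_PREFIX" &&
    make )
}

# Read 'ldd <binary>' output on stdin; succeed only if both libssl and
# libcrypto resolve to files under $1. Any libssl/libcrypto line that points
# elsewhere (or reads "not found") fails immediately.
check_linked_ssl() {
  want="$1"; found=0
  while read -r line; do            # default IFS strips ldd's leading tab
    case "$line" in
      libssl.so*|libcrypto.so*) ;;
      *) continue ;;
    esac
    path=${line#* => }              # "lib => /path/lib.so (0x...)" -> path
    path=${path%% *}
    case "$path" in
      "$want"/*) found=$((found + 1)) ;;
      *) printf 'wrong library: %s\n' "$line" >&2; return 1 ;;
    esac
  done
  [ "$found" -eq 2 ]
}

case "${1:-}" in
  build) build_openssl && build_pound ;;
  check) ldd "$POUND_SRC/pound" | check_linked_ssl "$SSL_PREFIX" ;;
esac
```

Run it as `sh build.sh build` and then `sh build.sh check`. The no-comp option is there because compiling compression out of OpenSSL is the one way to clear the CRIME finding discussed later in the thread that does not depend on a Pound patch. In OpenSSL 1.1.0 and later the default prefix is /usr/local regardless of openssldir, so there --prefix has to be passed explicitly.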

Re: [Pound Mailing List] Crime vulnerability on 2.7f upstream
Emilio Campos <emilio.campos.martin(at)gmail.com>
2015-08-17 17:19:05
Hi Joe, we have been playing with your recommended URL and we haven't
obtained an A+ in any way; on the other hand, we have applied Frank's patch:

http://www.apsis.ch/pound/pound_list/archive/2014/2014-09/1411468078000

for your pound2.8a and we have received an A+ from SSL Labs.

Currently we haven't found any way of obtaining this result without applying it.

Thanks and regards



2015-07-10 20:32 GMT+02:00 Joe Gooch <joseph.gooch(at)k12system.com>:
[...][...]
>>>
>>> Thanks, I'm guessing that there must be an additional patch in v2.7 that I've not used in our build
>>>
>>> Time to do some more testing I guess.
>>>
>>>
>>>
>>>
>>> On 10 July 2015 at 09:20, Miroslav Danek <danek(at)onebit.cz> wrote:
>>>
>>>> Hi Scott,
>>>>
>>>> i use stable 2.7, CentOS 6.6 + openssl 1.0.1e
>>>>
>>>>
>>>> Mirek
>>>>
>>>> On 10. 7. 2015, at 9:56, Scott McKeown <scott(at)loadbalancer.org> wrote:
>>>>
>>>> Hi Mirek,
>>>>
>>>> What version of pound are you using for this? We have as of yet not been able to get FS with pound...
>>>>
>>>> On 10 July 2015 at 08:31, Miroslav Danek <danek(at)onebit.cz> wrote:
>>>>
>>>>> Hi Rick,
>>>>>
>>>>> i used this one:
>>>>>
>>>>> Disable SSLv3
>>>>> SSLAllowClientRenegotiation 0
>>>>> SSLHonorCipherOrder 1
>>>>> Ciphers "HIGH:!aNULL:!SSLv2:!ADH:!EXP:!eNULL:!RC4:MEDIUM:!LOW"
>>>>>
>>>>> Result A with FS.
>>>>>
>>>>> regards
>>>>> Mirek
>>>>>
>>>>> On 10. 7. 2015, at 9:07, Scott McKeown <scott(at)loadbalancer.org> wrote:
>>>>>
>>>>> Hi Rick,
>>>>>
>>>>> Your current Cipher list is very open; if you can give this one a go and let us know the report status (we get an A- with no FS)
>>>>>
>>>>> EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!eNULL:!LOW:!aNULL:!MD5:!DSS
>>>>>
>>>>> If you could also post a sanitised copy of your pound config file we can see what we can do for you.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 9 July 2015 at 22:55, Rick Smith <dredge999(at)gmail.com> wrote:
>>>>>
>>>>>> I am running Pound 2.7f from
>>>>>> https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7f.zip
>>>>>>
>>>>>>
>>>>>> I am also running openssl version 1.0.1p from Jul 9, 2015.
>>>>>>
>>>>>> I am trying to achieve a better ranking for our SSL support.
>>>>>>
>>>>>> I have been able to move up to a C rating but for some reason here are my results.
>>>>>>
>>>>>> I am using the following ciphers: RC4-SHA:HIGH:!ADH:!SSLv2:!AES
>>>>>> I enabled the Disable SSLv3 directive and I have the following also enabled for the listener:
>>>>>>
>>>>>> SSLAllowClientRenegotiation     0
>>>>>> SSLHonorCipherOrder 1
>>>>>>
>>>>>> This is after much trial and error.  I thought that this upstream version disabled TLS compression but it appears to still be active.
>>>>>>
>>>>>> Questions:
>>>>>>
>>>>>> 1)  How can I disable TLS compression?
>>>>>> 2)  Can I enable TLS 1.1 and 1.2?
>>>>>> 3)  How can I disable support for weak DH key exchanges?
>>>>>> 4)  Why isn't PFS enabled?  I assume the ciphers need fixing?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Rick
>>>>>>
>>>>>>
>>>>>> This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.   MORE INFO » <https://weakdh.org/>
>>>>>> This server does not mitigate the CRIME attack <https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls>. Grade capped to C.
>>>>>> The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.  MORE INFO » <https://community.qualys.com/blogs/securitylabs/2015/05/22/ssl-labs-increased-penalty-when-tls-12-is-not-supported>
>>>>>> This server accepts the RC4 cipher, which is weak. Grade capped to B.  MORE INFO » <https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what>
>>>>>> The server does not support Forward Secrecy with the reference browsers.  MORE INFO » <https://en.wikipedia.org/wiki/Forward_secrecy>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> With Kind Regards.
>>>>>
>>>>> Scott McKeown
>>>>> Loadbalancer.org <http://loadbalancer.org/>
>>>>> http://www.loadbalancer.org
>>>>> Tel (UK) - +44 (0) 3303801064 (24x7)
>>>>> Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
>>>>>
>>>>>
>>>>>
>>>[...][...]

[...]

Re: [Pound Mailing List] Crime vulnerability on 2.7f upstream
Anthony Tarlano <tony(at)exablox.com>
2015-08-17 21:49:36
Robert,

Can we get this patch merged into pound for the community to benefit from
Frank's good work?

Thanks in advance.

Anthony

On Mon, Aug 17, 2015 at 8:19 AM, Emilio Campos <emilio.campos.martin(at)gmail.com> wrote:
[...][...]
>>>
>>> openssl dhparam -5 2048 -out dh2048.pem
>>>
>>> Then specify the file for Pound in your config:
>>> DHParams        "/path/to/dh2048.pem"
>>> ECDHCurve       prime256v1
>>>
>>> --
>>> Joe
>>>
>>>
>>>
>>>
>>> From: Emilio Campos
>>> Reply-To: "pound(at)apsis.ch"
>>> Date: Friday, July 10, 2015 at 8:02 AM
>>> To: "pound(at)apsis.ch"
>>> Subject: Re: [Pound Mailing List] Crime vulnerability on 2.7f upstream
>>>
>>> By the way, can someone obtain an A+ with pound2.7 or higher? In my case I use 2.8.a with only A.
>>>
>>>
>>> Thanks!
>>>
>>>
>>> --
>>> Load balancer distribution - Open Source Project
>>> http://www.zenloadbalancer.com
>>> Distribution list (subscribe):
>>> zenloadbalancer-support(at)lists.sourceforge.net
>>>[...][...]

[...]
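
The pieces scattered through the quoted thread, pulled into one script as an added example (not code from the list, from Frank's patch, or from Pound itself): Joe's 2048-bit DH parameters with the DHParams and ECDHCurve directives, the listener settings Mirek reported an A with FS for, and a checker for the four findings in Rick's SSL Labs report. The assess function reads openssl s_client output and fails once for each of: no TLS 1.2, compression still negotiated (CRIME), RC4, a non-ephemeral key exchange (no forward secrecy), and a DH temp key under 2048 bits (weakdh). Hostnames and file paths are assumptions; the cipher list is Mirek's verbatim, which still admits MEDIUM-strength suites and is a tuning decision left to the reader.

```shell
#!/bin/sh
# Added example, not code from the thread: generate DH parameters, print the
# ListenHTTPS settings from the thread, and check a listener for the findings
# in Rick's SSL Labs report. Paths and hostnames are assumptions.

# 2048-bit DH parameters for the DHParams directive. Slow, run once.
gen_dhparams() {
  openssl dhparam -out "$1" 2048
}

# Listener fragment built from the directives and cipher list in the thread;
# $1 is the dhparam file written by gen_dhparams.
listener_fragment() {
  cat <<EOF
    Disable SSLv3
    SSLAllowClientRenegotiation 0
    SSLHonorCipherOrder 1
    Ciphers "HIGH:!aNULL:!SSLv2:!ADH:!EXP:!eNULL:!RC4:MEDIUM:!LOW"
    DHParams "$1"
    ECDHCurve prime256v1
EOF
}

# Read 'openssl s_client' output on stdin and count the findings that cap the
# SSL Labs grade. Prints one line per check; exit status is the number of
# failures, so 0 means every check passed.
assess() {
  proto=""; cipher=""; comp=""; tmpkey=""; fails=0
  while IFS= read -r line; do
    case "$line" in
      *"Protocol  :"*)      proto=${line##*: } ;;
      *"Cipher    :"*)      cipher=${line##*: } ;;
      "Compression: "*)     comp=${line#Compression: } ;;
      "Server Temp Key: "*) tmpkey=${line#Server Temp Key: } ;;
    esac
  done
  if [ "$proto" = "TLSv1.2" ]; then printf 'ok   protocol %s\n' "$proto"
  else printf 'FAIL protocol "%s" (TLS 1.2 not negotiated)\n' "$proto"; fails=$((fails + 1)); fi
  if [ "$comp" = "NONE" ]; then printf 'ok   compression off\n'
  else printf 'FAIL compression "%s" (CRIME)\n' "$comp"; fails=$((fails + 1)); fi
  case "$cipher" in
    "")    printf 'FAIL no cipher negotiated (handshake failed?)\n'; fails=$((fails + 1)) ;;
    *RC4*) printf 'FAIL cipher %s uses RC4\n' "$cipher"; fails=$((fails + 1)) ;;
    *)     printf 'ok   cipher %s\n' "$cipher" ;;
  esac
  case "$cipher" in                 # ephemeral key exchange => forward secrecy
    "") ;;
    ECDHE-*|DHE-*|EDH-*) printf 'ok   forward secrecy\n' ;;
    *) printf 'FAIL no forward secrecy (%s)\n' "$cipher"; fails=$((fails + 1)) ;;
  esac
  case "$tmpkey" in
    "DH, "*)
      bits=${tmpkey#DH, }; bits=${bits%% bits*}
      if [ "$bits" -ge 2048 ]; then printf 'ok   DH %s bits\n' "$bits"
      else printf 'FAIL DH %s bits (weakdh, need >= 2048)\n' "$bits"; fails=$((fails + 1)); fi ;;
    "ECDH, "*) printf 'ok   temp key %s\n' "$tmpkey" ;;
    *) printf 'note temp key not reported (older s_client)\n' ;;
  esac
  return $fails
}

# Live probe of HOST [PORT]; needs network. Pipe the handshake into assess.
probe() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" < /dev/null 2>/dev/null | assess
}
```

`probe www.example.com` runs a live handshake through assess; a non-zero exit with FAIL lines tells you which finding to fix before re-running SSL Labs. Two s_client caveats: OpenSSL 1.1.0 and later only offer compression when given -comp, so without it the CRIME check cannot fire, and 1.0.1 prints no Server Temp Key line, which is why the DH check says "not reported" rather than guessing. Whether this reaches A+ rather than A is a separate matter: SSL Labs at the time reserved A+ for servers that also sent HSTS, which none of the Pound directives above control.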
