I am fairly new to Pound cfg and SSL in general and working on learning. Tried a few things I found on Google related to setting Ciphers but they failed.

We are having an issue with Firefox after setting Ciphers in Pound to not allow SSLv3. Firefox tells customers that the system is not set up properly, so it is blocking them. Here is what I am trying to do.

Disallow SSLv3, SSLv2 via Pound Cfg file. Here is what I have tried:

Ciphers "All:!SSLv2:!SSLv3"

We are using SHA2 through Godaddy for Cert and SHA256 for key. When I test via https://dev.ssllabs.com/ssltest/ we get a giant F. Any ideas?

Any and all help is greatly appreciated. Thanks!

McKeder
  • *`Ciphers "All:!SSLv2:!SSLv3"`* - `SSLv2` and `SSLv3` are protocols, not ciphers. `Ciphers "HIGH:!aNULL:!MD5:!RC4"` is probably closer to what you want to keep the browsers happy. Also see Apache's [Protocol](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol) and [CipherSuites](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite) documentation, which Pound seems to mostly follow. – jww Apr 05 '16 at 22:50

1 Answer

"Ciphers" is used to configure the cipher suites, not the SSL/TLS protocols. According to the man page, you want to do this:

Disable SSLv3

Note that Disable works by disabling that protocol and all lesser protocols, so disabling SSLv3 also disables SSLv2 along with it.

You will probably want to configure Ciphers as well. Exactly how you configure it depends on what browsers and user agents you want to support, but you can get started with:

Ciphers "EECDH+AESGCM:AES128+EECDH"
vcsjones
  • Thanks. The one thing I found is that Disable SSLv3 throws errors for us. My guess is we are using an older version of Pound for CentOS. I will have to look at upgrading that in off hours and report back if it works. – McKeder Apr 06 '16 at 13:39
  • Thanks. This worked for me. I really appreciate the help! I have learned quite a bit about this process and SSL in general. – McKeder Apr 07 '16 at 13:16
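The point made in jww's comment and in the accepted answer (protocol versions and cipher suites are two separate knobs, and `!SSLv3` inside a cipher string does not turn the SSLv3 protocol off) can be checked offline with the OpenSSL engine that Pound itself links against. The following is an added example, not code from the question, the answer, or the Pound project: it uses Python's `ssl` module as a stand-in for Pound's `Disable` and `Ciphers` directives. `minimum_version` plays the role of `Disable` (a floor that drops the named version and everything below it), `set_ciphers` takes the same OpenSSL cipher string Pound's `Ciphers` directive does, and the weak-suite screen is a constructed name-based check, not an OpenSSL feature.

```python
import ssl

# Name fragments that mark suites no modern deployment should offer.
# This token list is an assumption for the example, not an OpenSSL constant.
WEAK_TOKENS = ("ADH-", "AECDH-", "NULL", "RC4", "MD5", "EXP-")


def build_context(cipher_string, minimum=ssl.TLSVersion.TLSv1_2):
    """Server-side context with the protocol floor and cipher string set separately.

    minimum_version is the analogue of Pound's 'Disable': it removes that version
    and every lesser one, so a floor of TLSv1.2 also excludes TLSv1.1, TLSv1.0,
    SSLv3 and SSLv2 without any mention of them in the cipher string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    ctx.set_ciphers(cipher_string)  # same OpenSSL cipher-string syntax as Pound's 'Ciphers'
    return ctx


def suite_names(cipher_string):
    """Expand an OpenSSL cipher string to the suite names it actually enables."""
    return [c["name"] for c in build_context(cipher_string).get_ciphers()]


def minimum_version_name(ctx):
    """Return the configured protocol floor as a string such as 'TLSv1_2'."""
    return ctx.minimum_version.name


def offers_weak_suite(names):
    """True if any enabled suite is anonymous, NULL, RC4, MD5 or export grade."""
    return any(tok in name for name in names for tok in WEAK_TOKENS)


def report(cipher_string):
    """Print what a given cipher string yields, for a quick manual comparison."""
    names = suite_names(cipher_string)
    print(f"{cipher_string!r}: {len(names)} suites, weak={offers_weak_suite(names)}")
    for name in names:
        print("   ", name)


if __name__ == "__main__":
    # The two strings suggested on this page, expanded by the local OpenSSL build.
    report("HIGH:!aNULL:!MD5:!RC4")
    report("EECDH+AESGCM:AES128+EECDH")
    print("protocol floor:", minimum_version_name(build_context("HIGH")))
```

The exact suite list printed depends on the OpenSSL version Python was built against (OpenSSL 1.1.1 and later also append the TLS 1.3 suites, whose names start with `TLS_`), which is why the checks below assert on properties of the list rather than on a fixed set of names. Running the same cipher strings through `openssl ciphers -v '<string>'` on the Pound host gives the list the proxy will offer.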