POODLE Ciphers !SSLv3 = Protocol or cipher suite mismatch

openssl poodle pound

According to: ANNOUNCE: Pound - reverse proxy and load balancer - v2.7d / Robert Segall , following enhancement was added:

- added "Disable PROTO" directives (fix for Poodle vulnerability)

My system:

[root@6svprx01 ~]# uname -a
Linux 6svprx01.XXX.org 2.6.32-504.el6.x86_64 #1 SMP Tue Sep 16 01:56:35 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@6svprx01 ~]# rpm -q Pound
Pound-2.6-2.el6.x86_64
[root@6svprx01 ~]# grep Ciphers /etc/pound.cfg
    Ciphers    "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM"
[root@6svprx01 ~]#

... to address POODLE SSLv3, I added !SSLv3 into Ciphers.

Yet while using Qualys SSL Labs - Projects / SSL Server Test to test, I get Protocol or cipher suite mismatch in Handshake Simulation.

Is there a way to address this WITHOUT upgrading to Pound v2.7d (beta) and then using new directives?


Solution 1:

one can use goochjj/pound at pcidss/v2.6 branch, which is Pound 2.6, plus cipher and protocol patches necessary (initially) to pass PCI compliance, and as part of that is the directive to disable SSL3.

# grep DisableSSL /etc/pound.cfg
    DisableSSLv3
    DisableSSLv2
#

* UPDATE *

DisableSSLv3 appears to be unknown directive using non-patched Version 2.6, use -SSLv3:-SSLv2 inside of Ciphers.

Solution 2:

@alexus's answer above worked perfectly for me. Adding some additional notes here in case others come across this page as I did. There doesn't seem to be a lot of good guidance out there for this specific combination of problems.

1) The reason for the original problem is that the non-patched version of Pound disables all SSLv3 ciphers when one adds !SSLv3 to Ciphers. TLS mostly depends on the same ciphers, and won't work well without them.

2) Older versions of GCC will give an error when you try to run ./configure on the patched version in @alexus's link, since it doesn't recognize the -Wno-unused-result flag. I removed that manually and everything seems to run fine after.

3) The DisableSSLv3 directive goes inside the ListenHTTPs block in pound.cfg (next to the Ciphers directive)

Related

.htaccess block access when HTTP_HOST is IP (Security)
XenServer 6.2 VM 100% CPU and 100% memory usage and won't boot
How to check which SMB Version is enabled on Windows Server 2008 R2
Nginx reverse proxy making root webapp into custom path
Use CNAME for SMTP Server
How to allow FTP on Google Compute Engine Windows VM?
Can other Windows Servers be in the same AD domain with a Windows Essentials server?
Turning multiple lines into one comma separated line [duplicate]
Nullable types: better way to check for null or zero in c#
How to set heap size for sbt?
Clear screen in shell
How to insert data to MySQL having auto incremented primary key?