2

According to ANNOUNCE: Pound - reverse proxy and load balancer - v2.7d / Robert Segall, the following enhancement was added:

- added "Disable PROTO" directives (fix for Poodle vulnerability)

My system:

[root@6svprx01 ~]# uname -a
Linux 6svprx01.XXX.org 2.6.32-504.el6.x86_64 #1 SMP Tue Sep 16 01:56:35 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@6svprx01 ~]# rpm -q Pound
Pound-2.6-2.el6.x86_64
[root@6svprx01 ~]# grep Ciphers /etc/pound.cfg
    Ciphers    "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM"
[root@6svprx01 ~]#

... to address POODLE SSLv3, I added !SSLv3 into Ciphers.

Yet while using Qualys SSL Labs - Projects / SSL Server Test to test, I get Protocol or cipher suite mismatch in Handshake Simulation.

Is there a way to address this WITHOUT upgrading to Pound v2.7d (beta) and then using new directives?

alexus
  • 12,342
  • 27
  • 115
  • 173

2 Answers

3

One can use the goochjj/pound pcidss/v2.6 branch, which is Pound 2.6 plus the cipher and protocol patches (initially) necessary to pass PCI compliance; part of that is the directive to disable SSLv3.

# grep DisableSSL /etc/pound.cfg
    DisableSSLv3
    DisableSSLv2
# 

* UPDATE *

DisableSSLv3 appears to be an unknown directive when using the non-patched version 2.6; use -SSLv3:-SSLv2 inside of Ciphers.

alexus
  • 12,342
  • 27
  • 115
  • 173
  • Perfect -- many thanks! Adding a few additional notes in a separate response, in case others come across them as well. – anschauung Oct 29 '14 at 13:02
1

@alexus's answer above worked perfectly for me. Adding some additional notes here in case others come across this page as I did. There doesn't seem to be a lot of good guidance out there for this specific combination of problems.

1) The reason for the original problem is that the non-patched version of Pound disables all SSLv3 ciphers when one adds !SSLv3 to Ciphers. TLS mostly depends on the same ciphers, and won't work well without them.

2) Older versions of GCC will give an error when you try to run ./configure on the patched version in @alexus's link, since it doesn't recognize the -Wno-unused-result flag. I removed that manually and everything seems to run fine after.

3) The DisableSSLv3 directive goes inside the ListenHTTPs block in pound.cfg (next to the Ciphers directive).

anschauung
  • 113
  • 1
  • 6
  • `DisableSSLv3` appears to be `unknown directive` using non-patched `Version 2.6`; I wasn't able to use `!SSLv3` inside of `Ciphers`, yet `-SSLv3:-SSLv2` works! – alexus Feb 11 '16 at 16:34
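The distinction both answers rest on (a cipher-string keyword removes cipher suites, a protocol option removes a protocol) can be checked without Pound, since Python's ssl module wraps the same OpenSSL cipher-string parser. This is an added example, not code from the Pound project or from either poster; it feeds the question's exact Ciphers value to OpenSSL and compares the asker's `!SSLv3` edit with a protocol floor, which is what the patched Pound's DisableSSLv3 directive does underneath.

```python
"""Why "!SSLv3" in an OpenSSL cipher string is the wrong tool for disabling SSLv3."""
import ssl

# The Ciphers value from the question, verbatim. Keywords OpenSSL no longer
# knows (e.g. SSLv2 on current builds) are silently ignored by its parser.
POUND_CIPHERS = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM"


def suites(cipher_string, min_version=None):
    """Return [(suite name, protocol)] that OpenSSL derives from cipher_string.

    min_version, when given, is applied as a protocol floor: the same mechanism
    (SSL_CTX protocol options / minimum version) that a DisableSSLv3-style
    directive uses, as opposed to editing the cipher list. TLS 1.3 suites are
    configured separately in OpenSSL and are left out so the comparison covers
    only suites a cipher string can touch.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    if min_version is not None:
        ctx.minimum_version = min_version
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def names(table):
    return [name for name, _ in table]


def compare():
    """Baseline vs. the asker's "!SSLv3" edit vs. a protocol floor."""
    baseline = suites(POUND_CIPHERS)
    # What the asker did: the SSLv3 keyword matches every suite first defined
    # for SSLv3, which is also the whole suite set TLS 1.0 and 1.1 can use.
    bang_sslv3 = suites(POUND_CIPHERS + ":!SSLv3")
    # What a protocol directive does: DisableSSLv3 corresponds to a TLSv1 floor;
    # a current deployment would set TLS 1.2, as here. The cipher list is untouched.
    floor = suites(POUND_CIPHERS, ssl.TLSVersion.TLSv1_2)
    return baseline, bang_sslv3, floor


if __name__ == "__main__":
    baseline, bang_sslv3, floor = compare()
    for label, table in (("baseline", baseline), ("+ :!SSLv3", bang_sslv3),
                         ("+ protocol floor", floor)):
        print(f"{label:<18}{len(table):>4} suites")
    dropped = sorted(set(names(baseline)) - set(names(bang_sslv3)))
    print("removed by !SSLv3 (sample):", ", ".join(dropped[:6]))
```

On any OpenSSL build the `!SSLv3` column loses every pre-TLS-1.2 suite (AES128-SHA and friends) while the protocol-floor column matches the baseline exactly, which is the mismatch SSL Labs reported for the TLS 1.0/1.1 handshake simulations.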