Hi, I've been looking into this issue and now have a patch for it (attached). Add «Protocols "TLSv1"» after the Ciphers line in pound.cfg to disable SSLv2 and SSLv3. It is loosely modelled on the SSLProtocol directive of Apache mod_ssl. It still needs more work.
Hope it helps! PS: I'll try to rewrite the patch in order to be more 'compatible' with other Pound patches in Debian -- Antoni Villalonga http://friki.cat/
--- Pound-2.6/config.c 2011-12-28 14:57:45.000000000 +0100
+++ Pound-2.6b/config.c 2014-10-16 20:16:46.826102888 +0200
@@ -76,7 +76,7 @@
 static regex_t Err414, Err500, Err501, Err503, MaxRequest, HeadRemove, RewriteLocation, RewriteDestination;
 static regex_t Service, ServiceName, URL, HeadRequire, HeadDeny, BackEnd, Emergency, Priority, HAport, HAportAddr;
 static regex_t Redirect, RedirectN, TimeOut, Session, Type, TTL, ID, DynScale;
-static regex_t ClientCert, AddHeader, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11;
+static regex_t ClientCert, AddHeader, Ciphers, Protocols, CAlist, VerifyList, CRLlist, NoHTTPS11;
 static regex_t Grace, Include, ConnTO, IgnoreCase, HTTPS, HTTPSCert, Disabled, Threads, CNName;
 
 static regmatch_t matches[5];
@@ -1034,8 +1034,23 @@
 if(res->ctx == NULL)
 conf_err("Ciphers may only be used after Cert - aborted");
 lin[matches[1].rm_eo] = '\0';
- for(pc = res->ctx; pc; pc = pc->next)
- SSL_CTX_set_cipher_list(pc->ctx, lin + matches[1].rm_so);
+ int ssl_ctx_set_cipher_list_return;
+ for(pc = res->ctx; pc; pc = pc->next) {
+ ssl_ctx_set_cipher_list_return = SSL_CTX_set_cipher_list(pc->ctx, lin + matches[1].rm_so);
+ //printf("~DEBUG Pound (config.c:1042): %s => %d~\n", lin + matches[1].rm_so, ssl_ctx_set_cipher_list_return);
+ }
+ } else if(!regexec(&Protocols, lin, 4, matches, 0)) {
+ has_other = 1;
+ if(res->ctx == NULL)
+ conf_err("Protocols may only be used after Cert - aborted");
+ lin[matches[1].rm_eo] = '\0';
+ for(pc = res->ctx; pc; pc = pc->next) {
+ if (!strcmp("TLSv1", (lin + matches[1].rm_so))) {
+ int SSL_CTX_set_options_sslv2 = SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv2);
+ int SSL_CTX_set_options_sslv3 = SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv3);
+ //printf("~DEBUG Pound (config.c:1053): SSLv2 %d // SSLv3 %d~\n", SSL_CTX_set_options_sslv2, SSL_CTX_set_options_sslv3);
+ }
+ }
 } else if(!regexec(&CAlist, lin, 4, matches, 0)) {
 STACK_OF(X509_NAME) *cert_names;
 
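Review bot: The new Protocols branch silently accepts any value other than `TLSv1`: the `strcmp` inside the `for` loop only acts on an exact match, so a misspelt or unsupported value such as `Protocols "TLSv1.2"` leaves SSLv2 and SSLv3 enabled with no error, which is the opposite of what an operator setting the directive expects. Validate the value once before the loop with `conf_err` and apply both options in a single `SSL_CTX_set_options` call; in the same hunk the `Ciphers` change stores the result of `SSL_CTX_set_cipher_list` in `ssl_ctx_set_cipher_list_return` but never reads it, although OpenSSL returns 0 there when no cipher in the list is usable, which also deserves a `conf_err` instead of a silent fallthrough to the default list. The commented-out debug `printf` lines and the unused `SSL_CTX_set_options_sslv2`/`_sslv3` locals (note that `SSL_CTX_set_options` returns `long`, not `int`) should be removed before merging. A one-line comment such as `/* "TLSv1" here means "no SSLv2/SSLv3"; TLS 1.1 and 1.2 remain enabled */` would make the directive's actual effect clear to the next maintainer. The enclosing config-parsing function starts and ends outside the hunk.
```c
                for(pc = res->ctx; pc; pc = pc->next)
                    if(!SSL_CTX_set_cipher_list(pc->ctx, lin + matches[1].rm_so))
                        conf_err("Ciphers: no usable cipher in list - aborted");
            } else if(!regexec(&Protocols, lin, 4, matches, 0)) {
                /* … unchanged: has_other, Cert check, NUL-termination of the value … */
                /* "TLSv1" here means "no SSLv2/SSLv3"; TLS 1.1 and 1.2 remain enabled.
                 * Refuse anything else rather than silently leaving SSLv2/SSLv3 on. */
                if(strcmp("TLSv1", lin + matches[1].rm_so))
                    conf_err("Protocols: unknown value - aborted");
                for(pc = res->ctx; pc; pc = pc->next)
                    SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
            } else if(!regexec(&CAlist, lin, 4, matches, 0)) {
```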
@@ -1306,6 +1321,7 @@
 || regcomp(&ClientCert, "^[ \t]*ClientCert[ \t]+([0-3])[ \t]+([1-9])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
 || regcomp(&AddHeader, "^[ \t]*AddHeader[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
 || regcomp(&Ciphers, "^[ \t]*Ciphers[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&Protocols, "^[ \t]*Protocols[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
 || regcomp(&CAlist, "^[ \t]*CAlist[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
 || regcomp(&VerifyList, "^[ \t]*VerifyList[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
 || regcomp(&CRLlist, "^[ \t]*CRLlist[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
@@ -1464,6 +1480,7 @@
 regfree(&ClientCert);
 regfree(&AddHeader);
 regfree(&Ciphers);
+ regfree(&Protocols);
 regfree(&CAlist);
 regfree(&VerifyList);
 regfree(&CRLlist);