Not possible to disable SSLv3

Related Vulnerabilities: CVE-2014-3566   CVE-2012-4929   CVE-2009-3555  

Debian Bug report logs - #765539


Package: pound; Maintainer for pound is Carsten Leonhardt <leo@debian.org>; Source for pound is src:pound (PTS, buildd, popcon).

Reported by: Brian May <brian@microcomaustralia.com.au>

Date: Thu, 16 Oct 2014 01:09:02 UTC

Severity: important

Tags: security, wheezy

Merged with 780803

Found in versions pound/2.6-2, pound/2.6-4

Fixed in versions pound/2.6-6, pound/2.6-2+deb7u1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#765539; Package pound. (Thu, 16 Oct 2014 01:09:07 GMT)


Acknowledgement sent to Brian May <brian@microcomaustralia.com.au>:
New Bug report received and forwarded. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. (Thu, 16 Oct 2014 01:09:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Brian May <brian@microcomaustralia.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Not possible to disable SSLv3
Date: Thu, 16 Oct 2014 12:05:13 +1100
Package: pound
Version: 2.6-4
Severity: important
Tags: security

Hello,

I can't see any way of disabling SSLv3 in Pound, which is now considered
insecure.

In addition, https://www.ssllabs.com/ssltest/ reports that "Secure
Client-Initiated Renegotiation" is supported, and flags this as a security
issue. This is despite the fact that the man page says the default for
SSLAllowClientRenegotiation is 0, which is disabled. I tried including
"SSLAllowClientRenegotiation 0" in my configuration, but it didn't help.

Thanks.
-- 
Brian May <brian@microcomaustralia.com.au>

Information forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#765539; Package pound. (Thu, 16 Oct 2014 19:42:15 GMT)


Acknowledgement sent to Antoni Villalonga <antoni@friki.cat>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. (Thu, 16 Oct 2014 19:42:15 GMT)


Message #10 received at 765539@bugs.debian.org:

From: Antoni Villalonga <antoni@friki.cat>
To: 765539@bugs.debian.org
Subject: RE: Not possible to disable SSLv3
Date: Thu, 16 Oct 2014 19:31:30 +0000
Hi,

I've been checking this issue and now I've a patch for it (attached).
Add «Protocols "TLSv1"» after the Ciphers line in pound.cfg to disable
SSLv2 & SSLv3.
It is an approach like SSLProtocols in Apache mod_ssl. Needs more work.

Hope it helps!

PS: I'll try to rewrite the patch in order to be more 'compatible' with other
Pound patches in Debian

-- 
Antoni Villalonga
http://friki.cat/
Attachment: anti_poddle.patch (text/x-diff)

Information forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#765539; Package pound. (Fri, 17 Oct 2014 00:09:04 GMT)


Acknowledgement sent to Brian May <brian@microcomaustralia.com.au>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. (Fri, 17 Oct 2014 00:09:04 GMT)


Message #15 received at 765539@bugs.debian.org:

From: Brian May <brian@microcomaustralia.com.au>
To: Antoni Villalonga <antoni@friki.cat>, 765539@bugs.debian.org
Subject: Re: Bug#765539: Not possible to disable SSLv3
Date: Fri, 17 Oct 2014 11:05:48 +1100
On Thu, Oct 16, 2014 at 07:31:30PM +0000, Antoni Villalonga wrote:
> I've been checking this issue and now I've a patch for it (attached).
> Add «Protocols "TLSv1"» after the Ciphers line in pound.cfg to disable
> SSLv2 & SSLv3.
> It is an approach like SSLProtocols in Apache mod_ssl. Needs more work.

I can confirm that this patch, with a minor conflict resolved, lets me
disable SSLv3.

I still get 2 warnings from ssllabs; I think I will open separate bug
reports on these.



Marked as fixed in versions pound/2.6-6. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Tue, 13 Jan 2015 19:09:08 GMT)


Marked as found in versions pound/2.6-2. Request was from thijs@kinkhorst.com (Thijs Kinkhorst) to control@bugs.debian.org. (Thu, 07 May 2015 17:57:07 GMT)


Added tag(s) wheezy. Request was from thijs@kinkhorst.com (Thijs Kinkhorst) to control@bugs.debian.org. (Thu, 07 May 2015 17:57:08 GMT)


Merged 765539 780803. Request was from thijs@kinkhorst.com (Thijs Kinkhorst) to control@bugs.debian.org. (Thu, 07 May 2015 17:57:10 GMT)


Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 09 May 2015 19:21:08 GMT)


Notification sent to Brian May <brian@microcomaustralia.com.au>:
Bug acknowledged by developer. (Sat, 09 May 2015 19:21:08 GMT)


Message #28 received at 765539-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 765539-close@bugs.debian.org
Subject: Bug#765539: fixed in pound 2.6-2+deb7u1
Date: Sat, 09 May 2015 19:17:39 +0000
Source: pound
Source-Version: 2.6-2+deb7u1

We believe that the bug you reported is fixed in the latest version of
pound, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 765539@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated pound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 07 May 2015 19:01:01 +0200
Source: pound
Binary: pound
Architecture: source amd64
Version: 2.6-2+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Brett Parker <iDunno@sommitrealweird.co.uk>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 pound      - reverse proxy, load balancer and HTTPS front-end for Web servers
Closes: 723731 727197 765539 765649
Changes: 
 pound (2.6-2+deb7u1) wheezy-security; urgency=high
 .
   [ Brett Parker ]
   * Add anti_poodle patch (CVE-2014-3566, Closes: #765539)
     - It's now possible to disable SSLv3 with the "DisableSSLv3"
       directive in pound.cfg. It's however not disabled by default.
   * Disable tls compression patch (CVE-2012-4929, Closes: 727197)
   * Add missing chunk to renegotiation patch
     (CVE-2009-3555, Closes: #765649).
   * don't wrongly encode = in redirect (Closes: #723731)
 .
   [ Thijs Kinkhorst ]
   * Upload to wheezy-security.
Checksums-Sha1: 
 0d053e7aa0b9ef3df63b4bfb48d7c3fc841448a1 1390 pound_2.6-2+deb7u1.dsc
 530a428ae8a94fc48f0b6037f3a601e24e65589e 14484 pound_2.6-2+deb7u1.debian.tar.gz
 419684622a84fe3f478dd7c43ba58e01d0637972 111460 pound_2.6-2+deb7u1_amd64.deb
Checksums-Sha256: 
 f004ebc81adafcc80a843c159cfa9c36141a58645998d7719a58fb1960d374fb 1390 pound_2.6-2+deb7u1.dsc
 6c660935044ff9312d5b3d9352cecb5f850789536aaa0cbff6d2795f4bc4fb83 14484 pound_2.6-2+deb7u1.debian.tar.gz
 5843e46e1eba7ae1541da5519c2d1ee45cf573eaafc224a88cfc003080e00530 111460 pound_2.6-2+deb7u1_amd64.deb
Files: 
 8fc92ddeeb6236269c94da7c1ef5fafa 1390 net extra pound_2.6-2+deb7u1.dsc
 e2e69d160d3afe029ce72dab96adeceb 14484 net extra pound_2.6-2+deb7u1.debian.tar.gz
 fa2e71f92b1fd17b937cdf6b9a7a5af6 111460 net extra pound_2.6-2+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJVS6d8AAoJEFb2GnlAHawEZ18H/3WjyP5Ps5nlA6fEj3fpo1gZ
f4gBpt5N0wsyl3MX0levnswwKtBRvwdwHuHZcElGIA6m1AOZpTnyvk4SOvaN05RN
+3ZrlWc6bMUaPetiaY8vhCFJkcupEgwG3zHrA7DaB9uCELwacrQJFj+97g6fju6N
Se9+3D6ItyFRaf38WD2iNtClpnPJLMZ9TMeDSxPc+RZyfGYn3LUNOJ5VdaN4G0HG
g7HMZD9hzvTE4cmxDgOdizwBWSbFEC9p6HfHp2+fw7A6mhMMYUFd+fKEnZe5s3l8
iwN9tIdrnIWBOoUyNcdM26FHkLxDhbDL0MRHGlHhowMbex10GrOLr+B1qMfRGkA=
=wpYr
-----END PGP SIGNATURE-----

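The thread turns on two pound.cfg settings: the SSLv3 switch that the wheezy-security changelog above names as a "DisableSSLv3" directive (the earlier anti_poddle draft in message #10 spelled it «Protocols "TLSv1"» instead), and the "SSLAllowClientRenegotiation 0" line from the original report. What an operator wants after upgrading is a quick way to confirm that every ListenHTTPS block actually carries those settings rather than relying on defaults. The following checker is an added example, not code from Pound or the Debian package: it assumes the directive spellings quoted in this thread, assumes that Service, BackEnd, Emergency and Session are the only nested block openers inside a listener (as in Pound 2.6), and runs on a constructed sample config.

```python
"""Lint a pound.cfg for the SSLv3 and renegotiation settings discussed in Debian #765539.

Added example, not Pound's or the Debian package's own code. Assumptions:
  - SSLv3 is disabled by a bare ``DisableSSLv3`` line (2.6-2+deb7u1 changelog)
    or by a ``Protocols`` line that does not list SSLv3 (anti_poddle draft);
  - ``SSLAllowClientRenegotiation 0`` turns client renegotiation off;
  - Service / BackEnd / Emergency / Session are the nested block openers.
"""
import shlex

# Constructed sample: the first listener is left at defaults, the second is hardened.
SAMPLE_CFG = """\
User "www-data"
Group "www-data"

ListenHTTPS
    Address 0.0.0.0
    Port 443
    Cert "/etc/ssl/local/site.pem"      # constructed path
    Ciphers "HIGH:!aNULL:!MD5"
    Service
        BackEnd
            Address 127.0.0.1
            Port 8080
        End
    End
End

ListenHTTPS
    Address 0.0.0.0
    Port 8443
    Cert "/etc/ssl/local/site.pem"      # constructed path
    Ciphers "HIGH:!aNULL:!MD5"
    DisableSSLv3
    SSLAllowClientRenegotiation 0
    Service
        BackEnd
            Address 127.0.0.1
            Port 8081
        End
    End
End
"""

# Directives that open a nested "... End" block inside a listener (assumed set).
BLOCK_OPENERS = {"service", "backend", "emergency", "session"}


def parse_listeners(text):
    """Return one dict per top-level ListenHTTPS block: lowercased directive -> list of arg lists.

    Only directives at the listener's own level are recorded; nested blocks are
    tracked by depth so that their own 'End' lines do not close the listener early.
    '#' starts a comment, and quoted arguments are split the way a shell would.
    """
    listeners = []
    current = None   # dict for the listener being read, or None outside one
    depth = 0        # nesting depth of Service/BackEnd/... blocks inside it
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:            # unbalanced quote: fall back to whitespace split
            tokens = line.split()
        name, args = tokens[0].lower(), tokens[1:]
        if current is None:
            if name == "listenhttps":
                current, depth = {}, 0
            continue
        if name == "end":
            if depth == 0:
                listeners.append(current)
                current = None
            else:
                depth -= 1
        elif name in BLOCK_OPENERS:
            depth += 1
        elif depth == 0:
            current.setdefault(name, []).append(args)
    return listeners


def audit(text):
    """Report, per ListenHTTPS block, whether SSLv3 is disabled and renegotiation is explicitly off.

    The renegotiation check is only a configuration check: as the original report
    shows, an explicit 0 proves nothing about what the binary actually does, so a
    scanner run against the live service is still needed.
    """
    findings = []
    for listener in parse_listeners(text):
        port = listener.get("port", [["?"]])[0][0]
        protocols = [p.lower() for args in listener.get("protocols", []) for p in args]
        sslv3_disabled = "disablesslv3" in listener or bool(protocols and "sslv3" not in protocols)
        reneg_off = any(args[:1] == ["0"] for args in listener.get("sslallowclientrenegotiation", []))
        findings.append({"port": port, "sslv3_disabled": sslv3_disabled, "renegotiation_off": reneg_off})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CFG):
        status = "ok" if f["sslv3_disabled"] and f["renegotiation_off"] else "REVIEW"
        print(f"port {f['port']}: SSLv3 disabled={f['sslv3_disabled']} "
              f"renegotiation off={f['renegotiation_off']} -> {status}")
```

Run against a real /etc/pound/pound.cfg by replacing SAMPLE_CFG with the file's contents; a listener reported as REVIEW is one where the upgrade alone changed nothing, which matches the changelog's note that SSLv3 is not disabled by default.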



Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 09 May 2015 19:21:09 GMT)


Notification sent to Krzysztof Hajdamowicz <uosiu@uosiu.info>:
Bug acknowledged by developer. (Sat, 09 May 2015 19:21:09 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 04 Oct 2015 07:26:57 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:46:45 2019; Machine Name: beach
