Pound and the BEAST CRIME vulnerability

Ok that subject is awful.

In any case preventing the BEAST or CRIME exploits is pretty easy, but does require manually compiling Pound…

Grab the current version, apply the patch. Apply the other patch. Compile. Make. Make install. Get an A.

Always, always verify your files and patches before applying them! I’m not responsible if things break, etc, etc!

wget http://www.apsis.ch/pound/Pound-2.6.tgz
tar xf Pound-2.6.tgz
cd Pound-2.6
wget https://github.com/goochjj/pound/commit/2f69c71b0314538f2a6218f624bdd2b954e5dbc8.patch
patch -i 2f69c71b0314538f2a6218f624bdd2b954e5dbc8.patch

I realise I should make a patch file but I’m in a bit of a rush!
after applying the patch above open up config.c and jump to line 1138.

Underneath SSL_CTX_set_options(pc->ctx, ssl_op_enable);

add SSL_CTX_set_options(pc->ctx, SSL_OP_NO_COMPRESSION);

Save it, run ./configure, make, make install
Restart pound

Obtain your A grade on SSL Labs

Leave a Reply