SSL

13th December 2016

in SSL

Loadbalancer.org with Let’s Encrypt, quick and dirty!

Posted by Aaron West 13th December in SSL

Let’s Encrypt offers us a free way to get SSL certs, with the aim of being less complex than our current solutions. Hmm... well, that sounds pretty cool! I had known about Let’s Encrypt for a while now but never had the need to take the plunge until this weekend.

16th October 2014

in SSL

The Poodle SSLv3 – UPDATED – Updated Again

Posted by Andrei Grigoraş 16th October in SSL

So here we go again...  Another vulnerability has been found in OpenSSL. However, this is very hard to exploit and requires the hacker to have control of your wireless hotspot or network. If that's the case, then you're in trouble anyway!

18th June 2014

in HAProxy

Source IP Addresses, STunnel, HAProxy and Server Logs

Posted by Rob Cooper 18th June in HAProxy

When using proxies such as STunnel and HAProxy it's easy to lose track of the client source IP address. This occurs, for example, when HAProxy is used in its default configuration to load balance a number of back-end web servers. By default, the source IP address of the packet reaching the web servers is the IP address of the load balancer and not the IP address of the client. One way around this is to enable X-Forwarded-For headers for HAProxy (the default for Loadbalancer.org appliances) and configure the web servers to track the IP address in this header. For more details on enabling this for IIS and Apache web servers, please see IIS and X-Forwarded-For Headers and Apache and X-Forwarded-For Headers. For more complicated scenarios where SSL termination is also required on the load balancer and the original source IP address is still required, additional steps are needed.

9th June 2014

in SSL

Heartbleed 2.0? Not exactly but more OpenSSL issues have been found

Posted by Rob Cooper 9th June in SSL

In the wake of the recent Heartbleed bug, another series of OpenSSL vulnerabilities has been found. Whilst the Heartbleed bug was relatively easy to exploit, the latest batch of bugs is not. However, if successfully exploited, there is potential for eavesdropping and traffic manipulation (CVE-2014-0224) as well as running arbitrary code on the vulnerable client or server (CVE-2014-0195).

10th April 2014

in SSL

Loadbalancer.org releases patch for the OpenSSL Heartbleed vulnerability CVE-2014-0160

Posted by Rob Cooper 10th April in SSL

The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.

8th November 2013

in Load Balancing

SSL Offload Testing with HAProxy and Stunnel

Posted by Mark Brookes 8th November in Load Balancing

There are a lot of SSL offload throughput statistics available for appliances across the internet but rarely do they detail the way they were tested (probably because a lot of the numbers are inflated for marketing purposes). We at Loadbalancer.org would like to improve the standard across the industry by being transparent about how exactly we have tested our appliances for SSL performance:

13th June 2012

in SSL

SSL Termination & The BEAST

Posted by Andrei Grigoraş 13th June in SSL

Over the last few weeks we have seen more and more users reporting that they have run a security check on the SSL certificate that's installed on their Loadbalancer appliance using the Trustworthy Internet Movement web site (https://www.trustworthyinternet.org/ssl-pulse/). The idea behind the site is basically to test as many SSL certificates on the Internet as possible and check for any vulnerabilities like having SSLv2 enabled or weak Key Cipher lists. The test takes about 2 minutes to run and will give you a report on the status of your SSL certificate and the associated services that it uses. From this we found that the version of Pound SSL Proxy that we were using with our v6.x appliance was not as secure as it could be, which has led to a new release of our hardware software to v6.19. NB. 'not as secure as it could be' does not mean a security problem, the BEAST attack is really a client side attack and nothing to do with load balancers <- Annoying comment added by Editor :-).
