Pen 0.27.3 released

Available here:

And also here:

Several new configuration options dealing with securing SSL.

ssl_option no_sslv2 turns off SSL2. This has been the default for ages. Nobody should use SSL2 anymore.

ssl_option no_sslv3 turns off SSL3, sacrificing compatibility with Windows XP but also “sacrificing” the associated vulnerabilities.

ssl_option no_tlsv1 turns off TLS1, again sacrificing a bit of compatibility for a bit of security.

ssl_option cipher_server_preference Prefer the ciphers listed at the beginning of the cipher list (see next item).

ssl_ciphers CIPHERS Specify a list of ciphers to support. By default, Pen will use whatever OpenSSL thinks the default should be, and that list will be different depending on the version of OpenSSL and the options used when compiling OpenSSL.

See here for a suggested configuration with intermediate compatibility but still good security:

Perfect Forward Secrecy

The default maximum number of connections has been 256 since Pen’s inception in 2000. Today that is ridiculously conservative since Pen will gladly handle tens of thousands of connections on a Raspberry Pi:

The Great Load Balancer Shootout…
Let’s double that one more time

The default is now bumped to 500; still very conservative.

Full list of changes since 0.27.2:

150330 Added autoconf check that the ECDHE is available and not disabled.
Bumped default max connections and listen queue to 500.

150326 Support for ECDHE cipher suites.

150325 New commands ssl_option and ssl_ciphers to individually disable
insecure protocols and ciphers.

150324 Updated penctl.1 with the new command.

150322 New knob to tweak max number of pending nonblocking connection
attempts: pending_max N (default 100).


Leave a Reply

Your email address will not be published. Required fields are marked *