Disable SSLv3 with Plesk?
I'm having problems disabling SSLv3 in the apache configuration on a Plesk box. I'm wondering if I'm looking in the wrong place for the config file?
I'm editing /etc/httpd/conf.d/ssl.conf
and I'm adding SSLProtocol all -SSLv2 -SSLv3 at the bottom of the file (commenting out the default settings) and restarting apache.
But when I use one of the better SSL test websites, it tells me "Server has SSL v3 enabled"
I've checked httpd.conf and there's nothing protocol-related in there.
There is no httpsd.conf.
Other changes I made in ssl.conf do have an effect. It only seems to be SSLv3 that I can't disable.
And if the currently circulating news is accurate then I really need to get this disabled both for the webserver apache and the Plesk nginx ASAP
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Re: Disable SSLv3 with Plesk?
This is a very secure mod_ssl configuration that we use on most non-ASL machines (which does not allow SSLv3):
SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4
If you are using ASL, then this configuration will be overwritten by 'asl -s -f' to the following (which does allow SSLv3):
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
Lemonbit Internet Dedicated Server Management
Re: Disable SSLv3 with Plesk?
On a related note, on a quick test, it appears that if we leave the ASL lines in the ssl conf but comment them out:
#SSLProtocol all -SSLv2
#SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
allows:
SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4
to not be overwritten when asl -s -f is run.
Re: Disable SSLv3 with Plesk?
Cheers for that. Very useful. Thanks.
I've not had my ssl.conf overwritten by ASL ever - maybe it is a config option that's causing it for you?
On the positive side, I think I see what my problem is.
I was assuming that SSLProtocol was where I was supposed to switch SSLv3 off. But I note that the default SSLCipherSuite also has !SSLv2 and I'm guessing adding a !SSLv3 is what I need to do on that line as well.
I'm experimenting now! Thanks again.
Re: Disable SSLv3 with Plesk?
Actually, your config may be too secure. I can't view pages in IE11.
Anyway, I do seem to have found a way to disable SSLv3 though, just by using your Protocols with my SSLCipherSuite
SSLCipherSuite !aNULL:!ADH:!eNULL:!LOW:!EXP:!MD5:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4+RSA:+HIGH:+MEDIUM
The above is from Parallels' KB about passing PCI tests.
Re: Disable SSLv3 with Plesk?
Hm. Are there any recommendations from Atomicorp regarding poodle?
What is the best and secure but most compatible setting...
...for apache with Plesk
...tortix
...psaproftpd
Thanks
- Atomicorp Staff - Site Admin
Re: Disable SSLv3 with Plesk?
>...for apache with Plesk
Available in the -testing channel right now, will be released in ASL 4.0.7. Potential client breakage with older microsoft browsers
> ...tortix
On by default, nothing to do here. Good place to test aforementioned client browsers for compatibility
> ...psaproftpd
Blocking issue, many clients do not support enforced TLS only transfers. Likelihood of a major disruption with this. Otherwise TLS as an option is available in ASL 4.0.6 now
Courier IMAP
Available in the -testing channel now, will be released in ASL 4.0.7. Some potential for client breakage
Re: Disable SSLv3 with Plesk?
thank you very much
- mikeshinn - Atomicorp Staff - Site Admin
Re: Disable SSLv3 with Plesk?
Just set APACHE_SSLPROTOCOL in ASL to "TLS only".
Michael Shinn
Atomicorp - Security For Everyone
Re: Disable SSLv3 with Plesk?
I assume it doesn't alter the Plesk panel's webserver config?
Can that be added to the wishlist please?
Are the changes it makes documented? e.g. what cipher suites and so on?
(edit: It doesn't seem to work for me - no changes to ssl.conf after setting it to TLS in ASL)
Heads-up though: new openssl packages with TLS_FALLBACK_SCSV and DoS bugfixes should be hitting the centos mirrors any moment now.
- Atomicorp Staff - Site Admin
Re: Disable SSLv3 with Plesk?
Not yet, since they moved to nginx it messed up all the paths.
Re: Disable SSLv3 with Plesk?
From what I gather the SSL configuration for the following services are not yet hardened by ASL:
- Plesk admin interface
- SMTPS via Qmail or Postfix
- Nginx
Tip: remember to restart your services after having applied the ASL update to activate the more secure SSL configuration.
Lemonbit Internet Dedicated Server Management
Re: Disable SSLv3 with Plesk?
Upgraded to ASL 4.0.7-18.
APACHE_SSLPROTOCOL set to "TLS only".
APACHE_SSLCIPHERSUITE set to "strong".
Restarted Apache.
http://www.ssllabs.com/ssltest, curl & openssl tests still report SSL3 as ENABLED & INSECURE
/etc/httpd/conf.d/ssl.conf appears to have the correct settings:
SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4
Have tried adding !SSLv2:!SSLv3 to SSLCipherSuite and -SSLv2 -SSLv3 to SSLProtocol, no difference.
Any ideas what else to check? Are others managing to disable SSLv3 via ASL?
Thanks!
Re: Disable SSLv3 with Plesk?
Are you using Nginx on Plesk? ASL is not (yet?) hardening the SSL configuration for Nginx.
Edit the following files. Note that file paths may differ depending on Plesk version.
grep -rin ssl_protocols /usr/local/psa/admin/conf/templates/
Read http://kb.sp.parallels.com/en/123160 and do not forget to run "/usr/local/psa/admin/bin/httpdmng --reconfigure-all" after having modified the template files.
Lemonbit Internet Dedicated Server Management
Re: Disable SSLv3 with Plesk?
This is getting seriously kooky.
On the system I was having problems disabling SSLv3 originally, everything is now fine and changes to ssl.conf have an immediate effect (after restarting apache).
But on another system I'm back to square one. Using exactly the same ssl.conf SSLProtocol, CipherSuite and HonorCiphersuite as the one that passes the main tests and doesn't have SSLv3 enabled, nothing I do seems to disable SSLv3.
Other changes I make do seem to be noticed. (e.g. I can go down to a grade B using the qualys-suggested ciphersuite line while I get an A- when using the plesk PCI one).
No nginx involved for me.
There must surely be some other file adding to or subtracting from the configuration in some way I'm not aware of. I'm guessing it is changing the SSLProtocol but not the SSLCipherSuite
EDIT!!! D'oh! Some moron had added SSLProtocol all -SSLv2 right at the end of httpd.conf which was overriding the setting in ssl.conf. I wonder who did that? [FACEPALM]. Problem solved.
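The resolution above (a forgotten "SSLProtocol all -SSLv2" at the end of httpd.conf, processed after the Include of conf.d/ssl.conf and therefore winning) is exactly the kind of thing a static audit catches before you reach for an external scanner. The script below is an added example written for this page; it is not code from the thread, from Atomicorp/ASL or from Plesk. It walks httpd.conf in Apache's own processing order (following Include/IncludeOptional), prints every main-server SSLProtocol directive, evaluates the last one the way mod_ssl evaluates its arguments (bare token replaces the set, "+" adds, "-" removes, "all" is every version), and reports whether SSLv3 survives. The config tree it audits is constructed in a temp directory to mirror the thread's case; on a real box set SERVER_ROOT to your Apache root (e.g. /etc/httpd) and call the functions directly. The probe_sslv3 helper is only useful with a client OpenSSL that still has SSLv3 compiled in, and is not run by the demo.

```shell
#!/bin/sh
# Added example (not from the thread): which SSLProtocol does Apache really use?
# Mirrors the situation in the last post with a constructed config tree.
set -e

# Walk a config file in Apache's processing order, following Include and
# IncludeOptional (relative globs resolve against $SERVER_ROOT). Prints every
# main-server-scope SSLProtocol as "file:line:value"; the LAST line wins.
walk_apache() {
    file=$1 n=0 depth=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        trimmed=${line#"${line%%[![:space:]]*}"}          # strip leading whitespace
        case "$trimmed" in
            ''|'#'*) ;;                                    # blank line or comment
            '<VirtualHost'*)  depth=$((depth + 1)) ;;
            '</VirtualHost'*) depth=$((depth - 1)) ;;
            [Ii]nclude*)
                pat=${trimmed#[Ii]nclude}; pat=${pat#[Oo]ptional}
                pat=${pat#"${pat%%[![:space:]]*}"}; pat=${pat#\"}; pat=${pat%\"}
                case "$pat" in /*) ;; *) pat="$SERVER_ROOT/$pat" ;; esac
                for inc in $pat; do                        # unquoted: glob expands
                    if [ -f "$inc" ]; then ( walk_apache "$inc" ); fi   # subshell keeps our counters
                done ;;
            [Ss][Ss][Ll][Pp]rotocol[[:space:]]*)
                [ "$depth" -eq 0 ] || continue             # vhost-level: not the main server
                value=${trimmed#*[[:space:]]}; value=${value#"${value%%[![:space:]]*}"}
                printf '%s:%s:%s\n' "$file" "$n" "$value" ;;
        esac
    done < "$file"
}

# Evaluate SSLProtocol arguments like mod_ssl: bare token replaces the set,
# "+tok" adds, "-tok" removes, "all" = every version (SSLv3 included on the
# builds of that era). Prints the enabled set, lowercase, space-separated.
sslprotocol_enabled() {
    all='sslv2 sslv3 tlsv1 tlsv1.1 tlsv1.2 tlsv1.3'
    enabled=''
    for tok in "$@"; do
        tok=$(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]')
        case "$tok" in
            +*) op=add; tok=${tok#+} ;;
            -*) op=del; tok=${tok#-} ;;
            *)  op=set ;;
        esac
        if [ "$tok" = all ]; then members=$all; else members=$tok; fi
        case "$op" in
            set) enabled=$members ;;
            add) for m in $members; do
                     case " $enabled " in *" $m "*) ;; *) enabled="$enabled $m" ;; esac
                 done ;;
            del) new=''
                 for e in $enabled; do
                     case " $members " in *" $e "*) ;; *) new="$new $e" ;; esac
                 done
                 enabled=$new ;;
        esac
    done
    printf '%s\n' "$enabled" | sed 's/^ *//; s/ *$//; s/  */ /g'
}

allows_sslv3() {                     # true when the directive still enables SSLv3
    case " $(sslprotocol_enabled "$@") " in *' sslv3 '*) return 0 ;; esac
    return 1
}

# The main-server SSLProtocol Apache will apply: last directive in order,
# or "default" when none is set (mod_ssl's default then still had SSLv3 on).
effective_apache_sslprotocol() {
    last=$(walk_apache "$SERVER_ROOT/conf/httpd.conf" | tail -n 1)
    if [ -n "$last" ]; then printf '%s\n' "$last"; else printf 'default\n'; fi
}

# Live check (not run here). Needs a client OpenSSL with SSLv3 support;
# true only if an SSLv3 session was actually negotiated. Usage: probe_sslv3 host 443
probe_sslv3() {
    printf '' | openssl s_client -connect "$1:$2" -ssl3 2>/dev/null | grep -q 'Protocol *: SSLv3'
}

# --- constructed demo tree (assumption: CentOS-style layout under SERVER_ROOT) ---
SERVER_ROOT=$(mktemp -d)
trap 'rm -rf "$SERVER_ROOT"' EXIT
mkdir -p "$SERVER_ROOT/conf" "$SERVER_ROOT/conf.d"
cat > "$SERVER_ROOT/conf/httpd.conf" <<'EOF'
ServerRoot "/etc/httpd"
Include conf.d/*.conf
# appended long ago and forgotten: processed AFTER ssl.conf, so it wins
SSLProtocol all -SSLv2
EOF
cat > "$SERVER_ROOT/conf.d/ssl.conf" <<'EOF'
#SSLProtocol all -SSLv2
SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
EOF

echo 'SSLProtocol directives in processing order:'
walk_apache "$SERVER_ROOT/conf/httpd.conf"
eff=$(effective_apache_sslprotocol)
if [ "$eff" != default ] && allows_sslv3 ${eff#*:*:}; then
    echo "EFFECTIVE: $eff -> SSLv3 STILL ENABLED"
else
    echo "EFFECTIVE: $eff -> SSLv3 disabled (or mod_ssl default: check it)"
fi
```

Running it prints ssl.conf's "-ALL +TLSv1" first and httpd.conf's "all -SSLv2" last, flagged as still enabling SSLv3; removing the trailing line from httpd.conf (or adding -SSLv3 to it) flips the verdict. Directives inside a VirtualHost are deliberately skipped here because they override the main-server value only for that vhost; on a Plesk box also grep the generated per-domain includes.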