Atomic Secure Linux
It is currently Fri Dec 06, 2019 6:23 am

All times are UTC - 5 hours [ DST ]




Post subject: Re: Disable SSLv3 with Plesk?
Posted: Thu Oct 16, 2014 4:24 pm
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
OK, for completeness, here's what works for me and is what Qualys recommends (in a blog post):

Code:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS


This enables FS on a lot of browsers as an added bonus as well.

However, be aware of the following oddity:

Code:
IE Mobile 11 / Win Phone 8.1  Protocol or cipher suite mismatch  Fail


And also it doesn't work with IE6 under XP.

To make it more secure still, you could add :!RC4 to the end, as per the qualys blog post, but I find this stops most things from working so I'm not sure what that's all about. You could also try adding :+RC4:RC4 to enable it as a last resort thing, which seems like a reasonable compromise.

Anyway, see https://community.qualys.com/blogs/secu ... rd-secrecy to decide for yourself.

Note that the syntax used on that page is slightly different from the one I use, i.e. the cipher suite is in quotes with spaces as delimiters, as opposed to no quotes and : as the delimiter.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Post subject: Re: Disable SSLv3 with Plesk?
Posted: Thu Oct 16, 2014 4:38 pm
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Very slightly OT, but when I configure imap-ssl and pop3d-ssl to Parallels' suggested

Code:
TLS_CIPHER_LIST="ALL:!SSLv2:!SSLv3:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"


my logs filled up with

Code:
couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher


Obviously something is trying to use SSLv3 and this is simply logging the event, but it is making the logs unreadable as there are so many of them.

So I'm leaving it enabled for now.....

Post subject: Re: Disable SSLv3 with Plesk?
Posted: Fri Oct 17, 2014 2:41 pm
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
How would you disable SSL v3 for the plesk control panel itself for us folks who are stuck on the 9.5 linux release?


Post subject: Re: Disable SSLv3 with Plesk?
Posted: Sat Oct 18, 2014 6:05 am
Forum Regular
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands
hostingguy wrote:
How would you disable SSL v3 for the plesk control panel itself for us folks who are stuck on the 9.5 linux release?


That's not nginx, but still Apache right? I believe it is located at /usr/local/psa/admin/conf/httpsd.conf but we run no 9.5 boxes anymore, so I cannot confirm.

For Plesk 11.5 and up:
Code:
echo "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" > /etc/sw-cp-server/conf.d/zz_poodle_mitigation.conf
service sw-cp-server condrestart

_________________
Lemonbit Internet Dedicated Server Management


Post subject: Re: Disable SSLv3 with Plesk?
Posted: Sat Oct 18, 2014 9:03 am
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
I could do with knowing how to disable SSLv3 in Plesk 10.4.4 too.

Right at the bottom of http://kb.sp.parallels.com/en/123160 you'll see how to do it for Plesk 11.

Plesk 10 has a similar ssl-conf.sh file with echo 'ssl.use-sslv2 = "disable"' in it, so following the Plesk 11 instructions seems reasonable:

Basically I added a line that says:

Code:
echo 'ssl.use-sslv3 = "disable"'

under the similar line for sslv2 then restarted sw-cp-server

Unfortunately it has had no effect in my tests using openssl s_client -connect domain.tld:8443 -ssl3 which seems to connect just fine. And yes, I really did restart sw-cp-server before testing.

I also get odd results when using -ssl2: no handshake errors, but I do get a "no peer certificates available" and other odd output.

Post subject: Re: Disable SSLv3 with Plesk?
Posted: Sat Oct 18, 2014 12:38 pm
Forum Regular
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands
faris wrote:
I could do with knowing how to disable SSLv3 in Plesk 10.4.4 too.

Right at the bottom of http://kb.sp.parallels.com/en/123160 you'll see how to do it for Plesk 11.

Plesk 10 has a similar ssl-conf.sh file with echo 'ssl.use-sslv2 = "disable"' in it, so following the Plesk 11 instructions seems reasonable


Sure that doesn't do the trick? Check if /etc/sw-cp-server/applications.d/plesk.socket.sh contains a reference to the ssl-conf.sh file. From older forum posts and documentation it is "implicit" that the way to disable SSLv3 for Plesk 10.4.4 is identical to Plesk 11.0. (Unfortunately I could not verify as we do not run any Plesk 10 servers anymore.)

Output should be like this:
Code:
# openssl s_client -connect localhost:8443 -ssl3
CONNECTED(00000003)
***:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
***:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
[...]

Post subject: Re: Disable SSLv3 with Plesk?
Posted: Sat Oct 18, 2014 12:50 pm
Atomicorp Staff - Site Admin
Location: earth
Another way to test this if you have the atomic build of nmap:

Code:
nmap --script ssl-enum-ciphers <IP>


Post subject: Re: Disable SSLv3 with Plesk?
Posted: Sat Oct 18, 2014 1:02 pm
Forum Regular
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands
This is cool!

Code:
nmap --script ssl-enum-ciphers localhost -p 8443


While you're at it, also remove the following ciphers from /usr/local/psa/admin/conf/cipher.lst on Plesk 10.4/11.0 servers: ADH-AES256-SHA and ADH-DES-CBC3-SHA. It appears you don't have to do this on Plesk 11.5 or higher.

Post subject: Re: Disable SSLv3 with Plesk?
Posted: Mon Oct 20, 2014 4:57 am
Forum Regular
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands
If you want to use the strong recommended SSLCipherSuite but still want to allow IE on WinXP (yeah, I know...) you can use:
Code:
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:RC4+RSA


I recommend that you use it in combination with SSLHonorCipherOrder to ensure that modern browsers don't use RC4.
Code:
SSLHonorCipherOrder On



Related to that, I have a couple of requests for ASL:

1. Set SSLHonorCipherOrder On by default.
2. Create documentation for the option for the APACHE_SSLCIPHERSUITE setting.
3. Add an option for APACHE_SSLCIPHERSUITE for the above mentioned SSLCipherSuite that enabled compatibility with older clients, but maintains strong ciphers for modern browsers.

Post subject: Re: Disable SSLv3 with Plesk?
Posted: Mon Oct 20, 2014 9:47 pm
Forum Regular
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands
In the new CentOS 6.6 httpd the protocol "TLSv1" no longer means "TLSv1 and 1.1 and 1.2". You have to explicitly set them. You should change the ASL-setting for CentOS 6.6 servers to "TLSv1 TLSv1.1 TLSv1.2", otherwise your server will ONLY accept the older TLSv1.0 protocol.

Tip: now that CentOS 6.6 is out (in the CR repositories, since a couple of hours) you can restrict the protocols to TLSv1.2 only in mod_ssl. (This breaks compatibility with a lot of older browsers, only use it when that's ok.)

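To make the CentOS 6.6 change in the post above concrete, here is a small model of how an Apache mod_ssl SSLProtocol line is evaluated. It is an added example written for this page, not httpd code and not from the thread. Keyword handling follows the documented directive syntax (`all`, `+`/`-` prefixes, version names); the `tlsv1_is_family` switch is an assumption that models the pre-6.6 behaviour described in the post, where `TLSv1` stood for TLS 1.0/1.1/1.2 together and the `TLSv1.1`/`TLSv1.2` keywords did not exist. The directives checked at the bottom are the ones quoted in this thread.

```python
"""Model of Apache mod_ssl 'SSLProtocol' evaluation (added example, not httpd code)."""

ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}


def enabled_protocols(directive, tlsv1_is_family=False):
    """Return the set of protocols an SSLProtocol line enables.

    tlsv1_is_family=True is an assumption modelling the older CentOS 6 httpd
    described in the thread: 'TLSv1' covered 1.0/1.1/1.2 and the TLSv1.1 /
    TLSv1.2 keywords were not accepted. With the default (False) each keyword
    names exactly one version, which is the CentOS 6.6 behaviour.
    """
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]
    if not tokens:
        raise ValueError("SSLProtocol needs at least one keyword")
    enabled = set()
    for tok in tokens:
        remove = tok.startswith("-")
        name = tok.lstrip("+-").lower()
        if name == "all":
            names = set(ALL_PROTOCOLS)
        elif name == "tlsv1" and tlsv1_is_family:
            names = {"TLSv1", "TLSv1.1", "TLSv1.2"}
        elif name in CANONICAL and not (tlsv1_is_family and name in ("tlsv1.1", "tlsv1.2")):
            names = {CANONICAL[name]}
        else:
            raise ValueError("unknown protocol keyword: %s" % tok)
        if remove:
            enabled -= names      # '-X' removes X from whatever was enabled so far
        else:
            enabled |= names      # bare or '+X' adds X
    return enabled


def weakest(protocols):
    """Oldest protocol in the set, or None when the set is empty."""
    for p in ALL_PROTOCOLS:
        if p in protocols:
            return p
    return None


def audit(directive, tlsv1_is_family=False):
    """Return (enabled set, findings) so a config line can be checked in one call."""
    enabled = enabled_protocols(directive, tlsv1_is_family)
    findings = []
    if "SSLv2" in enabled:
        findings.append("SSLv2 enabled")
    if "SSLv3" in enabled:
        findings.append("SSLv3 enabled (POODLE)")
    if "TLSv1.2" not in enabled:
        findings.append("TLSv1.2 not offered")
    return enabled, findings


if __name__ == "__main__":
    # The directives quoted in this thread, under both keyword semantics.
    for line in ("SSLProtocol all -SSLv2 -SSLv3", "SSLProtocol TLSv1",
                 "SSLProtocol TLSv1 TLSv1.1 TLSv1.2", "SSLProtocol TLSv1.2"):
        enabled, findings = audit(line)
        print("%-38s -> %-28s %s" % (line, " ".join(sorted(enabled)), "; ".join(findings)))
    print("old semantics, 'TLSv1' ->", sorted(enabled_protocols("TLSv1", tlsv1_is_family=True)))
```

The point the post makes falls out of the second line: under 6.6 semantics `SSLProtocol TLSv1` leaves only TLS 1.0 enabled and the audit flags the missing TLS 1.2, while the same line under the old semantics enables all three TLS versions.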
Post subject: Re: Disable SSLv3 with Plesk?
Posted: Fri Oct 31, 2014 2:51 pm
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
faris wrote:
I could do with knowing how to disable SSLv3 in Plesk 10.4.4 too.

Right at the bottom of http://kb.sp.parallels.com/en/123160 you'll see how to do it for Plesk 11.

Plesk 10 has a similar ssl-conf.sh file with echo 'ssl.use-sslv2 = "disable"' in it, so following the Plesk 11 instructions seems reasonable:

Basically I added a line that says:

Code:
echo 'ssl.use-sslv3 = "disable"'

under the similar line for sslv2 then restarted sw-cp-server

Unfortunately it has had no effect in my tests using openssl s_client -connect domain.tld:8443 -ssl3 which seems to connect just fine. And yes, I really did restart sw-cp-server before testing.

I also get odd results when using -ssl2: no handshake errors, but I do get a "no peer certificates available" and other odd output.



I still can't get this to work.

Code:
#!/bin/sh

if [ "`id -u`" -ne 0 ]; then
        exit 0
fi

CERT_FILE="/usr/local/psa/admin/conf/httpsd.pem"
CA_FILE="/usr/local/psa/admin/conf/rootchain.pem"
OPENSSL_CNF="/usr/local/psa/admin/conf/openssl.cnf"
CIPHER_FILE="/usr/local/psa/admin/conf/cipher.lst"

if
        grep -q "CERTIFICATE" "$CERT_FILE" \
        || ( echo "US
Virginia
Herndon
Parallels
Parallels Panel
Parallels Panel
info@parallels.com


" | openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
                        -config "$OPENSSL_CNF" -set_serial `date +%s` -keyout "${CERT_FILE}_" \
                        -out "${CERT_FILE}_" \
                && cat "${CERT_FILE}_" | sed -e 's/^\(-----END.*\)/\1\
/' > "$CERT_FILE" \
                && rm -f "${CERT_FILE}_" ) >&2
then
        echo 'ssl.engine = "enable"'
        echo 'ssl.use-sslv2 = "disable"'
        echo 'ssl.use-sslv3 = "disable"'
        if [ -s "$CIPHER_FILE" ]; then
                echo "ssl.cipher-list = \"`cat $CIPHER_FILE`\""
        fi
        echo "ssl.pemfile = \"$CERT_FILE\""
        if [ -s "$CA_FILE" ]; then
                echo "ssl.ca-file = \"$CA_FILE\""
        fi
fi

case "`uname -s`" in
Linux) hostname=`hostname -f`;;
FreeBSD) hostname=`hostname`;;
*) hostname=;;
esac

if [ -n "$hostname" ]; then
        echo "ssl.plain-redirect = \"https://$hostname:8443/\""
fi   # closes the hostname block; the paste above ended before this line


Code:
# service sw-cp-server restart
Restarting SWsoft control panels server... stale pidfile.  [  OK  ]


Code:
# openssl s_client -connect plesk-10.4.4-hostname.tld:8443 -ssl3 | less
depth=3 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
(snip snip snip)


Can anybody spot any errors I might have made?

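The `openssl s_client -ssl3` checks used throughout this thread (the alert-40 output shown earlier and the Plesk 10.4.4 test just above that still connects) can be reproduced without an OpenSSL build that has SSLv3 compiled in. The script below is an added example, not code from the thread, from Plesk or from Atomicorp: it hand-builds a bare SSLv3 ClientHello, sends it, and classifies the first record the server returns. The host name, the port and the five legacy RSA cipher suites it offers are assumptions chosen for illustration; the two sample records used by the offline self-check are constructed, not captured from a real server.

```python
"""Hand-rolled SSLv3 ClientHello probe (added example, not from the thread or from Plesk).

Does at the wire level what `openssl s_client -connect host:8443 -ssl3` does,
without needing an OpenSSL that still has SSLv3 compiled in.
"""
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"                     # record/handshake version for SSL 3.0
CT_HANDSHAKE, CT_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02
ALERT_NAMES = {0: "close_notify", 40: "handshake_failure",
               70: "protocol_version", 80: "internal_error"}

# Assumption: offer a handful of SSLv3-era RSA suites so a server that still speaks
# SSLv3 has something to pick (RC4-SHA, DES-CBC3-SHA, AES128-SHA, AES256-SHA, RC4-MD5).
LEGACY_SUITES = (0x0005, 0x000A, 0x002F, 0x0035, 0x0004)


def build_sslv3_client_hello(client_random=None):
    """Return one SSLv3 record carrying a ClientHello (no extensions; SSLv3 has none)."""
    client_random = client_random or os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in LEGACY_SUITES)
    body = (SSLV3 + client_random
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                              # one compression method: null
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([CT_HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the first record a server sends back to a verdict string."""
    if not data:
        return "rejected (connection closed without a response)"
    if len(data) < 5:
        return "unrecognised (short record)"
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == CT_ALERT and len(payload) >= 2:
        desc = payload[1]                               # payload[0] is the alert level
        return "rejected (alert %d %s)" % (desc, ALERT_NAMES.get(desc, "unknown"))
    if content_type == CT_HANDSHAKE and len(payload) >= 6 and payload[0] == HS_SERVER_HELLO:
        if payload[4:6] == SSLV3:                       # version follows the 4-byte handshake header
            return "SSLv3 ACCEPTED (server answered with a 3.0 ServerHello)"
        return "unrecognised (ServerHello version %s)" % payload[4:6].hex()
    return "unrecognised (content type 0x%02x)" % content_type


def probe(host, port=8443, timeout=5.0):
    """Connect, send the SSLv3 hello and classify whatever comes back."""
    received = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            # Read until one complete record is in hand, or the peer closes / times out.
            while len(received) < 5 or len(received) < 5 + struct.unpack("!H", received[3:5])[0]:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                received += chunk
        except socket.timeout:
            pass
    return classify_response(received)


# Constructed sample records (not captured from a real server) for the offline self-check.
SAMPLE_ALERT_40 = b"\x15\x03\x00\x00\x02\x02\x28"       # fatal handshake_failure, as seen in the thread
SAMPLE_SERVER_HELLO = (b"\x16\x03\x00\x00\x2a" + b"\x02\x00\x00\x26" + SSLV3
                       + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")  # 3.0 hello choosing AES128-SHA

if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
        print("%s:%d -> %s" % (host, port, probe(host, port)))
    else:
        for name, sample in (("alert 40", SAMPLE_ALERT_40), ("3.0 ServerHello", SAMPLE_SERVER_HELLO)):
            print("%-16s -> %s" % (name, classify_response(sample)))
```

A server with SSLv3 disabled should answer with an alert (40 handshake_failure from the OpenSSL build quoted in the thread, 70 protocol_version from newer ones) or simply close the connection; only a ServerHello whose version field is 0x0300 means SSLv3 is still being negotiated, which is the result the Plesk 10.4.4 test above is getting. Unlike `nmap --script ssl-enum-ciphers` this says nothing about which ciphers are offered, so use it as the quick pass/fail check after `service sw-cp-server restart` and follow up with the nmap script for the cipher list.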