Disable SSLv3 with Plesk?

Community support for Plesk, CPanel, WebMin and others with insight from two of the founders of Plesk. Ask for help here! No question is too simple or complicated. :-)
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Disable SSLv3 with Plesk?

Unread post by faris »

OK, for completeness, here's what works for me and is what qualys recommends (in a blog post)

Code: Select all

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
This enables FS on a lot of browsers as an added bonus as well.

However, be aware of the following oddity:

Code: Select all

IE Mobile 11 / Win Phone 8.1  Protocol or cipher suite mismatch  Fail
And also it doesn't work with IE6 under XP.

To make it more secure still, you could add :!RC4 to the end, as per the qualys blog post, but I find this stops most things from working so I'm not sure what that's all about. You could also try adding :+RC4:RC4 to enable it as a last resort thing, which seems like a reasonable compromise.

Anyway, see https://community.qualys.com/blogs/secu ... rd-secrecy to decide for yourself.

Note that the syntax being used on that page is slightly different to the one I use, i.e. the cyphersuite is in quotes with spaces as delimiters, as opposed to using no quotes and using : as a delimiter.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Disable SSLv3 with Plesk?

Unread post by faris »

very slightly OT, but when I configure imap-ssl and pop3d-ssl to Parallel's suggested

Code: Select all

TLS_CIPHER_LIST="ALL:!SSLv2:!SSLv3:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
my logs filled up with

Code: Select all

couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Obviously something is trying to use SSLv3 and this is simply logging the event, but it is making the logs unreadable as there are so many of them.

So I'm leaving it enabled for now.....
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
hostingguy
Forum Regular
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: Disable SSLv3 with Plesk?

Unread post by hostingguy »

How would you disable SSL v3 for the plesk control panel itself for us folks who are stuck on the 9.5 linux release?
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Disable SSLv3 with Plesk?

Unread post by prupert »

hostingguy wrote:How would you disable SSL v3 for the plesk control panel itself for us folks who are stuck on the 9.5 linux release?
That's not nginx, but still Apache right? I believe it is located at /usr/local/psa/admin/conf/httpsd.conf but we run no 9.5 boxes anymore, so I cannot confirm.

For Plesk 11.5 and up:

Code: Select all

echo "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" > /etc/sw-cp-server/conf.d/zz_poodle_mitigation.conf
service sw-cp-server condrestart
Lemonbit Internet Dedicated Server Management
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Disable SSLv3 with Plesk?

Unread post by faris »

I could do with knowing how to disable SSLv3 in Plesk 10.4.4 too.

Right at the bottom of http://kb.sp.parallels.com/en/123160 you'll see how to do it for Plesk 11.

Plesk 10 has a similar ssl-conf.sh file with echo 'ssl.use-sslv2 = "disable"' in it, so following the Plesk 11 instructions seems reasonable:

Basically I added a line that says:

Code: Select all

echo 'ssl.use-sslv3 = "disable"' 
under the similar line for sslv2 then restarted sw-cp-server

Unfortunately it has had no effect in my tests using openssl s_client -connect domain.tld:8443 -ssl3 which seems to connect just fine. And yes, I really did restart sw-cp-server before testing.

I also get odd results when using -ssl2 -no handshake errors, but I do get a "no peer certificates available" and other odd output.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Disable SSLv3 with Plesk?

Unread post by prupert »

faris wrote:I could do with knowing how to disable SSLv3 in Plesk 10.4.4 too.

Right at the bottom of http://kb.sp.parallels.com/en/123160 you'll see how to do it for Plesk 11.

Plesk 10 has a similar ssl-conf.sh file with echo 'ssl.use-sslv2 = "disable"' in it, so following the Plesk 11 instructions seems reasonable
Sure that doesn't do the trick? Check if /etc/sw-cp-server/applications.d/plesk.socket.sh contains a reference to the ssl-conf.sh file. From older forum posts and documentation it is "implicit" that the way to disable SSLv3 for Plesk 10.4.4 is identical to Plesk 11.0. (Unfortunately I could not verify as we do not run any Plesk 10 servers anymore.)

Output should be like this:

Code: Select all

# openssl s_client -connect localhost:8443 -ssl3
CONNECTED(00000003)
***:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
***:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
[...]
Lemonbit Internet Dedicated Server Management
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8330
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: Disable SSLv3 with Plesk?

Unread post by scott »

Another way to test this if you have the atomic build of nmap:

nmap --script ssl-enum-ciphers <IP>
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Disable SSLv3 with Plesk?

Unread post by prupert »

This is cool!

Code: Select all

nmap --script ssl-enum-ciphers localhost -p 8443
While you're at it, also remove the following ciphers from /usr/local/psa/admin/conf/cipher.lst on Plesk 10.4/11.0 servers: ADH-AES256-SHA and ADH-DES-CBC3-SHA. It appears you don't have to do this on Plesk 11.5 or higher.
Lemonbit Internet Dedicated Server Management
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Disable SSLv3 with Plesk?

Unread post by prupert »

If you want to use the strong recommended SSLCipherSuite but still want to allow IE on WinXP (yeah, I know...) you can use:

Code: Select all

SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:RC4+RSA
I recommend that you use it in combination with SSLHonorCipherOrder to ensure that modern browsers don't use RC4.

Code: Select all

SSLHonorCipherOrder On

Related to that, I have a couple of requests for ASL:

1. Set SSLHonorCipherOrder On by default.
2. Create documentation for the option for the APACHE_SSLCIPHERSUITE setting.
3. Add an option for APACHE_SSLCIPHERSUITE for the above mentioned SSLCipherSuite that enabled compatibility with older clients, but maintains strong ciphers for modern browsers.
Lemonbit Internet Dedicated Server Management
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Disable SSLv3 with Plesk?

Unread post by prupert »

In the new CentOS 6.6 httpd the protocol "TLSv1" no longer means "TLSv1 and 1.1 and 1.2". You have to explicitly set them. You should change the ASL-setting for CentOS 6.6 servers to "TLSv1 TLSv1.1 TLSv1.2", otherwise your server will ONLY accept the older TLSv1.0 protocol.

Tip: now that CentOS 6.6 is out (in the CR repositories, since a couple of hours) you can restrict the protocols to TLSv1.2 only in mod_ssl. (This breaks compatibility with a lot of older browsers, only use it when that's ok.)
Lemonbit Internet Dedicated Server Management
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Disable SSLv3 with Plesk?

Unread post by faris »

faris wrote:I could do with knowing how to disable SSLv3 in Plesk 10.4.4 too.

Right at the bottom of http://kb.sp.parallels.com/en/123160 you'll see how to do it for Plesk 11.

Plesk 10 has a similar ssl-conf.sh file with echo 'ssl.use-sslv2 = "disable"' in it, so following the Plesk 11 instructions seems reasonable:

Basically I added a line that says:

Code: Select all

echo 'ssl.use-sslv3 = "disable"' 
under the similar line for sslv2 then restarted sw-cp-server

Unfortunately it has had no effect in my tests using openssl s_client -connect domain.tld:8443 -ssl3 which seems to connect just fine. And yes, I really did restart sw-cp-server before testing.

I also get odd results when using -ssl2 -no handshake errors, but I do get a "no peer certificates available" and other odd output.

I still can't get this to work.

Code: Select all

#!/bin/sh

if [ "`id -u`" -ne 0 ]; then
        exit 0
fi

CERT_FILE="/usr/local/psa/admin/conf/httpsd.pem"
CA_FILE="/usr/local/psa/admin/conf/rootchain.pem"
OPENSSL_CNF="/usr/local/psa/admin/conf/openssl.cnf"
CIPHER_FILE="/usr/local/psa/admin/conf/cipher.lst"

if
        grep -q "CERTIFICATE" "$CERT_FILE" \
        || ( echo "US
Virginia
Herndon
Parallels
Parallels Panel
Parallels Panel
info@parallels.com


" | openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
                        -config "$OPENSSL_CNF" -set_serial `date +%s` -keyout "${CERT_FILE}_" \
                        -out "${CERT_FILE}_" \
                && cat "${CERT_FILE}_" | sed -e 's/^\(-----END.*\)/\1\
/' > "$CERT_FILE" \
                && rm -f "${CERT_FILE}_" ) >&2
then
        echo 'ssl.engine = "enable"'
        echo 'ssl.use-sslv2 = "disable"'
        echo 'ssl.use-sslv3 = "disable"'
        if [ -s "$CIPHER_FILE" ]; then
                echo "ssl.cipher-list = \"`cat $CIPHER_FILE`\""
        fi
        echo "ssl.pemfile = \"$CERT_FILE\""
        if [ -s "$CA_FILE" ]; then
                echo "ssl.ca-file = \"$CA_FILE\""
        fi
fi

case "`uname -s`" in
Linux) hostname=`hostname -f`;;
FreeBSD) hostname=`hostname`;;
*) hostname=;;
esac

if [ -n "$hostname" ]; then
        echo "ssl.plain-redirect = \"https://$hostname:8443/\""

Code: Select all

# service sw-cp-server restart
Restarting SWsoft control panels server... stale pidfile.  [  OK  ]

Code: Select all

]# openssl s_client -connect plesk-10.4.4-hostname.tld:8443 -ssl3 | less
depth=3 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
(snip snip snip)
Can anybody spot any errors I might have made?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Post Reply