Disable SSLv3 with Plesk?

Posted: Tue Oct 14, 2014 5:44 am
by faris
I'm having problems disabling SSLv3 in the apache configuration on a Plesk box. I'm wondering if I'm looking in the wrong place for the config file?

I'm editing /etc/httpd/conf.d/ssl.conf
and I'm adding SSLProtocol all -SSLv2 -SSLv3 at the bottom of the file (commenting out the default settings) and restarting apache.

But when I use one of the better SSL test websites, it tells me "Server has SSL v3 enabled"

I've checked httpd.conf and there's nothing protocol-related in there.
There is no httpsd.conf.

Other changes I made in ssl.conf do have an effect. It only seems to be SSLv3 that I can't disable.

And if the currently circulating news is accurate then I really need to get this disabled both for the webserver apache and the Plesk nginx ASAP :-(

Re: Disable SSLv3 with Plesk?

Posted: Tue Oct 14, 2014 6:21 am
by prupert
This is a very secure mod_ssl configuration that we use on most non-ASL machines (which does not allow SSLv3):

SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4

If you are using ASL, then this configuration will be overwritten by 'asl -s -f' to the following (which does allow SSLv3):

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

Re: Disable SSLv3 with Plesk?

Posted: Tue Oct 14, 2014 11:31 am
by Imaging
On a related note, on a quick test, it appears that if we leave the ASL lines in the ssl conf but comment them out:

#SSLProtocol all -SSLv2
#SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

allows:

SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4

to not be overwritten when asl -s -f is run.

Re: Disable SSLv3 with Plesk?

Posted: Tue Oct 14, 2014 5:33 pm
by faris
Cheers for that. Very useful. Thanks.

I've not had my ssl.conf overwritten by ASL ever - maybe it is a config option that's causing it for you?

On the positive side, I think I see what my problem is.

I was assuming that SSLProtocol was where I was supposed to switch SSLv3 off. But I note that the default SSLCipherSuite also has !SSLv2 and I'm guessing adding a !SSLv3 is what I need to do on that line as well.

I'm experimenting now! Thanks again.

Re: Disable SSLv3 with Plesk?

Posted: Tue Oct 14, 2014 5:57 pm
by faris
Actually, your config may be too secure. I can't view pages in IE11.

Anyway, I do seem to have found a way to disable SSLv3 though, just by using your Protocols with my SSLCipherSuite

SSLCipherSuite !aNULL:!ADH:!eNULL:!LOW:!EXP:!MD5:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4+RSA:+HIGH:+MEDIUM

The above is from Parallels' KB about passing PCI tests.

Re: Disable SSLv3 with Plesk?

Posted: Wed Oct 15, 2014 4:31 am
by BruceLee
Hm. Are there any recommendations from Atomicorp regarding POODLE?
What is the best and secure but most compatible setting...
...for apache with Plesk
...tortix
...psaproftpd

Thanks

Re: Disable SSLv3 with Plesk?

Posted: Wed Oct 15, 2014 9:00 am
by scott
>...for apache with Plesk

Available in the -testing channel right now, will be released in ASL 4.0.7. Potential client breakage with older Microsoft browsers.

> ...tortix

On by default, nothing to do here. Good place to test the aforementioned client browsers for compatibility.

> ...psaproftpd

Blocking issue, many clients do not support enforced TLS only transfers. Likelihood of a major disruption with this. Otherwise TLS as an option is available in ASL 4.0.6 now

Courier IMAP

Available in the -testing channel now, will be released in ASL 4.0.7. Some potential for client breakage

Re: Disable SSLv3 with Plesk?

Posted: Wed Oct 15, 2014 10:54 am
by BruceLee
thank you very much

Re: Disable SSLv3 with Plesk?

Posted: Wed Oct 15, 2014 5:33 pm
by mikeshinn
Just set APACHE_SSLPROTOCOL in ASL to "TLS only".

Re: Disable SSLv3 with Plesk?

Posted: Wed Oct 15, 2014 6:25 pm
by faris
I assume it doesn't alter the Plesk panel's webserver config?

Can that be added to the wishlist please?

Are the changes it makes documented? e.g. what cipher suites and so on?

(edit: It doesn't seem to work for me - no changes to ssl.conf after setting it to TLS in ASL)

Heads-up though: new openssl packages with TLS_FALLBACK_SCSV and DoS bugfixes should be hitting the centos mirrors any moment now.

Re: Disable SSLv3 with Plesk?

Posted: Wed Oct 15, 2014 6:58 pm
by scott
Not yet, since they moved to nginx it messed up all the paths.

Re: Disable SSLv3 with Plesk?

Posted: Thu Oct 16, 2014 6:55 am
by prupert
From what I gather, the SSL configuration of the following services is not yet hardened by ASL:
- Plesk admin interface
- SMTPS via Qmail or Postfix
- Nginx

Tip: remember to restart your services after having applied the ASL update to activate the more secure SSL configuration.

Re: Disable SSLv3 with Plesk?

Posted: Thu Oct 16, 2014 8:43 am
by Kalimari
Upgraded to ASL 4.0.7-18.
APACHE_SSLPROTOCOL set to "TLS only".
APACHE_SSLCIPHERSUITE set to "strong".
Restarted Apache.
http://www.ssllabs.com/ssltest, curl & openssl tests still report SSL3 as ENABLED & INSECURE

/etc/httpd/conf.d/ssl.conf appears to have the correct settings:

SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4

Have tried adding !SSLv2:!SSLv3 to SSLCipherSuite and -SSLv2 -SSLv3 to SSLProtocol, no difference.

Any ideas what else to check? Are others managing to disable SSLv3 via ASL?

Thanks!

Re: Disable SSLv3 with Plesk?

Posted: Thu Oct 16, 2014 10:45 am
by prupert
Are you using Nginx on Plesk? ASL is not (yet?) hardening the SSL configuration for Nginx.

Edit the following files. Note that file paths may differ depending on Plesk version.

grep -rin ssl_protocols /usr/local/psa/admin/conf/templates/

Read http://kb.sp.parallels.com/en/123160 and do not forget to run "/usr/local/psa/admin/bin/httpdmng --reconfigure-all" after having modified the template files.

Re: Disable SSLv3 with Plesk?

Posted: Thu Oct 16, 2014 2:46 pm
by faris
This is getting seriously kooky.

On the system I was having problems disabling SSLv3 originally, everything is now fine and changes to ssl.conf have an immediate effect (after restarting apache).

But on another system I'm back to square one. Using exactly the same ssl.conf SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder as the one that passes the main tests and doesn't have SSLv3 enabled, nothing I do seems to disable SSLv3.

Other changes I make do seem to be noticed (e.g. I can go down to a grade B using the Qualys-suggested cipher suite line, while I get an A- when using the Plesk PCI one).

No nginx involved for me.

There must surely be some other file adding to or subtracting from the configuration in some way I'm not aware of. I'm guessing it is changing the SSLProtocol but not the SSLCipherSuite.

EDIT!!! D'oh! Some moron had added SSLProtocol all -SSLv2 right at the end of httpd.conf which was overriding the setting in ssl.conf. I wonder who did that? [FACEPALM]. Problem solved.
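The thread ends on the actual cause: a second SSLProtocol directive later in httpd.conf silently overriding the hardened one in ssl.conf, which is also why prupert's two configurations above behave differently (the "all -SSLv2" form leaves SSLv3 on, the "-ALL +TLSv1" form does not) and why the nginx ssl_protocols lines in the Plesk templates need a separate look. The script below is an added example, not code from the thread, from ASL or from Plesk: it walks a config tree, lists every live SSLProtocol and ssl_protocols directive, and says which ones still permit SSLv3. The config tree it audits in demo() is constructed in a temporary directory to reproduce the situation in the last post; /etc/httpd and the Plesk template directory are assumptions about where you would point it on a real box.

```shell
#!/bin/sh
# Added example, not code from the thread, from ASL or from Plesk. Finds every
# live (uncommented) SSLProtocol (Apache) and ssl_protocols (nginx) directive
# under a config tree and reports whether each still permits SSLv3. The point
# is the failure mode in the last post: a hardened ssl.conf that is silently
# overridden by a second SSLProtocol later in httpd.conf. The tree used by
# demo() is constructed in a temp dir; on a real CentOS/Plesk box you would
# point it at /etc/httpd and at the Plesk template directory (assumed paths).

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sslv3_allowed "VALUE": exit 0 when an Apache SSLProtocol value leaves
# SSLv3 enabled. mod_ssl evaluates tokens left to right: "all"/"+all" turn
# every protocol on, "+name" or a bare name turns one on, "-name" turns one
# off and "-all" turns everything off.
sslv3_allowed() {
    on=0
    for tok in $1; do
        case "$(lc "$tok")" in
            all|+all|sslv3|+sslv3) on=1 ;;
            -all|-sslv3)           on=0 ;;
        esac
    done
    [ "$on" -eq 1 ]
}

# nginx_sslv3_allowed "VALUE": nginx's ssl_protocols is a plain list, so
# SSLv3 is on exactly when it is listed (trailing ';' ignored).
nginx_sslv3_allowed() {
    for tok in $(printf '%s' "$1" | tr -d ';'); do
        [ "$(lc "$tok")" = sslv3 ] && return 0
    done
    return 1
}

# audit_protocols ROOT: prints "ALLOWS|BLOCKS file:line: directive value" for
# each live directive under ROOT. Exit 0 when nothing allows SSLv3, 1 when at
# least one directive does, 2 when no directive was found at all.
# grep -r lists files in filesystem order, not Apache's Include order; the
# goal is to surface every copy so you can see which one wins (within one
# context, the later directive does).
audit_protocols() {
    root=$1 found=0 bad=0
    tmp=$(mktemp)
    grep -rn -i -E '^[[:space:]]*(SSLProtocol|ssl_protocols)[[:space:]]' "$root" > "$tmp" 2>/dev/null || true
    while IFS= read -r hit; do
        file=${hit%%:*}
        rest=${hit#*:}
        line=${rest%%:*}
        content=${rest#*:}
        directive=$(printf '%s\n' "$content" | awk '{ print $1 }')
        value=$(printf '%s\n' "$content" | awk '{ $1 = ""; sub(/^[ \t]+/, ""); print }')
        found=$((found + 1))
        verdict=BLOCKS
        case "$(lc "$directive")" in
            sslprotocol)   sslv3_allowed "$value"       && verdict=ALLOWS ;;
            ssl_protocols) nginx_sslv3_allowed "$value" && verdict=ALLOWS ;;
        esac
        [ "$verdict" = ALLOWS ] && bad=$((bad + 1))
        printf '%s %s:%s: %s %s\n' "$verdict" "$file" "$line" "$directive" "$value"
    done < "$tmp"
    rm -f "$tmp"
    [ "$found" -eq 0 ] && return 2
    printf '%d directive(s) found, %d still allow SSLv3\n' "$found" "$bad"
    [ "$bad" -eq 0 ]
}

# demo: constructed tree reproducing the thread. ssl.conf is hardened, but
# httpd.conf still carries "SSLProtocol all -SSLv2" after the Include, and a
# constructed nginx config (standing in for the Plesk templates) lists SSLv3.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d" "$d/nginx"
    printf '%s\n' 'Include conf.d/*.conf' 'SSLProtocol all -SSLv2' > "$d/httpd.conf"
    printf '%s\n' '#SSLProtocol all -SSLv2' 'SSLProtocol -ALL +TLSv1' \
        'SSLHonorCipherOrder On' > "$d/conf.d/ssl.conf"
    printf '%s\n' '    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;' > "$d/nginx/nginx.conf"
    audit_protocols "$d"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "exit status $?: something still allows SSLv3, fix it and rerun"
```

Run it against /etc/httpd after each change and again after a Plesk reconfigure; the Apache directive that wins in a given context is the last one read, so a BLOCKS line in ssl.conf means nothing while an ALLOWS line sits further down httpd.conf. The audit only reads configuration, so confirm the live daemon separately with an external scanner or, on an OpenSSL build that still ships SSLv3 support, with openssl s_client -ssl3 against the server.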