Disable SSLv3 with Plesk?

Community support for Plesk, CPanel, WebMin and others with insight from two of the founders of Plesk. Ask for help here! No question is too simple or complicated. :-)
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Disable SSLv3 with Plesk?

Unread post by faris »

I'm having problems disabling SSLv3 in the apache configuration on a Plesk box. I'm wondering if I'm looking in the wrong place for the config file?

I'm editing /etc/httpd/conf.d/ssl.conf
and I'm adding SSLProtocol all -SSLv2 -SSLv3 at the bottom of the file (commenting out the default settings) and restarting apache.

But when I use one of the better SSL test websites, it tells me "Server has SSL v3 enabled"

I've checked httpd.conf and there's nothing protocol-related in there.
There is no httpsd.conf.

Other changes I mage in ssl.conf do have an effect. It only seems to be SSLv3 that I can't disable.

And if the currently circulating news is accurate then I really need to get this disabled both for the webserver apache and the Plesk nginx ASAP :-(
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Disable SSLv3 with Plesk?

Unread post by prupert »

This is a very secure mod_ssl configuration that we use on most non-ASL machines (which does not allow SSLv3):

Code: Select all

SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4
If you are using ASL, than this configuration will be overwritten by 'asl -s -f' to the following (which does allow SSLv3):

Code: Select all

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
Lemonbit Internet Dedicated Server Management
Imaging
Forum Regular
Forum Regular
Posts: 333
Joined: Sat Sep 25, 2010 2:46 pm

Re: Disable SSLv3 with Plesk?

Unread post by Imaging »

On a related note, on a quick test, it appears that if we leave the ASL lines in the ssl conf but comment them out:

#SSLProtocol all -SSLv2
#SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

allows:

SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4

to not be overwritten when asl -s -f is run.
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Disable SSLv3 with Plesk?

Unread post by faris »

Cheers for that. Very useful. Thanks.

I've not had my ssl.conf overwritten by ASL ever - maybe it is a config option that's causing it for you?

On the positive side, I think I see what my problem is.

I was assuming that SSLProtocol was where I was supposed to switch SSLv3 off. But I note that the default SSLCipherSuite also has !SSLv2 and I'm guessing adding a !SSLv3 is what I need to do on that line as well.

I'm experimenting now! Thanks again.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Disable SSLv3 with Plesk?

Unread post by faris »

Actually, your config may be too secure. I can't view pages in IE11.

Anyway, I do seem to have found a way to disable SSLv3 though, just by using your Protocols with my SSLCipherSuite

Code: Select all

SSLCipherSuite !aNULL:!ADH:!eNULL:!LOW:!EXP:!MD5:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4+RSA:+HIGH:+MEDIUM
The above is from Parallel's KB about passing PCI tests.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
BruceLee
Forum Regular
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Re: Disable SSLv3 with Plesk?

Unread post by BruceLee »

Hm. Are there any recommendations from Atomicorp regarding poodle?
What is the best and secure but most compatible setting...
...for apache with Plesk
...tortix
...psaproftpd

Thanks
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8330
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: Disable SSLv3 with Plesk?

Unread post by scott »

>...for apache with Plesk

Available in the -testing channel right now, will be released in ASL 4.0.7. Potential client breakage with older microsoft browsers

> ...tortix

On by default, nothing to do here. Good place to test aforementioned client browsers for compatility

> ...psaproftpd

Blocking issue, many clients do not support enforced TLS only transfers. Likelihood of a major disruption with this. Otherwise TLS as an option is available in ASL 4.0.6 now

Courier IMAP

Available in the -testing channel now, will be released in ASL 4.0.7. Some potential for client breakage
BruceLee
Forum Regular
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Re: Disable SSLv3 with Plesk?

Unread post by BruceLee »

thank you very much
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4119
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Disable SSLv3 with Plesk?

Unread post by mikeshinn »

Just set APACHE_SSLPROTOCOL in ASL to "TLS only".
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Disable SSLv3 with Plesk?

Unread post by faris »

I assume it doesn't alter the Plesk panel's webserver config?

Can that be added to the wishlist please?

Are the changes it makes documented? e.g. what cipher suites and so on?

(edit: It doesn't seem to work for me - no changes to ssl.conf after setting it to TLS in ASL)

Heads-up though: new openssl packages with TLS_FALLBACK_SCSV and DoS bugfixes should be hitting the centos mirrors any moment now.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8330
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: Disable SSLv3 with Plesk?

Unread post by scott »

Not yet, since they moved to nginx it messed up all the paths.
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Disable SSLv3 with Plesk?

Unread post by prupert »

From what I gather the SSL configuration for the following services are not yet hardened by ASL:
- Plesk admin interface
- SMTPS via Qmail or Postfix
- Nginx

Tip: remember to restart your services after having applied the ASL update to activate the more secure SSL configuration.
Lemonbit Internet Dedicated Server Management
Kalimari
Forum Regular
Forum Regular
Posts: 526
Joined: Wed Jan 02, 2008 3:21 pm
Location: United Kingdom

Re: Disable SSLv3 with Plesk?

Unread post by Kalimari »

Upgraded to ASL 4.0.7-18.
APACHE_SSLPROTOCOL set to "TLS only".
APACHE_SSLCIPHERSUITE set to "strong".
Restarted Apache.
http://www.ssllabs.com/ssltest, curl & openssl tests still report SSL3 as ENABLED & INSECURE

/etc/httpd/conf.d/ssl.conf appears to have the correct settings:

SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4

Have tried adding !SSLv2:!SSLv3 to SSLCipherSuite and -SSLv2 -SSLv3 to SSLProtocol, no difference.

Any ideas what else to check? Are others managing to disable SSLv3 via ASL?

Thanks!
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Disable SSLv3 with Plesk?

Unread post by prupert »

Are you using Nginx on Plesk? ASL is not (yet?) hardening the SSL configuration for Nginx.

Edit the following files. Note that file paths may differ depending on Plesk version.

Code: Select all

grep -rin ssl_protocols /usr/local/psa/admin/conf/templates/
Read http://kb.sp.parallels.com/en/123160 and do not forget to run "/usr/local/psa/admin/bin/httpdmng --reconfigure-all" after having modified the template files.
Lemonbit Internet Dedicated Server Management
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Disable SSLv3 with Plesk?

Unread post by faris »

This is getting seriously kooky.

On the system I was having problems disabling SSLv3 originally, everything is now fine and changes to ssl.conf have an immediate effect (after restarting apache).

But on another system I'm back to square one. Using exactly the same ssl.conf SSLProtocol, CipherSuite and HonorCiphersuite as the one that passes the main tests and doesn't have SSLv3 enabled, nothing I do seems to disable SSLv3.

Other changes make do seem to be noticed. (e.g. I can go down to a grade B using the qualys-suggested ciphersuite line while I get an A- when using the plesk PCI one).

No nginx involved for me.

There must surely be some other file adding to or subtracting from the configuration in some way I'm not aware of. I'm guessing it is changing the SSLProtocol but not the SSLCiphersSuite

EDIT!!! D'oh! Some moron had added SSLProtocol all -SSLv2 right at the end of httpd.conf which was overriding the setting in ssl.conf. I wonder who did that? [FACEPALM]. Problem solved.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Post Reply