Atomic Secure Linux
Post new topic Reply to topic  [ 26 posts ]  Go to page 1, 2  Next
 Post subject: Disable SSLv3 with Plesk?
Posted: Tue Oct 14, 2014 5:44 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
I'm having problems disabling SSLv3 in the apache configuration on a Plesk box. I'm wondering if I'm looking in the wrong place for the config file?

I'm editing /etc/httpd/conf.d/ssl.conf
and I'm adding SSLProtocol all -SSLv2 -SSLv3 at the bottom of the file (commenting out the default settings) and restarting apache.

But when I use one of the better SSL test websites, it tells me "Server has SSL v3 enabled"

I've checked httpd.conf and there's nothing protocol-related in there.
There is no httpsd.conf.

Other changes I made in ssl.conf do have an effect. It only seems to be SSLv3 that I can't disable.

And if the currently circulating news is accurate then I really need to get this disabled both for the webserver apache and the Plesk nginx ASAP :-(

 Post subject: Re: Disable SSLv3 with Plesk?
Posted: Tue Oct 14, 2014 6:21 am
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 573
Location: Netherlands
This is a very secure mod_ssl configuration that we use on most non-ASL machines (which does not allow SSLv3):
Code:
SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4


If you are using ASL, then this configuration will be overwritten by 'asl -s -f' to the following (which does allow SSLv3):
Code:
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: Disable SSLv3 with Plesk?
Posted: Tue Oct 14, 2014 11:31 am
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 318
On a related note, on a quick test, it appears that if we leave the ASL lines in the ssl conf but comment them out:

#SSLProtocol all -SSLv2
#SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

allows:

SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4

to not be overwritten when asl -s -f is run.


 Post subject: Re: Disable SSLv3 with Plesk?
Posted: Tue Oct 14, 2014 5:33 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
Cheers for that. Very useful. Thanks.

I've not had my ssl.conf overwritten by ASL ever - maybe it is a config option that's causing it for you?

On the positive side, I think I see what my problem is.

I was assuming that SSLProtocol was where I was supposed to switch SSLv3 off. But I note that the default SSLCipherSuite also has !SSLv2 and I'm guessing adding a !SSLv3 is what I need to do on that line as well.

I'm experimenting now! Thanks again.

 Post subject: Re: Disable SSLv3 with Plesk?
Posted: Tue Oct 14, 2014 5:57 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
Actually, your config may be too secure. I can't view pages in IE11.

Anyway, I do seem to have found a way to disable SSLv3 though, just by using your Protocols with my SSLCipherSuite
Code:
SSLCipherSuite !aNULL:!ADH:!eNULL:!LOW:!EXP:!MD5:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4+RSA:+HIGH:+MEDIUM


The above is from Parallels' KB about passing PCI tests.

 Post subject: Re: Disable SSLv3 with Plesk?
Posted: Wed Oct 15, 2014 4:31 am
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 879
Location: Germany
Hm. Are there any recommendations from Atomicorp regarding poodle?
What is the best and secure but most compatible setting...
...for apache with Plesk
...tortix
...psaproftpd

Thanks


 Post subject: Re: Disable SSLv3 with Plesk?
Posted: Wed Oct 15, 2014 9:00 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
>...for apache with Plesk

Available in the -testing channel right now, will be released in ASL 4.0.7. Potential client breakage with older microsoft browsers

> ...tortix

On by default, nothing to do here. Good place to test aforementioned client browsers for compatibility

> ...psaproftpd

Blocking issue, many clients do not support enforced TLS only transfers. Likelihood of a major disruption with this. Otherwise TLS as an option is available in ASL 4.0.6 now

Courier IMAP

Available in the -testing channel now, will be released in ASL 4.0.7. Some potential for client breakage


 Post subject: Re: Disable SSLv3 with Plesk?
Posted: Wed Oct 15, 2014 10:54 am
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 879
Location: Germany
thank you very much


 Post subject: Re: Disable SSLv3 with Plesk?
Posted: Wed Oct 15, 2014 5:33 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4081
Location: Chantilly, VA
Just set APACHE_SSLPROTOCOL in ASL to "TLS only".

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: Disable SSLv3 with Plesk?
Posted: Wed Oct 15, 2014 6:25 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
I assume it doesn't alter the Plesk panel's webserver config?

Can that be added to the wishlist please?

Are the changes it makes documented? e.g. what cipher suites and so on?

(edit: It doesn't seem to work for me - no changes to ssl.conf after setting it to TLS in ASL)

Heads-up though: new openssl packages with TLS_FALLBACK_SCSV and DoS bugfixes should be hitting the centos mirrors any moment now.

 Post subject: Re: Disable SSLv3 with Plesk?
Posted: Wed Oct 15, 2014 6:58 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
Not yet, since they moved to nginx it messed up all the paths.


 Post subject: Re: Disable SSLv3 with Plesk?
Posted: Thu Oct 16, 2014 6:55 am
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 573
Location: Netherlands
From what I gather, the SSL configuration for the following services is not yet hardened by ASL:
- Plesk admin interface
- SMTPS via Qmail or Postfix
- Nginx

Tip: remember to restart your services after having applied the ASL update to activate the more secure SSL configuration.

 Post subject: Re: Disable SSLv3 with Plesk?
Posted: Thu Oct 16, 2014 8:43 am
Forum Regular

Joined: Wed Jan 02, 2008 3:21 pm
Posts: 524
Location: United Kingdom
Upgraded to ASL 4.0.7-18.
APACHE_SSLPROTOCOL set to "TLS only".
APACHE_SSLCIPHERSUITE set to "strong".
Restarted Apache.
http://www.ssllabs.com/ssltest, curl & openssl tests still report SSL3 as ENABLED & INSECURE

/etc/httpd/conf.d/ssl.conf appears to have the correct settings:

SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4

Have tried adding !SSLv2:!SSLv3 to SSLCipherSuite and -SSLv2 -SSLv3 to SSLProtocol, no difference.

Any ideas what else to check? Are others managing to disable SSLv3 via ASL?

Thanks!


 Post subject: Re: Disable SSLv3 with Plesk?
Posted: Thu Oct 16, 2014 10:45 am
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 573
Location: Netherlands
Are you using Nginx on Plesk? ASL is not (yet?) hardening the SSL configuration for Nginx.

Edit the following files. Note that file paths may differ depending on Plesk version.
Code:
grep -rin ssl_protocols /usr/local/psa/admin/conf/templates/


Read http://kb.sp.parallels.com/en/123160 and do not forget to run "/usr/local/psa/admin/bin/httpdmng --reconfigure-all" after having modified the template files.

 Post subject: Re: Disable SSLv3 with Plesk?
Posted: Thu Oct 16, 2014 2:46 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
This is getting seriously kooky.

On the system I was having problems disabling SSLv3 originally, everything is now fine and changes to ssl.conf have an immediate effect (after restarting apache).

But on another system I'm back to square one. Using exactly the same ssl.conf SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder as the one that passes the main tests and doesn't have SSLv3 enabled, nothing I do seems to disable SSLv3.

Other changes I make do seem to be noticed (e.g. I can go down to a grade B using the Qualys-suggested cipher suite line, while I get an A- when using the Plesk PCI one).

No nginx involved for me.

There must surely be some other file adding to or subtracting from the configuration in some way I'm not aware of. I'm guessing it is changing the SSLProtocol but not the SSLCipherSuite.

EDIT!!! D'oh! Some moron had added SSLProtocol all -SSLv2 right at the end of httpd.conf which was overriding the setting in ssl.conf. I wonder who did that? [FACEPALM]. Problem solved.

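The root cause in the post above was a second SSLProtocol directive at the end of httpd.conf overriding the one in conf.d/ssl.conf. The following script is an added example, not code from the thread or from Atomicorp: it lists every active (uncommented) SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder line under an Apache config root, counts competing SSLProtocol directives, and flags any that still permits SSLv3. The sample config tree it builds is constructed to mirror the thread's situation; the directory layout and file names are assumptions.

```shell
#!/bin/sh
# Added example: audit an Apache config tree for competing SSL directives.

# Print every active SSL directive as file:line:content. Anchoring at the
# start of the line (after optional whitespace) skips commented-out copies
# such as "#SSLProtocol all -SSLv2"; -i because Apache directives are
# case-insensitive.
find_ssl_directives() {
    grep -rniE '^[[:space:]]*SSL(Protocol|CipherSuite|HonorCipherOrder)[[:space:]]' "$1" 2>/dev/null
}

# More than one active SSLProtocol line in the server context means the
# later one silently wins, which is exactly what hid the fix in the thread.
count_sslprotocol() {
    find_ssl_directives "$1" | grep -ciE ':[[:space:]]*SSLProtocol[[:space:]]' || true
}

# Returns 0 (true) if some active SSLProtocol line still permits SSLv3:
# a bare "all" without "-SSLv3", or an explicit "+SSLv3".
sslv3_still_allowed() {
    find_ssl_directives "$1" \
      | grep -iE ':[[:space:]]*SSLProtocol[[:space:]]' \
      | grep -viE -- '-SSLv3' \
      | grep -qiE '[[:space:]]all([[:space:]]|$)|[+]SSLv3'
}

# Constructed sample tree (not a real server's files): ssl.conf disables
# SSLv3, but a leftover "SSLProtocol all -SSLv2" at the end of httpd.conf
# re-enables it. A commented copy is included to show it is ignored.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d"
    printf '%s\n' 'Listen 80' '# SSLProtocol all' 'SSLProtocol all -SSLv2' > "$d/httpd.conf"
    printf '%s\n' 'SSLProtocol -ALL +TLSv1' 'SSLHonorCipherOrder On' \
        'SSLCipherSuite EECDH+AES:EDH+AES:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4' > "$d/conf.d/ssl.conf"
    echo "$d"
}

root=$(make_sample_tree)
echo "Active SSL directives under $root:"
find_ssl_directives "$root"
echo "Competing SSLProtocol directives: $(count_sslprotocol "$root")"
if sslv3_still_allowed "$root"; then
    echo "WARNING: at least one active SSLProtocol line still permits SSLv3"
fi
rm -rf "$root"
```

Point the functions at /etc/httpd (or wherever the distribution keeps its Apache config) to audit a real host; the grep is purely read-only.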