Re: Disable SSLv3 with Plesk?
Posted: Thu Oct 16, 2014 4:24 pm
by faris
OK, for completeness, here's what works for me and is what Qualys recommends (in a blog post):
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
This enables FS on a lot of browsers as an added bonus as well.
However, be aware of the following oddity:
IE Mobile 11 / Win Phone 8.1 Protocol or cipher suite mismatch Fail
And also it doesn't work with IE6 under XP.
To make it more secure still, you could add :!RC4 to the end, as per the Qualys blog post, but I find this stops most things from working, so I'm not sure what that's all about. You could also try adding :+RC4:RC4 to enable it as a last-resort thing, which seems like a reasonable compromise.
Anyway, see https://community.qualys.com/blogs/secu ... rd-secrecy to decide for yourself.
Note that the syntax being used on that page is slightly different from the one I use, i.e. the cipher suite is in quotes with spaces as delimiters, as opposed to using no quotes and using : as a delimiter.
Re: Disable SSLv3 with Plesk?
Posted: Thu Oct 16, 2014 4:38 pm
by faris
Very slightly OT, but when I configure imap-ssl and pop3d-ssl to Parallels' suggested
TLS_CIPHER_LIST="ALL:!SSLv2:!SSLv3:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
my logs filled up with
couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Obviously something is trying to use SSLv3 and this is simply logging the event, but it is making the logs unreadable as there are so many of them.
So I'm leaving it enabled for now...
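Added illustration (not from any post in this thread, and not OpenSSL's own code): a small Python model of how OpenSSL reads a cipher string, run over a constructed table of a dozen suites, so the strings quoted in faris's two posts above, and prupert's XP-compatible one further down the thread, can be traced by hand. The suite table, the alias definitions and the two client cipher lists are simplified stand-ins and assumptions for this example. Three things it shows: "!" removes matching suites for good while "-" only drops them until a later term adds them back (which is how EDH+AES256 after -SHA1 works); "SSLv3" inside a cipher list is an alias for suites, not a protocol switch, and in this model (as in the ciphers -v output of OpenSSL 1.0.x) every suite older than TLS 1.2 carries that tag, so !SSLv3 in TLS_CIPHER_LIST leaves only TLS 1.2 suites and any client that cannot do TLS 1.2 gets "no shared cipher" whatever protocol version it asked for; and appending !RC4 to the Qualys string leaves a client limited to RC4 and 3DES with nothing to negotiate. Newer OpenSSL releases tag the ECDHE SHA-1 suites TLSv1 instead, so the exact fallout of !SSLv3 depends on the library version.

```python
# Added illustration: a model of OpenSSL cipher-string parsing over a constructed
# suite table. Table, aliases and client lists are simplified assumptions for this
# example, not output from any server or from OpenSSL itself.

# (name, protocol tag, key exchange, authentication, bulk cipher, MAC, strength bits)
# Tags follow the OpenSSL 1.0.x `ciphers -v` convention: pre-TLS 1.2 suites are "SSLv3".
SUITES = [
    ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", "ECDH", "RSA", "AESGCM", "AEAD", 256),
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", "ECDH", "RSA", "AESGCM", "AEAD", 128),
    ("ECDHE-RSA-AES256-SHA384", "TLSv1.2", "ECDH", "RSA", "AES", "SHA384", 256),
    ("ECDHE-RSA-AES128-SHA", "SSLv3", "ECDH", "RSA", "AES", "SHA1", 128),
    ("ECDHE-RSA-RC4-SHA", "SSLv3", "ECDH", "RSA", "RC4", "SHA1", 128),
    ("DHE-RSA-AES256-SHA", "SSLv3", "DH", "RSA", "AES", "SHA1", 256),
    ("AES256-SHA", "SSLv3", "RSA", "RSA", "AES", "SHA1", 256),
    ("DES-CBC3-SHA", "SSLv3", "RSA", "RSA", "3DES", "SHA1", 168),
    ("RC4-SHA", "SSLv3", "RSA", "RSA", "RC4", "SHA1", 128),
    ("RC4-MD5", "SSLv3", "RSA", "RSA", "RC4", "MD5", 128),
    ("ADH-AES256-SHA", "SSLv3", "DH", "NONE", "AES", "SHA1", 256),
    ("NULL-SHA", "SSLv3", "RSA", "RSA", "NULL", "SHA1", 0),
]
TABLE = [dict(zip(("name", "proto", "kx", "auth", "enc", "mac", "bits"), s)) for s in SUITES]

# Alias -> predicate on one suite. Only aliases used in this thread are modelled;
# the update() line covers classes with no member in this small table.
ALIASES = {
    "ALL": lambda s: s["enc"] != "NULL",
    "EECDH": lambda s: s["kx"] == "ECDH", "ECDHE": lambda s: s["kx"] == "ECDH",
    "EDH": lambda s: s["kx"] == "DH" and s["auth"] != "NONE",
    "ADH": lambda s: s["kx"] == "DH" and s["auth"] == "NONE",
    "RSA": lambda s: s["kx"] == "RSA" or s["auth"] == "RSA",
    "aRSA": lambda s: s["auth"] == "RSA", "aNULL": lambda s: s["auth"] == "NONE",
    "eNULL": lambda s: s["enc"] == "NULL", "NULL": lambda s: s["enc"] == "NULL",
    "AES": lambda s: s["enc"] in ("AES", "AESGCM"), "AESGCM": lambda s: s["enc"] == "AESGCM",
    "AES256": lambda s: s["enc"] in ("AES", "AESGCM") and s["bits"] == 256,
    "RC4": lambda s: s["enc"] == "RC4", "3DES": lambda s: s["enc"] == "3DES",
    "MD5": lambda s: s["mac"] == "MD5", "SHA1": lambda s: s["mac"] == "SHA1",
    "SHA256": lambda s: s["mac"] == "SHA256", "SHA384": lambda s: s["mac"] == "SHA384",
    "SSLv3": lambda s: s["proto"] == "SSLv3", "TLSv1.2": lambda s: s["proto"] == "TLSv1.2",
}
ALIASES.update({a: (lambda s: False) for a in
                ("SSLv2", "EXP", "EXPORT", "LOW", "DES", "PSK", "SRP", "DSS", "ECDSA")})


def _match(term):
    """Suites matching a literal name, or every alias of an 'A+B' term (logical AND)."""
    if any(s["name"] == term for s in TABLE):
        return [s for s in TABLE if s["name"] == term]
    try:
        preds = [ALIASES[p] for p in term.split("+")]
    except KeyError as exc:
        raise ValueError("unknown alias %s (OpenSSL says 'Error in cipher list')" % exc)
    return [s for s in TABLE if all(p(s) for p in preds)]


def resolve(cipher_string):
    """Suite names in server preference order. A bare term appends new matches,
    '-' drops them (a later term may re-add), '!' drops them permanently,
    '+' moves existing matches to the end, '@STRENGTH' sorts by key bits."""
    chosen, killed = [], set()
    for item in filter(None, cipher_string.replace(",", ":").split(":")):
        if item == "@STRENGTH":
            chosen.sort(key=lambda s: -s["bits"])  # stable: order within a tier is kept
            continue
        op, term = (item[0], item[1:]) if item[0] in "!-+" else ("", item)
        names = {s["name"] for s in _match(term)}
        if op == "!":
            killed |= names
        if op in ("!", "-"):
            chosen = [s for s in chosen if s["name"] not in names]
        elif op == "+":
            chosen = ([s for s in chosen if s["name"] not in names]
                      + [s for s in chosen if s["name"] in names])
        else:
            have = {s["name"] for s in chosen}
            chosen += [s for s in _match(term) if s["name"] not in have and s["name"] not in killed]
    return [s["name"] for s in chosen]


def negotiated(server_string, client_offers):
    """First suite in server order the client also offers (SSLHonorCipherOrder on).
    None is the case the server logs as 'no shared cipher'."""
    offered = set(client_offers)
    return next((n for n in resolve(server_string) if n in offered), None)


# Cipher strings quoted in the thread.
QUALYS = ("EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
          "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:"
          "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS")
COURIER = "ALL:!SSLv2:!SSLv3:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
XP_COMPAT = ("EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:"
             "!aNULL:!eNULL:!EXP:!LOW:!MD5:RC4+RSA")

# Constructed client offers (assumptions, not captured ClientHellos): an XP-era
# browser limited to RC4 and 3DES, and a mail client without ECDHE or TLS 1.2.
XP_CLIENT = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"]
OLD_MAIL_CLIENT = ["AES256-SHA", "DES-CBC3-SHA", "RC4-SHA"]

if __name__ == "__main__":
    for label, cs in (("qualys", QUALYS), ("qualys+!RC4", QUALYS + ":!RC4"),
                      ("courier", COURIER), ("xp-compat", XP_COMPAT)):
        print(label, "->", resolve(cs))
        print("   XP client:", negotiated(cs, XP_CLIENT),
              "| old mail client:", negotiated(cs, OLD_MAIL_CLIENT))
```

Run it and compare the "courier" line with the others: after !SSLv3 only the three TLS 1.2 suites survive, so both constructed clients get None, which is the "no shared cipher" that filled the Courier logs; with the Qualys string the XP client still lands on RC4-SHA, and with :!RC4 appended it lands on nothing.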
Re: Disable SSLv3 with Plesk?
Posted: Fri Oct 17, 2014 2:41 pm
by hostingguy
How would you disable SSLv3 for the Plesk control panel itself for us folks who are stuck on the 9.5 Linux release?
Re: Disable SSLv3 with Plesk?
Posted: Sat Oct 18, 2014 6:05 am
by prupert
hostingguy wrote: How would you disable SSLv3 for the Plesk control panel itself for us folks who are stuck on the 9.5 Linux release?
That's not nginx but still Apache, right? I believe it is located at /usr/local/psa/admin/conf/httpsd.conf, but we run no 9.5 boxes anymore, so I cannot confirm.
For Plesk 11.5 and up:
echo "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" > /etc/sw-cp-server/conf.d/zz_poodle_mitigation.conf
service sw-cp-server condrestart
Re: Disable SSLv3 with Plesk?
Posted: Sat Oct 18, 2014 9:03 am
by faris
I could do with knowing how to disable SSLv3 in Plesk 10.4.4 too.
Right at the bottom of http://kb.sp.parallels.com/en/123160 you'll see how to do it for Plesk 11.
Plesk 10 has a similar ssl-conf.sh file with echo 'ssl.use-sslv2 = "disable"' in it, so following the Plesk 11 instructions seems reasonable:
Basically I added a line that says:
under the similar line for sslv2 then restarted sw-cp-server
Unfortunately it has had no effect in my tests using openssl s_client -connect domain.tld:8443 -ssl3 which seems to connect just fine. And yes, I really did restart sw-cp-server before testing.
I also get odd results when using -ssl2: no handshake errors, but I do get a "no peer certificates available" and other odd output.
Re: Disable SSLv3 with Plesk?
Posted: Sat Oct 18, 2014 12:38 pm
by prupert
faris wrote: I could do with knowing how to disable SSLv3 in Plesk 10.4.4 too.
Right at the bottom of http://kb.sp.parallels.com/en/123160 you'll see how to do it for Plesk 11.
Plesk 10 has a similar ssl-conf.sh file with echo 'ssl.use-sslv2 = "disable"' in it, so following the Plesk 11 instructions seems reasonable
Sure that doesn't do the trick? Check if /etc/sw-cp-server/applications.d/plesk.socket.sh contains a reference to the ssl-conf.sh file. From older forum posts and documentation it is "implicit" that the way to disable SSLv3 for Plesk 10.4.4 is identical to Plesk 11.0. (Unfortunately I could not verify as we do not run any Plesk 10 servers anymore.)
Output should be like this:
# openssl s_client -connect localhost:8443 -ssl3
CONNECTED(00000003)
***:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
***:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
[...]
Re: Disable SSLv3 with Plesk?
Posted: Sat Oct 18, 2014 12:50 pm
by scott
Another way to test this if you have the atomic build of nmap:
nmap --script ssl-enum-ciphers <IP>
Re: Disable SSLv3 with Plesk?
Posted: Sat Oct 18, 2014 1:02 pm
by prupert
This is cool!
nmap --script ssl-enum-ciphers localhost -p 8443
While you're at it, also remove the following ciphers from /usr/local/psa/admin/conf/cipher.lst on Plesk 10.4/11.0 servers: ADH-AES256-SHA and ADH-DES-CBC3-SHA. It appears you don't have to do this on Plesk 11.5 or higher.
Re: Disable SSLv3 with Plesk?
Posted: Mon Oct 20, 2014 4:57 am
by prupert
If you want to use the strong recommended SSLCipherSuite but still want to allow IE on WinXP (yeah, I know...) you can use:
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:RC4+RSA
I recommend that you use it in combination with SSLHonorCipherOrder to ensure that modern browsers don't use RC4.
Related to that, I have a couple of requests for ASL:
1. Set SSLHonorCipherOrder On by default.
2. Create documentation for the option for the APACHE_SSLCIPHERSUITE setting.
3. Add an option for APACHE_SSLCIPHERSUITE for the above-mentioned SSLCipherSuite that enables compatibility with older clients but maintains strong ciphers for modern browsers.
Re: Disable SSLv3 with Plesk?
Posted: Mon Oct 20, 2014 9:47 pm
by prupert
In the new CentOS 6.6 httpd the protocol "TLSv1" no longer means "TLSv1 and 1.1 and 1.2". You have to set them explicitly. You should change the ASL setting for CentOS 6.6 servers to "TLSv1 TLSv1.1 TLSv1.2", otherwise your server will ONLY accept the older TLSv1.0 protocol.
Tip: now that CentOS 6.6 is out (in the CR repositories, since a couple of hours) you can restrict the protocols to TLSv1.2 only in mod_ssl. (This breaks compatibility with a lot of older browsers, only use it when that's ok.)
Re: Disable SSLv3 with Plesk?
Posted: Fri Oct 31, 2014 2:51 pm
by faris
faris wrote: I could do with knowing how to disable SSLv3 in Plesk 10.4.4 too.
Right at the bottom of http://kb.sp.parallels.com/en/123160 you'll see how to do it for Plesk 11.
Plesk 10 has a similar ssl-conf.sh file with echo 'ssl.use-sslv2 = "disable"' in it, so following the Plesk 11 instructions seems reasonable:
Basically I added a line that says:
under the similar line for sslv2 then restarted sw-cp-server
Unfortunately it has had no effect in my tests using openssl s_client -connect domain.tld:8443 -ssl3 which seems to connect just fine. And yes, I really did restart sw-cp-server before testing.
I also get odd results when using -ssl2: no handshake errors, but I do get a "no peer certificates available" and other odd output.
I still can't get this to work.
#!/bin/sh
# ssl-conf.sh: emits the sw-cp-server ssl.* settings; only meaningful as root.
if [ "`id -u`" -ne 0 ]; then
    exit 0
fi

CERT_FILE="/usr/local/psa/admin/conf/httpsd.pem"
CA_FILE="/usr/local/psa/admin/conf/rootchain.pem"
OPENSSL_CNF="/usr/local/psa/admin/conf/openssl.cnf"
CIPHER_FILE="/usr/local/psa/admin/conf/cipher.lst"

# Use the existing certificate, or generate a self-signed one first.
if
    grep -q "CERTIFICATE" "$CERT_FILE" \
    || ( echo "US
Virginia
Herndon
Parallels
Parallels Panel
Parallels Panel
info@parallels.com
" | openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -config "$OPENSSL_CNF" -set_serial `date +%s` -keyout "${CERT_FILE}_" \
        -out "${CERT_FILE}_" \
    && cat "${CERT_FILE}_" | sed -e 's/^\(-----END.*\)/\1\
/' > "$CERT_FILE" \
    && rm -f "${CERT_FILE}_" ) >&2
then
    echo 'ssl.engine = "enable"'
    echo 'ssl.use-sslv2 = "disable"'
    echo 'ssl.use-sslv3 = "disable"'
    if [ -s "$CIPHER_FILE" ]; then
        echo "ssl.cipher-list = \"`cat $CIPHER_FILE`\""
    fi
    echo "ssl.pemfile = \"$CERT_FILE\""
    if [ -s "$CA_FILE" ]; then
        echo "ssl.ca-file = \"$CA_FILE\""
    fi
fi

# Redirect plain HTTP to the panel's HTTPS port when the host name is known.
case "`uname -s`" in
    Linux) hostname=`hostname -f`;;
    FreeBSD) hostname=`hostname`;;
    *) hostname=;;
esac
if [ -n "$hostname" ]; then
    echo "ssl.plain-redirect = \"https://$hostname:8443/\""
fi
# service sw-cp-server restart
Restarting SWsoft control panels server... stale pidfile. [ OK ]
# openssl s_client -connect plesk-10.4.4-hostname.tld:8443 -ssl3 | less
depth=3 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
(snip snip snip)
Can anybody spot any errors I might have made?
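Added illustration, not code from the thread: a Python helper that reads an "openssl s_client -ssl3" transcript, like the ones prupert and faris pasted above, and says whether an SSLv3 handshake actually completed. The point it encodes is the one those two outputs differ on: CONNECTED(00000003) only means the TCP connection opened; a handshake alert or "no shared cipher" after it means SSLv3 was refused, while a certificate chain (depth=... lines, Server certificate) means the server completed the handshake, as in the Plesk 10.4.4 output. The sample transcripts are constructed from the quoted output, with a placeholder CA name; the probe() wrapper assumes an openssl binary that still accepts -ssl3, which most current builds do not.

```python
# Added illustration, not code from the thread: classify `openssl s_client -ssl3`
# output. Sample transcripts below are constructed from the output quoted in the posts.
import re
import subprocess

# The server refused the handshake (alert 40, no shared cipher) or the protocol.
REFUSED = re.compile(r"alert handshake failure|no shared cipher|alert protocol version"
                     r"|wrong version number|unsupported protocol")
# The handshake completed: the server sent its certificate chain.
ACCEPTED = re.compile(r"^depth=\d+ |^Server certificate|-----BEGIN CERTIFICATE-----", re.M)


def classify(transcript):
    """Return 'refused', 'accepted' or 'unknown' for one s_client transcript.
    'CONNECTED(...)' alone proves only that TCP connected; the verdict comes
    from what followed it."""
    if REFUSED.search(transcript):
        return "refused"
    if "CONNECTED(" in transcript and ACCEPTED.search(transcript):
        return "accepted"
    return "unknown"  # e.g. 'no peer certificates available' with no alert, or a TCP error


def probe(host, port=8443, timeout=10):
    """Run s_client against host:port and classify its output.
    Assumes an openssl that still accepts -ssl3; current builds mostly do not."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port), "-ssl3"]
    try:
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return "unknown", str(exc)
    text = (proc.stdout + proc.stderr).decode("utf-8", "replace")
    if "nknown option" in text or "Option unknown" in text:
        return "unknown", "this openssl was built without SSLv3 support"
    return classify(text), text


# Constructed transcripts, modelled on prupert's expected output and faris's result.
SAMPLE_REFUSED = """CONNECTED(00000003)
140735:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140735:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
"""
SAMPLE_ACCEPTED = """CONNECTED(00000003)
depth=3 C = US, O = "Example Root CA (placeholder)"
verify return:1
depth=0 CN = plesk-10.4.4-hostname.tld
verify return:1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
"""
SAMPLE_UNKNOWN = "CONNECTED(00000003)\nno peer certificates available\n---\n"

if __name__ == "__main__":
    for name, text in (("refused", SAMPLE_REFUSED), ("accepted", SAMPLE_ACCEPTED),
                       ("unknown", SAMPLE_UNKNOWN)):
        print(name, "->", classify(text))
```

By this reading the Plesk 10.4.4 output above is "accepted": the chain came back over an -ssl3 connection, so the restart did not turn SSLv3 off. The -ssl2 output with "no peer certificates available" and no alert stays "unknown", which matches how faris describes it.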