Disable SSLv3 with Plesk?

[faris]

I'm having problems disabling SSLv3 in the apache configuration on a Plesk box. I'm wondering if I'm looking in the wrong place for the config file?

I'm editing /etc/httpd/conf.d/ssl.conf
and I'm adding SSLProtocol all -SSLv2 -SSLv3 at the bottom of the file (commenting out the default settings) and restarting apache.

But when I use one of the better SSL test websites, it tells me "Server has SSL v3 enabled"

I've checked httpd.conf and there's nothing protocol-related in there.
There is no httpsd.conf.

Other changes I mage in ssl.conf do have an effect. It only seems to be SSLv3 that I can't disable.

And if the currently circulating news is accurate then I really need to get this disabled both for the webserver apache and the Plesk nginx ASAP

[prupert]

This is a very secure mod_ssl configuration that we use on most non-ASL machines (which does not allow SSLv3):

Code: Select all

SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4

If you are using ASL, than this configuration will be overwritten by 'asl -s -f' to the following (which does allow SSLv3):

Code: Select all

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

[Imaging]

On a related note, on a quick test, it appears that if we leave the ASL lines in the ssl conf but comment them out:

#SSLProtocol all -SSLv2
#SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

allows:

SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4

to not be overwritten when asl -s -f is run.

[faris]

Cheers for that. Very useful. Thanks.

I've not had my ssl.conf overwritten by ASL ever - maybe it is a config option that's causing it for you?

On the positive side, I think I see what my problem is.

I was assuming that SSLProtocol was where I was supposed to switch SSLv3 off. But I note that the default SSLCipherSuite also has !SSLv2 and I'm guessing adding a !SSLv3 is what I need to do on that line as well.

I'm experimenting now! Thanks again.

[faris]

Actually, your config may be too secure. I can't view pages in IE11.

Anyway, I do seem to have found a way to disable SSLv3 though, just by using your Protocols with my SSLCipherSuite

Code: Select all

SSLCipherSuite !aNULL:!ADH:!eNULL:!LOW:!EXP:!MD5:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4+RSA:+HIGH:+MEDIUM

The above is from Parallel's KB about passing PCI tests.

[BruceLee]

Hm. Are there any recommendations from Atomicorp regarding poodle?
What is the best and secure but most compatible setting...
...for apache with Plesk
...tortix
...psaproftpd

Thanks

[scott]

>...for apache with Plesk

Available in the -testing channel right now, will be released in ASL 4.0.7. Potential client breakage with older microsoft browsers

> ...tortix

On by default, nothing to do here. Good place to test aforementioned client browsers for compatility

> ...psaproftpd

Blocking issue, many clients do not support enforced TLS only transfers. Likelihood of a major disruption with this. Otherwise TLS as an option is available in ASL 4.0.6 now

Courier IMAP

Available in the -testing channel now, will be released in ASL 4.0.7. Some potential for client breakage

[BruceLee]

thank you very much

[mikeshinn]

Just set APACHE_SSLPROTOCOL in ASL to "TLS only".

[faris]

I assume it doesn't alter the Plesk panel's webserver config?

Can that be added to the wishlist please?

Are the changes it makes documented? e.g. what cipher suites and so on?

(edit: It doesn't seem to work for me - no changes to ssl.conf after setting it to TLS in ASL)

Heads-up though: new openssl packages with TLS_FALLBACK_SCSV and DoS bugfixes should be hitting the centos mirrors any moment now.

[scott]

Not yet, since they moved to nginx it messed up all the paths.

[prupert]

From what I gather the SSL configuration for the following services are not yet hardened by ASL:
- Plesk admin interface
- SMTPS via Qmail or Postfix
- Nginx

Tip: remember to restart your services after having applied the ASL update to activate the more secure SSL configuration.

[Kalimari]

Upgraded to ASL 4.0.7-18.
APACHE_SSLPROTOCOL set to "TLS only".
APACHE_SSLCIPHERSUITE set to "strong".
Restarted Apache.
http://www.ssllabs.com/ssltest, curl & openssl tests still report SSL3 as ENABLED & INSECURE

/etc/httpd/conf.d/ssl.conf appears to have the correct settings:

SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4

Have tried adding !SSLv2:!SSLv3 to SSLCipherSuite and -SSLv2 -SSLv3 to SSLProtocol, no difference.

Any ideas what else to check? Are others managing to disable SSLv3 via ASL?

Thanks!

[prupert]

Are you using Nginx on Plesk? ASL is not (yet?) hardening the SSL configuration for Nginx.

Edit the following files. Note that file paths may differ depending on Plesk version.

Code: Select all

grep -rin ssl_protocols /usr/local/psa/admin/conf/templates/

Read http://kb.sp.parallels.com/en/123160 and do not forget to run "/usr/local/psa/admin/bin/httpdmng --reconfigure-all" after having modified the template files.

[faris]

This is getting seriously kooky.

On the system I was having problems disabling SSLv3 originally, everything is now fine and changes to ssl.conf have an immediate effect (after restarting apache).

But on another system I'm back to square one. Using exactly the same ssl.conf SSLProtocol, CipherSuite and HonorCiphersuite as the one that passes the main tests and doesn't have SSLv3 enabled, nothing I do seems to disable SSLv3.

Other changes make do seem to be noticed. (e.g. I can go down to a grade B using the qualys-suggested ciphersuite line while I get an A- when using the plesk PCI one).

No nginx involved for me.

There must surely be some other file adding to or subtracting from the configuration in some way I'm not aware of. I'm guessing it is changing the SSLProtocol but not the SSLCiphersSuite

EDIT!!! D'oh! Some moron had added SSLProtocol all -SSLv2 right at the end of httpd.conf which was overriding the setting in ssl.conf. I wonder who did that? [FACEPALM]. Problem solved.