
[HOWTO] Disable weak SSL ciphers for PCI Compliance

APPLIES TO:

Plesk 17.x for Linux (Onyx)
Plesk 12.0 for Linux
Plesk 11.0 for Linux
Plesk 11.5 for Linux

Symptoms

The server should meet the following PCI compliance requirements:

Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
Configure SSL/TLS servers to only support cipher suites that do not use block ciphers.

However, these protocols are not supported by Parallels Plesk by default.

PCI compliance requires the 'TLS v1.1' and 'TLS v1.2' protocols to be enabled, but the 'Apache' web server supports them only starting from version '2.2.23', and that version of Apache is not included in the default base Linux distributions.

Upgrade the 'openssl' package to version 1.0 and higher.

Enable 'nginx' web server support.

/usr/local/psa/admin/bin/nginxmng --enable

Create a custom domain template for 'nginx':

mkdir -p /usr/local/psa/admin/conf/templates/custom/domain/
cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain

Edit the following file:

'/usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php',

locate the lines with 'ssl_protocols' and 'ssl_ciphers' directives and replace these lines with the following:

ssl_protocols    TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

Save the file.

Reconfigure the web service:

/usr/local/psa/admin/bin/httpdmng --reconfigure-all

To disable SSLv3 for other services managed by Plesk, follow the instructions in article #123160 "[Plesk] CVE-2014-3566: POODLE attack exploiting SSL 3.0 fallback".

Plesk 17.0 and 17.5 (Onyx)

There is a new tool included to simplify part of this task. First check enabled protocols:

# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols: TLSv1 TLSv1.1 TLSv1.2

Next, disable all protocols except those required:

# /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.1 TLSv1.2"

Then check to see if the change has taken effect:

# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols: TLSv1.2

Syntax: -ssl-protocols "protocols"
Sets the SSL/TLS protocols for all services.
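An added check, not part of the Plesk article: a POSIX shell audit that reads the ssl_protocols and ssl_ciphers values from an nginx vhost file (the custom template above, or the config Plesk generates from it) and the ssl-protocols line printed by server_pref -s, and fails if anything other than TLSv1.1 and TLSv1.2 is enabled or the cipher string lacks the !aNULL and !MD5 exclusions. The sample config fragments and server_pref output are constructed, and the openssl ciphers syntax check is an assumption added here, not something the article describes.

```shell
#!/bin/sh
# Added example, not from the Plesk article: audit the ssl_protocols/ssl_ciphers
# values of an nginx vhost file and the ssl-protocols line of "server_pref -s"
# against the policy the article applies. Inputs below are constructed.

# Return 0 if "$1" is a non-empty list containing only TLSv1.1 and/or TLSv1.2.
protocols_ok() {
    [ -n "$1" ] || return 1                         # absent value: fail closed
    for p in $1; do
        case "$p" in TLSv1.1|TLSv1.2) ;; *) return 1 ;; esac   # SSLv3, TLSv1, ...
    done
}

# Audit the ssl_protocols directive of the nginx config file named in "$1".
check_protocols() {
    protocols_ok "$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$1")"
}

# Audit the "ssl-protocols: ..." line of server_pref -s output passed in "$1".
check_server_pref() {
    protocols_ok "$(printf '%s\n' "$1" | sed -n 's/^ssl-protocols:[[:space:]]*//p')"
}

# Audit ssl_ciphers: anonymous and MD5 suites must be excluded, and when openssl
# is installed the string must parse (a typo here stops nginx from starting).
check_ciphers() {
    ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\(.*\);.*/\1/p' "$1")
    [ -n "$ciphers" ] || return 1
    for must in '!aNULL' '!MD5'; do case "$ciphers" in *"$must"*) ;; *) return 1 ;; esac; done
    if command -v openssl >/dev/null 2>&1; then openssl ciphers "$ciphers" >/dev/null 2>&1; fi
}

# Constructed inputs: one vhost fragment following the article, one that does not.
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
cat >"$TMPD/good.conf" <<'EOF'
    ssl_protocols    TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
EOF
cat >"$TMPD/bad.conf" <<'EOF'
    ssl_protocols    SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:RC4:!aNULL;
EOF
for f in good bad; do
    check_protocols "$TMPD/$f.conf" && p=ok || p=FAIL
    check_ciphers "$TMPD/$f.conf" && c=ok || c=FAIL
    echo "$f.conf: protocols=$p ciphers=$c"
done
for s in 'ssl-protocols: TLSv1 TLSv1.1 TLSv1.2' 'ssl-protocols: TLSv1.1 TLSv1.2'; do
    check_server_pref "$s" && echo "$s -> ok" || echo "$s -> FAIL"
done
```

Run it against the real template or generated vhost file by calling check_protocols and check_ciphers with that path, and pipe the live server_pref -s output into check_server_pref.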


This article was last modified: Aug. 31, 2017, 9:46 a.m.
