[HOWTO] Disable weak SSL ciphers for PCI Compliance
APPLIES TO:
Plesk 17.x for Linux (Onyx)
Plesk 12.0 for Linux
Plesk 11.0 for Linux
Plesk 11.5 for Linux
Symptoms
The server should meet the following PCI compliance requirements:
Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
Configure SSL/TLS servers to only support cipher suites that do not use block ciphers.
However, these protocols are not supported by Parallels Plesk by default.
PCI compliance requires that the 'TLS v1.1' and 'TLS v1.2' protocols be enabled, but the 'Apache' web server supports them only starting from version '2.2.23', and this version of Apache is not included in the default base Linux distributions. The steps below therefore use the 'nginx' web server instead.
Upgrade the 'openssl' package to version 1.0 or higher.
Enable 'nginx' web server support:
/usr/local/psa/admin/bin/nginxmng --enable
Create a custom domain template for 'nginx':
mkdir -p /usr/local/psa/admin/conf/templates/custom/domain/
cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain
Edit the file '/usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php': locate the lines with the 'ssl_protocols' and 'ssl_ciphers' directives and replace them with the following:
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
Save the file.
Reconfigure the web service:
/usr/local/psa/admin/bin/httpdmng --reconfigure-all
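Before running the reconfigure step, it is worth verifying that the edited template really contains only the intended protocols and cipher tokens. The following shell script is an added example, not part of this article or of Plesk's own tooling: it extracts the 'ssl_protocols' and 'ssl_ciphers' directives from a piece of nginx configuration and reports any protocol or cipher token that the requirements above rule out. The two configuration samples and the deny lists (SSLv2 is included alongside the SSLv3 and TLSv1 named in this article) are constructed for the example.

```shell
#!/bin/sh
# Added example: lint nginx ssl_protocols / ssl_ciphers lines before
# reconfiguring Plesk, so a template edit that still permits SSLv2, SSLv3,
# TLSv1 or a weak cipher token is caught early. Not Plesk's own tooling.

# Constructed sample: a permissive configuration, as a template might
# carry before editing.
WEAK_CONF='ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4-SHA:AES128-SHA:HIGH:!aNULL;
'

# Constructed sample: the hardened lines given in this article.
HARDENED_CONF='ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
'

# Protocols that must not be enabled (assumed deny list for this example).
DISALLOWED_PROTOCOLS="SSLv2 SSLv3 TLSv1"

# Print the value of directive $2 (without the trailing ';') found in
# config text $1; prints nothing when the directive is absent.
extract_directive() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*\$/\1/p" |
        head -n 1
}

# Return 0 when no disallowed protocol is enabled in config text $1.
check_protocols() {
    protocols=$(extract_directive "$1" ssl_protocols)
    if [ -z "$protocols" ]; then
        echo "ssl_protocols directive missing"
        return 1
    fi
    rc=0
    for proto in $protocols; do
        case " $DISALLOWED_PROTOCOLS " in
            *" $proto "*) echo "disallowed protocol enabled: $proto"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 when no enabled cipher token in config text $1 names a weak
# family. Tokens prefixed with '!' or '-' are exclusions and are skipped.
check_ciphers() {
    ciphers=$(extract_directive "$1" ssl_ciphers)
    if [ -z "$ciphers" ]; then
        echo "ssl_ciphers directive missing"
        return 1
    fi
    rc=0
    for token in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case "$token" in
            '!'*|'-'*) continue ;;
            *RC4*|*MD5*|*EXPORT*|*NULL*|*LOW*)
                echo "weak cipher token enabled: $token"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 when both directives pass; run both checks so every finding
# is printed, not just the first.
lint_tls_config() {
    result=0
    check_protocols "$1" || result=1
    check_ciphers "$1" || result=1
    return $result
}

report() {
    if lint_tls_config "$2"; then
        echo "$1: OK"
    else
        echo "$1: NOT COMPLIANT"
    fi
}

report "weak sample" "$WEAK_CONF"
report "hardened sample" "$HARDENED_CONF"
# To lint a real template: lint_tls_config "$(cat /path/to/nginxDomainVirtualHost.php)"
```

The check deliberately matches cipher tokens as substrings (for example 'RC4-SHA' or 'RC4') rather than trying to expand OpenSSL cipher groups, so it catches an explicitly enabled weak suite but not one that is only reachable through a group alias such as 'HIGH'; for the final word on what a server actually offers, test the running service after the reconfigure step.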
To disable SSLv3 for other services managed by Plesk, follow the instructions in article #123160 "[Plesk] CVE-2014-3566: POODLE attack exploiting SSL 3.0 fallback".
Plesk 17.0 and 17.5 (Onyx)
Plesk 17 includes a tool, 'server_pref', that simplifies part of this task. First, check the enabled protocols:
# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
Next, disable all protocols except those required:
# /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.1 TLSv1.2"
Then verify that the change has taken effect:
# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols: TLSv1.2
Syntax: -ssl-protocols "protocols" sets the SSL/TLS protocols for all services.