• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Resolved Changing Cipher Suite - Sweet32 PCI Compliance

S

sja

New Pleskian
Hi there,

I'm new to this and am trying to ensure our server is PCI compliant.

One element we're not passing is on port 8443 "Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32".

So, I'd like to change the cipher suite we use.

I found this page: Command Line Reference, Plesk 12.5 for Linux

On it is this command:
Code: 
plesk bin server_pref -u -ssl-ciphers 'HIGH:!aNULL:!MD5'

But I'm unclear on what ciphers that actually sets. I'd like to set
Code: 
plesk bin server_pref -u -ssl-ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'

But I'd like to know what the current set is incase I have any issues.

Can anyone help point me to which file these commands are actually editing?

Many thanks
 
sja said:
Can anyone help point me to which file these commands are actually editing?
Click to expand...
/etc/nginx/conf.d/ssl.conf

https://kb.plesk.com/en/128733

  • How can I set up my own TLS ciphers list for NGINX?
Answer: You should use sslmng utility from Plesk to set up available protocols and TLS ciphers list after you enabled HTTP/2. For example if you want to use exactly the same ciphers list as Plesk does, the command will be the following:

#plesk sbin sslmng --services=nginx --custom --ciphers="EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20" --protocols="TLSv1 TLSv1.1 TLSv1.2"

Configuration will be stored in /etc/nginx/conf.d/ssl.conf file. We do not recommend to edit this file manually.
Click to expand...
 
How can we do the same for port 21, 25, 993 and 995 ?

Port
Protocol Service
993
TCP
imap
T itle
SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
Synopsis:
The remote service supports the use of 64-bit block ciphers.
 
I have managed to pass PCI compliance using the below conf for different ports other than port 443

Dovecot

/etc/dovecot/conf.d/11-plesk-security-ssl.conf


ssl_cipher_list = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!3DES
ssl_protocols = TLSv1.1 TLSv1.2
ssl_dh_parameters_length = 2048
Click to expand...


/etc/postfix/main.cf

smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
tls_medium_cipherlist = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!3DES
Click to expand...

FTP service

/etc/proftpd.d/ssl.conf

<IfModule mod_tls.c>
TLSCipherSuite EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!3DES
TLSProtocol TLSv1.1 TLSv1.2
</IfModule>
Click to expand...

IMAPS and POPS

/etc/dovecot/conf.d/11-plesk-security-ssl.conf

ssl_cipher_list = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!3DES
ssl_protocols = TLSv1.1 TLSv1.2
ssl_dh_parameters_length = 2048
Click to expand...
 
You must log in or register to reply here.

Similar threads

A
Issue FTP - Insecure server, it does not support FTP over TLS.
Replies
3
Views
736
Alban Staehli
A
Polli
Issue Getting DANE working
2
Replies
33
Views
4K
Polli
Polli
D
Question Connection error from UnityWebRequest to my plesk server on older devices
Replies
1
Views
1K
Nik G
N
O
Question Nginx compile by Plesk and chipers
Replies
6
Views
2K
IgorG
IgorG
M
Question changed nginx ssl.conf
Replies
2
Views
2K
moswak
M
Back
Top