
Disable SSLv2 for admin panel on port 8443

Aaron44126

I've been looking around everywhere and I haven't been able to figure this out.

I am running Plesk 10.4.4 on Ubuntu Server 10.04.4 (64-bit).

I need to disable SSLv2 for the admin panel running on port 8443.

I've looked at the official documentation (page 5) which says to add some stuff to /opt/psa/admin/conf/cipher.lst and then restart sw-cp-server. Didn't work.

I've looked at other solutions that involve maybe adding a line like this:
ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"
to /etc/sw-cp-server/applications.d/plesk.conf, and then restart sw-cp-server. Didn't work.

How do I know it didn't work? On another machine, I run this command:

openssl s_client -connect (SERVERNAME):8443 -ssl2

It returns "CONNECTED" with no error, but it should throw an error like "13752:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:.\ssl\s2_pkt.c:430" if SSLv2 is actually disabled.

Any suggestions appreciated.
 
I've got everything worked out except the control panel itself. I have run the pci_compliance_resolver tool; SSLv2 connections are still accepted on port 8443.

Any other suggestions?
 
Make sure that:
1. The file /usr/local/psa/admin/conf/ssl-conf.sh is included in the SSL section of /etc/sw-cp-server/applications.d/plesk.socket.sh
2. Execute /usr/local/psa/admin/conf/ssl-conf.sh; the output should contain the string ssl.use-sslv2 = "disable"

Actually, SSLv2 is disabled by default; pci_compliance_resolver only provides the cipher list.
 
No Virtuozzo / billing.

I see /opt/psa/admin/conf/ssl-conf.sh being included. It does have the line to disable SSLv2.

I am still able to open an SSLv2 connection using the OpenSSL command-line client.
 
It is too strange. Need additional info:
1. openssl version
2. output of "/usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config -p"
 
On client...

$ openssl version
OpenSSL 1.0.1 14 Mar 2012


On server...

$ /usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config -p
(output attached)


Thanks.
 

In the attached file there is no SSL definition for port 8443, i.e. it processes unsecured connections ...

A correct SSL listener should look like this (at minimum):
$SERVER["socket"] == ":8443" {
...
ssl.engine = "enable"
ssl.pemfile = "/opt/psa/admin/conf/httpsd.pem"
...
}
 
Hmm.

I followed how that output is generated. In /etc/sw-cp-server/applications.d/plesk.socket.sh on line 88, I see:

if [ $SSL = "yes" ] ; then
cat <<EOF
\$HTTP["useragent"] =~ ".*MSIE [456]\..*" {
server.max-keep-alive-requests = 0
}
include_shell "/opt/psa/admin/conf/ssl-conf.sh"
EOF
fi

(The file /opt/psa/admin/conf/ssl-conf.sh writes out the config that you said was missing.)

This does not appear to be happening (the if statement failed) --- the blocks above and below are firing because I see their output in the result. Nonetheless, the server accepts HTTPS connections and not regular HTTP connections when connecting via port 8443, I just double-checked in my browser.

Investigating why the "if" statement fails, I can't figure that out at a glance. I see in /etc/sw-cp-server/applications.d/plesk.conf, the lines:

include_shell "/etc/sw-cp-server/applications.d/plesk.socket.sh 8443 ssl"
include_shell "/etc/sw-cp-server/applications.d/plesk.socket.sh 8880"
include_shell "/etc/sw-cp-server/applications.d/plesk.socket.sh 8443 ipv6 ssl"
include_shell "/etc/sw-cp-server/applications.d/plesk.socket.sh 8880 ipv6"

The "ssl" parameter is supposed to be caught at the top of plesk.socket.sh and set the variable "SSL" to "yes" ... line 22:

if [ "$1" = "ssl" ] ; then
SSL="yes"
shift
fi
 
Your target is /opt/psa/admin/conf/ssl-conf.sh; examine it.
It should generate output like:
----------------------------------------

root@wtf.com:/etc/sw-cp-server/applications.d# sh /opt/psa/admin/conf/ssl-conf.sh
ssl.engine = "enable"
ssl.use-sslv2 = "disable"
ssl.cipher-list = "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5"
ssl.pemfile = "/opt/psa/admin/conf/httpsd.pem"
ssl.plain-redirect = "https://wtf.com:8443/"
root@wtf.com:/etc/sw-cp-server/applications.d#
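
The check discussed in this thread (does each listener block in the dumped configuration actually carry ssl.engine and ssl.use-sslv2?) can be automated. The script below is an added example, not part of the original posts or of Plesk; the function names and the sample dump are constructed, and the dump layout is assumed to follow the listener snippet quoted earlier.

```shell
#!/bin/sh
# Added example (not from the thread). Reads a lighttpd-style config dump on
# stdin and prints, for each $SERVER["socket"] block, the SSL settings found.
# Assumption: blocks open with a line ending in "{" and close with a line
# starting with "}", as in the listener snippet quoted above.
audit_listeners() {
    awk '
    function report(   verdict) {
        verdict = "OK"
        if (engine != "enable")      verdict = "NO-SSL"
        else if (sslv2 != "disable") verdict = "SSLV2-NOT-DISABLED"
        printf "%s ssl.engine=%s ssl.use-sslv2=%s %s\n", sock, engine, sslv2, verdict
    }
    !insock && /\$SERVER\["socket"\]/ {
        split($0, q, "\"")            # q[4] holds the address, e.g. :8443
        sock = q[4]; engine = "unset"; sslv2 = "unset"
        insock = 1; depth = 1
        next
    }
    insock {
        if ($0 ~ /[{][ \t]*$/) depth++    # nested conditional opens
        if ($0 ~ /^[ \t]*[}]/) depth--    # a block closes
        if (depth == 0) { report(); insock = 0; next }
        if ($1 == "ssl.engine")    { gsub(/"/, "", $3); engine = $3 }
        if ($1 == "ssl.use-sslv2") { gsub(/"/, "", $3); sslv2  = $3 }
    }'
}

# Constructed sample dump: the IPv4 8443 listener lacks the SSL include.
sample_dump() {
    cat <<'EOF'
$SERVER["socket"] == ":8443" {
    $HTTP["useragent"] =~ ".*MSIE [456]\..*" {
        server.max-keep-alive-requests = 0
    }
}
$SERVER["socket"] == ":8880" {
    server.document-root = "/constructed/htdocs"
}
$SERVER["socket"] == "[::]:8443" {
    ssl.engine = "enable"
    ssl.use-sslv2 = "disable"
    ssl.pemfile = "/opt/psa/admin/conf/httpsd.pem"
}
EOF
}

sample_dump | audit_listeners
```

On a real server the input would be the output of `/usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config -p` piped into `audit_listeners`. Port 8880 is included without the `ssl` argument in plesk.conf, so NO-SSL is the expected result for that listener only.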
 