
Disabling SSL2.0 for PCI Compliance

GavinDixon (Guest)
Is it possible on a Windows IIS6 Server to disable ssl2.0 and Plesk still function correctly?

We have had a security test run on our website in order to make this PCI compliant, and have had the following vulnerability raised by our security vendor, SecurityMetrics.

Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See also: http://www.schneier.com/paper-ssl.pdf
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache.
Risk Factor: Medium / CVSS Base Score: 2 (AV:R/AC:L/Au:NR/C:p/A:N/I:N/B:N)

Our web hosting company have issued this e-mail to us:

Hello,

Plesk uses SSLv2. We have tested this by disabling SSLv2 in the registry. Plesk uses SSLv2; this has been confirmed. We could not find a way to disable SSLv2 and have SSLv3 be used by Plesk instead. There are ways to make Plesk use SSLv3 when Plesk uses the Apache web server, but we could not find how that can be done on Plesk which uses IIS.

Please do let us know, if you have any further queries.

Thank You
Adam
Technical Support Team
Dataflame

They are saying that because we are on a Windows hosting package and not a Linux package, they cannot disable SSL 2.0, as Plesk requires it to work?

Is this correct?
 
I see it is over a year since this was originally posted. But does anyone have a solution to this?

I am in the same position - for PCI compliance I need to disable SSL 2.0. Can Plesk handle SSL 2.0 being disabled? And can anyone provide some guidance on doing this?
Remember this is related to a WINDOWS server running IIS 6.

Many thanks.
 
Hi,
Many thanks for your reply. I have come across a few articles describing how to disable SSL 2.0, but thanks for your link. That site also has a useful post about disabling weak ciphers, which is also required for PCI compliance, so that's great to have!

The aim of my question though was really to check that Plesk will still work OK after I disable SSL 2.0?

Thanks
 
I suppose that Plesk will work fine. But you can check it and let us know how it goes.
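The registry change the thread points to (Microsoft KB 216482) together with the "check it" step, as an added PowerShell example that is not from any poster here: it disables the server-side SSL 2.0 protocol in SCHANNEL and, after the required reboot, confirms that the Plesk panel and the site still negotiate TLS 1.0 while an SSL 2.0-only handshake is refused. It assumes PowerShell is installed on the Windows Server 2003 / IIS 6 host, an elevated session, and Plesk's default panel port 8443.

```powershell
# Added example, not code from this thread. Disables SSL 2.0 on the server side of SCHANNEL
# (the registry change from Microsoft KB 216482) and then checks the result. Assumptions:
# PowerShell is installed on the host, the session is elevated, Plesk listens on 8443.

$ssl2Server = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'

function Disable-Ssl2Server {
    # The key normally does not exist yet; create it, then set Enabled=0.
    if (-not (Test-Path $ssl2Server)) { New-Item -Path $ssl2Server -Force | Out-Null }
    Set-ItemProperty -Path $ssl2Server -Name 'Enabled' -Value 0 -Type DWord
    # Read back: 0 means SCHANNEL stops offering SSL 2.0 after the next reboot.
    return (Get-ItemProperty -Path $ssl2Server -Name 'Enabled').Enabled -eq 0
}

function Test-Handshake {
    # Returns $true if the service completes a handshake using only the given protocol.
    param([string]$HostName, [int]$Port, [System.Security.Authentication.SslProtocols]$Protocol)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate: this tests protocol support, not certificate trust.
        $cb = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $ssl.Close()
        return $true
    } catch {
        return $false   # refused by the server, or this .NET build cannot speak the protocol at all
    } finally {
        $tcp.Close()
    }
}

if (Disable-Ssl2Server) { Write-Host 'SSL 2.0 server support disabled in registry; reboot to apply.' }

# Run this part after the reboot. Plesk on 8443 and the site on 443 must still answer over
# TLS 1.0 (what Server 2003 supports), while an SSL 2.0-only handshake must now fail.
foreach ($port in 8443, 443) {
    $tls  = Test-Handshake -HostName 'localhost' -Port $port -Protocol Tls
    $ssl2 = Test-Handshake -HostName 'localhost' -Port $port -Protocol Ssl2
    Write-Host ("port {0}: TLS 1.0 ok={1}, SSL 2.0 accepted={2}" -f $port, $tls, $ssl2)
    if ($ssl2) { Write-Warning "port $port still accepts SSL 2.0; check the registry value and reboot" }
}
```

The SSL 2.0 probe is only meaningful on a client whose .NET Framework can still speak SSL 2.0; on a newer client it fails for that reason alone, so confirm with the external scanner as well.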
 