• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Resolved Totally remove SSLv3 from server

Pascal_Netenvie

Pascal_Netenvie

Regular Pleskian
Hi,
Despite i followed different KB that explain how to disable SSLv3 i still have a security breach for Poodle on my server.
According to Qualys SSL test the problem exist for handshake from IE6 / XP.
Apparently in this case Secure authentification fall back to SSLv3 ...
How can i solve that ?

Regards.

This server run on Plesk 12.0.18 and i already fixed these files :

Code: 
/etc/sw-cp-server/conf.d/plesk.conf
/etc/apache2/mods-enabled/ssl.conf
/etc/courier-imap/pop3d-ssl
/etc/courier-imap/imapd-ssl
/etc/postfix/main.cf
/etc/sw-cp-server/config
/usr/local/psa/admin/conf/ssl-conf.sh

And executed this :
Code: 
sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php
sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /opt/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /opt/psa/admin/conf/templates/default/server/nginxVhosts.php
 
If i look into /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php and other nginx config files, i see that :
PHP: 
<?php if (get_param('disablesslv3')): ?>
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
<?php else: ?>
    ssl_protocols               SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
<?php endif ?>

Can it come from that ?
 
Yes it was that.
Replaced
Code: 
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
by
Code: 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

and now it is ok.
 
@Pascal_Netenvie

Your answer solves the issue partially.

In essence, securing against Poodle is a combination of disabling SSLv3 (and preferably all SSL versions) and applying the proper cipher suites.

After all, some clients can still switch to SSL and if a specific application on Plesk (being a Plesk componet/package or even an application installed by a customer) supports SSLv3 (there are a lot of config files to be checked for SSLv3 enablement), you are still vulnerable.

In short, there is no easy solution, but the best approach is to run the command (from SSH): pci_compliance_resolver --enable

Note that this is the "best approach", not the "best solution", even with before mentioned command line tool there are some cipher suite related issues (that are minor, by the way).

Hope the above helps a bit

Regards....
 
You must log in or register to reply here.

Similar threads

B
Resolved How do I enable FTPS?
Replies
10
Views
1K
Kaspar
K
A
Issue FTP - Insecure server, it does not support FTP over TLS.
Replies
3
Views
738
Alban Staehli
A
J
Issue Error: configuration files for the Apache web server were not created
Replies
1
Views
572
Raul A.
R
R
Issue Error: New configuration files for the Apache web server were not created due to the errors in configuration templates:
Replies
0
Views
851
reirod
R
R
Issue Cannot restart NGINX
Replies
1
Views
528
Raul A.
R
Back
Top