
Disabling weak SSL ciphers, sites are down

Status
Not open for further replies.

M.J. Koornstra

New Pleskian
Hi All,

After successfully changing to a freshly created dhparam pem and a reissue of my certificate all was well.
A couple of other things needed to be done so I followed the article: http://kb.odin.com/en/120083.

nginxDomainVirtualHost.php was already present so the only thing I did was adding the ciphers I got from another site (ciphers that also gave me XP and IE8 support etc.)

After executing the httpdmng --reconfigure-all command I instantly got an error message:

Details: (timestamp) ERR [util_exec] proc_close() failed
(timestamp) ERR [panel] Apache config (14364042360.16209100) generation failed:
Template_Exception: nginx: [emerg] unknown directive "HIGH:!aNULL:!MD5"
in /etc/nginx/plesk.conf.d/vhost/DOMAIN.ABC.conf:19
nginx: configuration file /etc/nginx/nginx.conf test failed

File: /usr/local/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0
nginx: [emerg] unknown directive "HIGH:!aNULL:!MD5"
in /etc/nginx/plesk.conf.d/vhost/DOMAIN.ABC.conf:19
nginx: configuration file /etc/nginx/nginx.conf test failed

I'm at a complete loss here. Why are "HIGH:!aNULL:!MD5" unknown directives? How can I merge:

ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;HIGH:!aNULL:!MD5;

into these automatically created @domainname.conf files of all my sites without getting this error.
I'm hosting 5 sites, all 5 sites are down now because of the missing conf files.

I really hope someone can help me out here.

Thanks in advance,

Martijn
 
What exactly is on line 19 in your file /etc/nginx/plesk.conf.d/vhost/DOMAIN.ABC.conf?
 
But where do I need to remove it? This file is being created/generated automatically.

If I know where the source is, I could remove the ".

Removing the " in the ./vhost/domain.abc.conf will not work. The file will be overwritten with --reconfigure-all.
 
On my default test Plesk server I see that there are no " symbols in this file:

# grep ssl_ciphers /etc/nginx/plesk.conf.d/vhosts/ppu12-0.demo.pp.plesk.ru.conf
ssl_ciphers HIGH:!aNULL:!MD5;
 
I did. This location and file were already present. I did an append of all the ciphers.
Apparently nginxDomainVirtualHost.php isn't used to fill the .conf

I reverted back to the original nginxDomainVirtualHost.php, problem remains. There are no " in the ssl_ciphers line.
 
So I took a couple hours of sleep and rechecked the line I wrote. Well, big typo...

:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;HIGH:!aNULL:!MD5;

All's well that ends well, SSLLabs results:

aplus.jpg


Tnx Igor for helping me out this morning, you can close the thread.
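
Added example, not part of the original thread and not Plesk's code: a small lint that splits an nginx config into `;`-terminated statements the way the error above implies, so a stray `;` inside an `ssl_ciphers` value shows up as a bogus "directive" before `httpdmng --reconfigure-all` is run. The sample config is constructed (cipher list shortened), and the lowercase-name rule is a heuristic assumption, not nginx's actual parser.

```python
import re

# Heuristic (assumption): nginx directive names are lowercase identifiers.
# A cipher string such as HIGH:!aNULL:!MD5 contains ':' and '!' and never matches.
DIRECTIVE_NAME = re.compile(r"^[a-z_][a-z0-9_]*$")

def split_statements(conf_text):
    """Yield (line_no, tokens) per statement. Simplified: no quoting support,
    and '{' / '}' are treated as statement boundaries like ';'."""
    tokens, start_line = [], None
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        line = line.split("#", 1)[0]              # drop comments
        for part in re.split(r"([;{}])", line):
            part = part.strip()
            if part in (";", "{", "}"):
                if tokens:
                    yield start_line, tokens
                tokens, start_line = [], None
            elif part:
                if start_line is None:
                    start_line = line_no
                tokens.extend(part.split())

def find_stray_directives(conf_text):
    """Return (line_no, token) for every statement whose first token cannot
    be a directive name, i.e. what nginx reports as 'unknown directive'."""
    return [(n, t[0]) for n, t in split_statements(conf_text)
            if not DIRECTIVE_NAME.match(t[0])]

# Constructed sample: the ';' after !RC4 ends ssl_ciphers early, so the
# trailing HIGH:!aNULL:!MD5; is parsed as a separate statement.
BROKEN = """\
server {
    listen 443 ssl;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:HIGH:!aNULL:!eNULL:!MD5:!PSK:!RC4;HIGH:!aNULL:!MD5;
}
"""
# Corrected form: one cipher list, one terminating ';'.
FIXED = BROKEN.replace(";HIGH:!aNULL:!MD5;", ";")

if __name__ == "__main__":
    for line_no, token in find_stray_directives(BROKEN):
        print(f'line {line_no}: unknown directive "{token}"')
    print("fixed config findings:", find_stray_directives(FIXED))
```

Running `nginx -t` remains the authoritative check; this only illustrates why the trailing fragment is read as a directive name.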
 