
Issue A+ SSL/TLS Test - PCI Compliance - Ciphers - Oh My

Mark12345

Basic Pleskian
I have a 1and1 dedicated server that I use to serve my own website. I'm trying to make my site compliant with all the new security rules imposed by PayPal. I'm no expert here, so help is needed. Here are my site test results:
Currently I get an A grade, but I can get an A+ and PCI compliance by removing the TLSv1.1 protocol. But my gut says that would remove a lot of important devices. I once had a problem with iPhones connecting to my site, so I disabled IPv6. I definitely need most devices to connect to my site, so I want to enable TLSv1.1 but eliminate non-compliant ciphers.

1) First off, which files below do I need to modify? I'm currently modifying the nginx and httpd file but I have no clue why.

a) /etc/httpd/conf.d/ssl.conf
b) /etc/nginx/conf.d/ssl.conf
c) /etc/sw-cp-server/conf.d/ssl.conf
d) /etc/proftpd.d/ssl.conf

2) Should these files have the same cipher list? Please explain. Also, in the httpd file there seem to be two locations for "SSLCipherSuite" settings. Should these have the same settings? For example, at the bottom of the file, mine has
Code:
<IfModule mod_ssl.c>
SSLCipherSuite HIGH:!aNULL:!MD5
</IfModule>


3) What is the best way to modify these files? Is there an SSH command that modifies all of these? I've used these commands to modify the protocols and to run a PCI compliance resolver (perhaps a little redundant).
Code:
# plesk bin server_pref -u -ssl-protocols 'TLSv1.1 TLSv1.2'
# plesk sbin sslmng --protocols="TLSv1.1 TLSv1.2"
# plesk sbin pci_compliance_resolver --enable

4) Do I have to add/update the following files with protocols and ciphers? Please explain.
  • /usr/local/psa/admin/conf/templates/custom/nginxWebmailPartial.php
  • /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php
  • /usr/local/psa/admin/conf/templates/custom/server/nginxVhosts.php

5) What is a good cipher list that eliminates non-compliant ciphers? Note, when I use "DEFAULT" for the httpd file the server will not restart. Is this because of the protocols selected?

Anyways, I would really appreciate the help. I feel like an extension should be made that can adjust these settings based on what the user wants. Pretty damn confusing.
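Questions 1), 2) and 5) above all come down to the same check: which protocol and cipher directives each of the four files actually sets, whether the files agree with one another, and whether any of them still lets in a protocol or cipher family that a PCI scan will flag. The script below is an added example, not code from this thread or from Plesk; it audits those four files in one pass. The paths are the ones listed under 1), the directive names are those of Apache mod_ssl, nginx and proftpd mod_tls, and the file contents used here are constructed (deliberately inconsistent) so the checks have something to find; on a real server you would read the files from disk instead.

```python
"""Audit Plesk SSL config files for protocol/cipher settings (added example).

The file paths are the ones listed in the question; the contents used here are
constructed to exercise the checks. On a real server replace SAMPLE_FILES with
{path: open(path).read() for path in PATHS}.
"""

# Paths from the question. nginx and sw-cp-server use nginx directives, the
# httpd file uses Apache mod_ssl, proftpd uses mod_tls.
PATHS = [
    "/etc/httpd/conf.d/ssl.conf",
    "/etc/nginx/conf.d/ssl.conf",
    "/etc/sw-cp-server/conf.d/ssl.conf",
    "/etc/proftpd.d/ssl.conf",
]

# Constructed sample contents, deliberately inconsistent across files.
SAMPLE_FILES = {
    PATHS[0]: "SSLProtocol -all +TLSv1.1 +TLSv1.2\nSSLCipherSuite HIGH:!aNULL:!MD5\n",
    PATHS[1]: "ssl_protocols TLSv1.1 TLSv1.2;\nssl_ciphers HIGH:!aNULL:!MD5;\n",
    PATHS[2]: "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_ciphers HIGH:!aNULL:!MD5:RC4-SHA;\n",
    PATHS[3]: "TLSProtocol TLSv1.1 TLSv1.2\nTLSCipherSuite DES-CBC3-SHA:HIGH:!aNULL\n",
}

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}   # SSL and "early TLS"
LEGACY_PROTOCOLS = {"TLSv1.1"}                  # the protocol the thread is debating
# Substrings marking cipher families generally treated as weak:
# RC4, (3)DES, MD5 MACs, NULL encryption/authentication, export grade, anonymous DH.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")

PROTOCOL_DIRECTIVES = ("SSLProtocol", "ssl_protocols", "TLSProtocol")
CIPHER_DIRECTIVES = ("SSLCipherSuite", "ssl_ciphers", "TLSCipherSuite")


def _directive(text, names):
    """Return the argument string of the first matching, uncommented directive."""
    for line in text.splitlines():
        line = line.strip().rstrip(";")
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] in names and len(parts) == 2:
            return parts[1].strip()
    return None


def parse_protocols(arg):
    """Expand a protocol argument into the set of enabled protocol names.
    Handles Apache's +/- syntax ('-all +TLSv1.2') as well as plain lists."""
    enabled = set()
    for tok in arg.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def weak_cipher_tokens(cipher_string):
    """Tokens of an OpenSSL cipher string that positively include a weak family
    (tokens negated with '!' or '-' are exclusions and are skipped)."""
    flagged = []
    for tok in cipher_string.split(":"):
        if tok.startswith(("!", "-")):
            continue
        if any(marker in tok.upper() for marker in WEAK_CIPHER_MARKERS):
            flagged.append(tok)
    return flagged


def audit_files(files):
    """files: {path: content}. Returns per-file findings plus consistency flags."""
    report = {"files": {}}
    proto_sets, cipher_strings = [], []
    for path, text in files.items():
        proto_arg = _directive(text, PROTOCOL_DIRECTIVES)
        cipher_arg = _directive(text, CIPHER_DIRECTIVES)
        protocols = parse_protocols(proto_arg) if proto_arg else set()
        report["files"][path] = {
            "protocols": sorted(protocols),
            "weak_protocols": sorted(protocols & WEAK_PROTOCOLS),
            "legacy_protocols": sorted(protocols & LEGACY_PROTOCOLS),
            "weak_ciphers": weak_cipher_tokens(cipher_arg) if cipher_arg else [],
        }
        proto_sets.append(frozenset(protocols))
        cipher_strings.append(cipher_arg)
    report["protocols_consistent"] = len(set(proto_sets)) == 1
    report["ciphers_consistent"] = len(set(cipher_strings)) == 1
    return report


if __name__ == "__main__":
    result = audit_files(SAMPLE_FILES)
    for path, finding in result["files"].items():
        print(path, finding)
    print("protocols consistent:", result["protocols_consistent"])
    print("ciphers consistent:", result["ciphers_consistent"])
```

With the constructed contents the report flags TLSv1 in the sw-cp-server file, RC4-SHA there and DES-CBC3-SHA in the proftpd file, and reports that the four files do not agree. The two consistency flags are the practical answer to 2): whatever list you settle on, every listener that terminates TLS for the site should be checked against it, and the nginx file matters most when nginx is the proxy in front of Apache.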

If it's of any help, we run a cloud server with 1and1 and Plesk (as per our signature). We haven't had any big problems achieving what you're looking to do. You have posted some reference docs already and this one may be of some use too.

We changed many things, e.g. we binned TLSv1.1 because it's old now and has already been deprecated by several areas that we connect with / relate to. Currently, we're TLSv1.2 and TLSv1.3 (draft) only. We did modify all the files that you listed under 1) though, and with regard to httpd in 2), our setup uses "SSLCipherSuite" settings within the main .conf data. The associated modules (including the example you've posted) are all # commented out. This may be slightly irrelevant, as the nginx ssl.conf setup is what's referenced (assuming that you've set up Plesk like ours and are using nginx as a proxy etc). In terms of 3), there are a few different options and there are lots of posts on this forum on this subject if you search thoroughly. For 4), we didn't change any of these (and can't see why you would need to). Finally, for 5), you'll find lots of 'lists' both on this forum and externally. Once you've finalized your TLSv?? decision, then go and search from there. You may also think about upgrading CentOS and Apache first, if those in your sig are applicable to the domain you've posted about?

FWIW we cannot ever imagine a Plesk extension being made to do this, as there are too many potential variables and thus lots of collateral damage that may occur as a result, if/when all types of different changes were made at the same time.
 
... we run a cloud server with 1and1 and Plesk ...

Thank you for the link and taking time to respond to my questions. I'm also with 1and1. My site is eCommerce so I don't know if this differs from a user perspective to a cloud server i.e. I don't want to cut a large user base out by eliminating a protocol. Like I mentioned, if I eliminate TLS v1.1, I get an A+. But what happens to accessibility? I understand with my settings currently that people using XP will not be able to access my site (or so I've read). I just don't want to eliminate say Apple tablet users, for example.

... think about upgrading CentOS and Apache first ...

The upgrade from CentOS 6.x to 7.x does not seem simple.
 
... My site is eCommerce so I don't know if this differs from a user perspective to a cloud server i.e. I don't want to cut a large user base out by eliminating a protocol. Like I mentioned, if I eliminate TLS v1.1, I get an A+. But what happens to accessibility? I understand with my settings currently that people using XP will not be able to access my site (or so I've read). I just don't want to eliminate say Apple tablet users, for example ...

Yes, we saw that you mentioned 1and1 in your opening post, which is one of the reasons why we responded (because we do too). We also run several eCommerce setups and some of these have financial connections that have already deprecated TLSv1.1. We have, no doubt, excluded some 'potential' users by removing TLSv1.1, but if they were users that were still on Windows XP for example, then they have bigger issues than being excluded from any of our domains ;) Had we retained it, they could not have paid online anyway by default. We have A+ on Qualys & HT Bridge but FYI the list of exclusions given is:
Code:
Android 2.3.7                  No SNI 2
Android 4.0.4
Android 4.1.1
Android 4.2.2
Android 4.3
Baidu Jan 2015
IE 6 / XP                      No FS 1    No SNI 2
IE 7 / Vista
IE 8 / XP                      No FS 1    No SNI 2
IE 8-10 / Win 7                R
IE 10 / Win Phone 8.0
Java 6u45                      No SNI 2
Java 7u25
OpenSSL 0.9.8y
Safari 5.1.9 / OS X 10.6.8
Safari 6.0.4 / OS X 10.8.4

Quite happy with these being excluded for our setup / type of customers.

... The upgrade from CentOS 6.x to 7.x does not seem simple. ...

That's another thread really but again, there's lots of data / information out there on how to do this properly.
 
..... Quite happy with these being excluded for our setup / type of customers

Thank you for your thoughtful reply. This certainly helps. How did you determine your exclusion list? Did you use a paid service like Selenium and JavaScript testing on 1100+ desktop and mobile browsers?

Does the server log attempts by unsupported protocols? Just curious if a % could be added to this discussion, for example: 1% of users make up your exclusion list. Certainly 1% is probably not a big deal. But if the number was 10%, then that would be.
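On the question of whether the server can show what share of visitors an excluded protocol represents: nginx, which fronts Apache in a default Plesk setup, exposes the negotiated protocol and cipher of each request as the $ssl_protocol and $ssl_cipher variables, so a custom access log format can record them. The script below is an added example, not code from this thread or from Plesk. It assumes a log_format along the lines shown in its docstring (the format name "tls" and the field order are this example's choice), parses a handful of constructed log lines, and reports each protocol's share of HTTPS requests together with the share, and number of distinct client addresses, that disabling TLSv1.0 and TLSv1.1 would have cut off.

```python
"""Measure negotiated TLS protocol share from an nginx access log (added example).

Assumes nginx was configured with a custom log format such as
    log_format tls '$remote_addr [$time_local] $ssl_protocol $ssl_cipher "$request" $status';
$ssl_protocol and $ssl_cipher are standard ngx_http_ssl_module variables; the
format name and field order are this example's choice. The log lines below are
constructed. nginx writes '-' for both fields on a plain-HTTP request.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})$'
)

# Constructed sample log: four TLSv1.2 requests, one TLSv1.1, one TLSv1,
# one plain-HTTP redirect and one unparseable line.
SAMPLE_LOG = """\
203.0.113.10 [10/Mar/2019:10:00:01 +0000] TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 200
203.0.113.11 [10/Mar/2019:10:00:02 +0000] TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /cart HTTP/1.1" 200
198.51.100.7 [10/Mar/2019:10:00:03 +0000] TLSv1.1 ECDHE-RSA-AES256-SHA "GET /checkout HTTP/1.1" 200
203.0.113.12 [10/Mar/2019:10:00:04 +0000] TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /checkout HTTP/1.1" 302
198.51.100.8 [10/Mar/2019:10:00:05 +0000] TLSv1 AES256-SHA "GET / HTTP/1.1" 200
203.0.113.13 [10/Mar/2019:10:00:06 +0000] - - "GET / HTTP/1.1" 301
203.0.113.14 [10/Mar/2019:10:00:07 +0000] TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /product/1 HTTP/1.1" 200
this line is garbage and should be skipped
"""


def parse_log(text):
    """Yield (protocol, cipher, client_ip) for TLS requests only; plain-HTTP
    entries ('-') and lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proto") == "-":
            continue
        yield m.group("proto"), m.group("cipher"), m.group("ip")


def protocol_share(text):
    """Return {protocol: fraction of TLS requests}, rounded to three places."""
    counts = Counter(proto for proto, _, _ in parse_log(text))
    total = sum(counts.values())
    return {p: round(n / total, 3) for p, n in counts.items()} if total else {}


def impact_of_dropping(text, protocols):
    """Fraction of TLS requests, and number of distinct client IPs, that
    negotiated one of `protocols`. Because the handshake settles on the highest
    version both sides support, a request logged as TLSv1.1 while TLSv1.2 was
    offered is a fair proxy for a client that cannot do better."""
    rows = list(parse_log(text))
    hit = [r for r in rows if r[0] in protocols]
    fraction = round(len(hit) / len(rows), 3) if rows else 0.0
    return fraction, len({r[2] for r in hit})


if __name__ == "__main__":
    print("share by protocol:", protocol_share(SAMPLE_LOG))
    print("cut by dropping TLSv1/TLSv1.1:", impact_of_dropping(SAMPLE_LOG, {"TLSv1", "TLSv1.1"}))
```

The figures only mean something if the log was collected while the legacy protocols were still enabled: a client that cannot negotiate any enabled protocol never produces an access-log entry at all, only a handshake error in nginx's error log. Run it over a representative period (a full week or more, to catch weekend and mobile traffic) before deciding, and the "1% versus 10%" question asked above gets an answer from your own visitors rather than from a generic exclusion list.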
 
Hi @Mark12345
It's worth us pointing out that we overhauled our server setup since our last post on this thread. We updated OpenSSL and Plesk and removed TLSv1.3 (draft). Hence we are now running TLSv1.2 only. We'll re-work this again soon, once TLSv1.3 is finally, formally released. The TLSv1.3 (draft) removal doesn't have any effect on our Qualys & HT Bridge ratings, as there's a few other things involved / required besides which TLSv*** we are supporting.

To answer your questions: we don't use any paid services like the one you mention, sorry. We ourselves are not interested in log records of unsupported protocols, so we never search for them. It's TLSv1.2 only and that's enough for us. The exclusion % analysis etc we do understand, but both this and appropriate protocol logs etc for all our e-commerce business models we deemed unnecessary some time ago. In the brutal world of financial reality ;) the end result is quite easily measured via the number of orders / turnover etc from all the e-commerce setups that are in place. They do all have feedback / contact us etc and FWIW to date, none have ever included the subject of "...inability to order due to old browser / os / or combination of..." Maybe in fairness, because those people cannot access all of those sites... but....:D Your setup / purpose / business models are obviously different than ours, but we can only answer questions about our own setup here.
 