• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

BEAST (Browser Exploit Against SSL/TLS) Vulnerability on port 8443

JustinCH

New Pleskian
Hello,

I'm running Plesk 10.3/ Centos 5.8 and one of the sites hosted on this server is being scanned for PCI compliance by Trustwave. I've followed all the PCI compliance stuff in the guide but it's still getting the threat below on port 8443.

BEAST (Browser Exploit Against SSL/TLS) Vulnerability

It was returning this on port 443 as well, but I was able to add the following the the site's vhost_ssl.conf file to fix it.

SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!aNULL:!EDH:!AESGCM
SSLInsecureRenegotiation off


Is there someway to do the equivalent for Plesk Control Panel ie port 8443?
 
What about using modern version of Plesk instead of very old 10.3 version?
 
Is there really no other answer and are you sure that an upgrade would actually fix the issue? I don't have a lot of faith in Plesk version upgrades.
 
Justin,

I know it's been a month since you wrote this and I hope that by now you have this issue resolved. If for some reason you are still experiencing issues with PCI compliance, specifically the BEAST exploit I would recommend taking a look at this blog post that we have written with solutions to many PCI compliance issues involving Plesk.

The blog can be found by clicking here.

Best of luck!
 
Last edited:
Same problem on Centos 5.8 Plesk 11

I upgraded, used Plesk PCI compliance script/guide and no luck. I've found many posts by Centos 5/ Plesk 11 users with same problem. I really wish some one would help. Its the last issue we have to meet for compliance.
 
First of all did you read through the compliance guide that I posted above? If so did you complete the steps listed for the beast exploit?

Could you explain what steps you have taken thus far?

Thanks
 
Yes we also followed steps on your page and created a vhost_ssl.conf in the conf folder of the domain.
using vi added these lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ALL!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:!LOW:!MEDIUM

saved. ran
/usr/local/psa/admin/bin/httpdmng --reconfigure-domain <ourdomain.com>

restarted httpd.

Failed at www.ssllabs.com test.

Any insight is appreciated.
 
We've seen this issue on some servers and not on others. The servers that have this issue are configured slightly different. I'll throw something together over the next couple days with a fix for those machines as it varies slightly from the guide.
 
Ok so lets check a couple things and make a few changes. I prefer nano. Replace with vi if you prefer.

First of all
cd /etc/httpd/conf/
nano httpd.conf

In the first un-commented section place the following:

Code:
SSLHonorCipherOrder On
SSLProtocol all -SSLv2
SSLCipherSuite RC4-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA
SSLInsecureRenegotiation off

Make sure there are no other duplicates. Remove any if they exist.

Save and exit

cd /etc/httpd/conf.d/
nano ssl.conf

Comment out all lines that have any of the following directives:
SSLHonorCipherOrder
SSLProtocol
SSLCipherSuite
SSLInsecureRenegotiation

Save and exit

cd /var/www/vhosts/domain.com/conf/
nano vhost.conf (may not exist)
At the very top add:
Code:
SSLHonorCipherOrder On
SSLProtocol all -SSLv2
SSLCipherSuite RC4-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA
SSLInsecureRenegotiation off

Save and exit
Repeat the above with vhost_ssl.conf

/usr/local/psa/admin/bin/httpdmng --reconfigure-all
service httpd restart

Retest with SSL Labs.

Report back and good luck!
 
Um... I don't think these suggestions are going to work.

The issue at hand is related to port 8443 which is the port used by Plesk panel itself, which has its own webserver (lighttpd) with its own configuration.

The changes being suggested will have no effect whatsoever on that port. They will only have effect on port 443 (https) for the Apache webserver used for hosted domains. Obviously this is important, but won't help with failures on 8443.

This page explains what you need to do in Plesk 11, but the plesk panel webserver configuration files mentioned are basically similar in Plesk 10: http://download1.parallels.com/Plesk/PP11/11.0/Doc/en-US/online/plesk-pci-compliance-guide/

Specifically, the cipher list for the panel is at /usr/local/psa/admin/conf/cipher.lst
You will need to restart the Plesk panel afterwards: /etc/init.d/sw-cp-server restart

If all that's required to deal with the BEAST issue is to change the cipher list, then this should do the trick. But if you have failures on other elements then there's more to worry about.

Note also that access to the Plesk panel is possible on port 8880 (no SSL) and there can be PCI failures here. Closing this in your firewall should resolve failures on this port if there are any, but before closing it please make sure you don't need it open for one reason or another, at least from some IPs (e.g. to use Web Presence Builder customers need access to it, I think????).

But there's potentially more to do. Take note of the following two threads, which contain more information in PCI compliance and issues:

http://forum.parallels.com/showthread.php?t=261475
http://forum.parallels.com/showthread.php?t=261825

Unfortunately I'm no PCI expert and I've not had to deal with any of the issues involved, so all I'm able to do is point people in what I think is the right direction. But it may be that I've missed some crucial thing, or misunderstood some vitally important point, so please don't assume anything I've said is actually correct or helpful.
 
If the post is about testing with SSL Labs then it is most definitely port 443 in question. The original OP may be referring to port 8443 however my reply is not in response to the OP. Please try the steps outlined in my post and report back.
 
Plesk 11 BEAST issues. Some insight

Oh, I see! Very confusing!

We've tried everything and I finally got ssllabs.com to pass us on BEAST by turning off NGINX.

If anyone can tell us why this is or how we can pass with NGINX on, I'd be greatly appreciative.

But TRUSTWAVE fails us on port 8443
Client provided options SSLv3 : ALL:eNULL:aNULL
Server Negotiated Block SSLv3 : ADH-AES256-SHA
Client provided options TLSv1 : ALL:eNULL:aNULL
Server Negotiated Block TLSv1 : ADH-AES256-SHA

SHOULD WE DISPUTE THIS?
 
Last edited:
Back
Top