
BEAST (Browser Exploit Against SSL/TLS) Vulnerability on port 8443

Discussion in 'Plesk 10.x for Linux Issues, Fixes, How-To' started by JustinCH, Jan 7, 2013.

  1. JustinCH (New Pleskian)
    Hello,

    I'm running Plesk 10.3/ Centos 5.8 and one of the sites hosted on this server is being scanned for PCI compliance by Trustwave. I've followed all the PCI compliance stuff in the guide but it's still getting the threat below on port 8443.

    BEAST (Browser Exploit Against SSL/TLS) Vulnerability

    It was returning this on port 443 as well, but I was able to add the following to the site's vhost_ssl.conf file to fix it.

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLHonorCipherOrder On
    SSLCipherSuite RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!aNULL:!EDH:!AESGCM
    SSLInsecureRenegotiation off


    Is there some way to do the equivalent for the Plesk Control Panel, i.e. port 8443?
     
  2. IgorG (Forums Analyst, Staff Member)
    What about using a modern version of Plesk instead of the very old 10.3 version?
     
  3. JustinCH (New Pleskian)
    Is there really no other answer, and are you sure that an upgrade would actually fix the issue? I don't have a lot of faith in Plesk version upgrades.
     
  4. TSCADFX (Basic Pleskian)
    Justin,

    I know it's been a month since you wrote this and I hope that by now you have this issue resolved. If for some reason you are still experiencing issues with PCI compliance, specifically the BEAST exploit, I would recommend taking a look at this blog post that we have written with solutions to many PCI compliance issues involving Plesk.

    The blog can be found by clicking here.

    Best of luck!
     
    Last edited: Jan 18, 2015
  5. AlvinCharles (New Pleskian)
    Same problem on CentOS 5.8 / Plesk 11

    I upgraded, used the Plesk PCI compliance script/guide and had no luck. I've found many posts by CentOS 5 / Plesk 11 users with the same problem. I really wish someone would help. It's the last issue we have to meet for compliance.
     
  6. TSCADFX (Basic Pleskian)
    First of all, did you read through the compliance guide that I posted above? If so, did you complete the steps listed for the BEAST exploit?

    Could you explain what steps you have taken thus far?

    Thanks
     
  7. AlvinCharles (New Pleskian)
    Yes, we also followed the steps on your page and created a vhost_ssl.conf in the domain's conf folder.
    Using vi, we added these lines:
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLHonorCipherOrder On
    # OpenSSL cipher-string entries are colon-separated; "ALL!ADH" is a typo for "ALL:!ADH"
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:!LOW:!MEDIUM

    Saved, then ran:
    /usr/local/psa/admin/bin/httpdmng --reconfigure-domain <ourdomain.com>

    Restarted httpd.

    It failed the www.ssllabs.com test.

    Any insight is appreciated.
     
  8. TSCADFX (Basic Pleskian)
    We've seen this issue on some servers and not on others. The servers that have this issue are configured slightly differently. I'll throw something together over the next couple of days with a fix for those machines, as it varies slightly from the guide.
     
  9. AlvinCharles (New Pleskian)
    Any help would be sincerely appreciated.
     
  10. TSCADFX (Basic Pleskian)
    OK, so let's check a couple of things and make a few changes. I prefer nano. Replace with vi if you prefer.

    First of all
    cd /etc/httpd/conf/
    nano httpd.conf

    In the first uncommented section place the following:

    Code:
    SSLHonorCipherOrder On
    SSLProtocol all -SSLv2
    SSLCipherSuite RC4-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA
    SSLInsecureRenegotiation off
    
    Make sure there are no other duplicates. Remove any if they exist.

    Save and exit

    cd /etc/httpd/conf.d/
    nano ssl.conf

    Comment out all lines that have any of the following directives:
    SSLHonorCipherOrder
    SSLProtocol
    SSLCipherSuite
    SSLInsecureRenegotiation

    Save and exit

    cd /var/www/vhosts/domain.com/conf/
    nano vhost.conf (may not exist)
    At the very top add:
    Code:
    SSLHonorCipherOrder On
    SSLProtocol all -SSLv2
    SSLCipherSuite RC4-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA
    SSLInsecureRenegotiation off
    
    Save and exit
    Repeat the above with vhost_ssl.conf

    /usr/local/psa/admin/bin/httpdmng --reconfigure-all
    service httpd restart

    Retest with SSL Labs.

    Report back and good luck!
     
  11. Faris Raouf (Silver Pleskian, Plesk Guru)
    Um... I don't think these suggestions are going to work.

    The issue at hand is related to port 8443 which is the port used by Plesk panel itself, which has its own webserver (lighttpd) with its own configuration.

    The changes being suggested will have no effect whatsoever on that port. They will only have effect on port 443 (https) for the Apache webserver used for hosted domains. Obviously this is important, but won't help with failures on 8443.

    This page explains what you need to do in Plesk 11, but the plesk panel webserver configuration files mentioned are basically similar in Plesk 10: http://download1.parallels.com/Plesk/PP11/11.0/Doc/en-US/online/plesk-pci-compliance-guide/

    Specifically, the cipher list for the panel is at /usr/local/psa/admin/conf/cipher.lst
    You will need to restart the Plesk panel afterwards: /etc/init.d/sw-cp-server restart

    If all that's required to deal with the BEAST issue is to change the cipher list, then this should do the trick. But if you have failures on other elements then there's more to worry about.

    Note also that access to the Plesk panel is possible on port 8880 (no SSL) and there can be PCI failures here. Closing this in your firewall should resolve failures on this port if there are any, but before closing it please make sure you don't need it open for one reason or another, at least from some IPs (e.g. to use Web Presence Builder customers need access to it, I think????).

    But there's potentially more to do. Take note of the following two threads, which contain more information on PCI compliance and issues:

    http://forum.parallels.com/showthread.php?t=261475
    http://forum.parallels.com/showthread.php?t=261825

    Unfortunately I'm no PCI expert and I've not had to deal with any of the issues involved, so all I'm able to do is point people in what I think is the right direction. But it may be that I've missed some crucial thing, or misunderstood some vitally important point, so please don't assume anything I've said is actually correct or helpful.
     
  12. TSCADFX (Basic Pleskian)
    If the post is about testing with SSL Labs then it is most definitely port 443 in question. The OP may be referring to port 8443; however, my reply is not in response to the OP. Please try the steps outlined in my post and report back.
     
  13. Faris Raouf (Silver Pleskian, Plesk Guru)
    Oh, I see! Very confusing!
     
  14. AlvinCharles (New Pleskian)
    Plesk 11 BEAST issues. Some insight

    We've tried everything and I finally got ssllabs.com to pass us on BEAST by turning off NGINX.

    If anyone can tell us why this is or how we can pass with NGINX on, I'd be greatly appreciative.

    But TRUSTWAVE fails us on port 8443
    Client provided options SSLv3 : ALL:eNULL:aNULL
    Server Negotiated Block SSLv3 : ADH-AES256-SHA
    Client provided options TLSv1 : ALL:eNULL:aNULL
    Server Negotiated Block TLSv1 : ADH-AES256-SHA

    SHOULD WE DISPUTE THIS?
     
    Last edited: Mar 14, 2013
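Faris Raouf's post above points at the panel's own cipher list (/usr/local/psa/admin/conf/cipher.lst, served by sw-cp-server rather than Apache), and the last post quotes what Trustwave actually negotiated on port 8443. The following is an added example, not code from this thread or from Plesk. It parses that scanner output, explains each (protocol, suite) pair the way a PCI scanner scores it, expands an OpenSSL cipher string (the syntax Apache's SSLCipherSuite uses; that cipher.lst holds one such string is an assumption here) against the local OpenSSL to see which suites it really enables, and probes a live host:port the way the scanner did. Two caveats the thread predates: BEAST is mitigated on the client side in all current browsers, and RC4, which the 2013 advice above deliberately put first, is now prohibited for TLS by RFC 7465. A current fix for this finding is TLS 1.2 or later with AEAD suites and no anonymous ciphers; the MODERN_SPEC constant is an assumed baseline of that kind, not a string from the thread. The probe() function needs a reachable server and is not exercised offline.

```python
"""Re-check a BEAST / anonymous-cipher finding on a Plesk host.

Added example; not code from this thread or from Plesk.
"""
import re
import socket
import ssl

# Constructed sample in the format Trustwave reported for port 8443 above.
SCAN_OUTPUT = """\
Client provided options SSLv3 : ALL:eNULL:aNULL
Server Negotiated Block SSLv3 : ADH-AES256-SHA
Client provided options TLSv1 : ALL:eNULL:aNULL
Server Negotiated Block TLSv1 : ADH-AES256-SHA
"""

# Assumed baseline for a current fix: AEAD suites only, nothing anonymous,
# no RC4. Not from the thread; adjust to your own policy.
MODERN_SPEC = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!RC4:!MD5"

NEGOTIATED = re.compile(r"^Server Negotiated \w+ (\S+) : (\S+)\s*$", re.M)


def parse_scan_output(text):
    """Return the (protocol, cipher) pairs the scanner says the server chose."""
    return NEGOTIATED.findall(text)


def analyse(protocol, cipher):
    """Classify an OpenSSL suite name the way a PCI scanner scores it.

    BEAST needs a CBC-mode block cipher under SSLv3 or TLS 1.0. Anonymous
    (ADH/AECDH) suites are a separate finding: the server never proves its
    identity, so any man-in-the-middle can impersonate the panel.
    """
    name = cipher.upper()
    anonymous = name.startswith(("ADH-", "AECDH-"))
    null_enc = "NULL" in name
    export = name.startswith("EXP")
    rc4 = "RC4" in name
    aead = any(tag in name for tag in ("GCM", "CCM", "CHACHA20"))
    cbc = not (null_enc or rc4 or aead)      # everything else is CBC mode
    beast = cbc and protocol in ("SSLv3", "TLSv1", "TLSv1.0")
    findings = []
    if anonymous:
        findings.append("anonymous key exchange: no server authentication")
    if null_enc:
        findings.append("null encryption")
    if export:
        findings.append("export-grade key length")
    if rc4:
        findings.append("RC4, prohibited for TLS by RFC 7465")
    if beast:
        findings.append(f"CBC suite under {protocol}: BEAST-affected")
    return {"protocol": protocol, "cipher": cipher, "anonymous": anonymous,
            "null_enc": null_enc, "export": export, "rc4": rc4,
            "cbc": cbc, "beast": beast, "findings": findings}


def expand_cipher_string(spec):
    """Expand an OpenSSL cipher string (Apache SSLCipherSuite syntax; assumed
    here to be what cipher.lst holds) against the local OpenSSL and return
    (enabled suite names, names that are anonymous, null or export)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)                    # ssl.SSLError if nothing matches
    names = [c["name"] for c in ctx.get_ciphers()]
    bad = []
    for n in names:
        r = analyse("TLSv1.2", n)
        if r["anonymous"] or r["null_enc"] or r["export"]:
            bad.append(n)
    return names, bad


def probe(host, port, spec="ALL:eNULL:aNULL:@SECLEVEL=0"):
    """Offer everything, like the scanner did, and report what the server
    picked. Needs a reachable host; @SECLEVEL=0 assumes OpenSSL 1.1.0+."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # measuring negotiation, not trust
    ctx.set_ciphers(spec)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return analyse(tls.version(), tls.cipher()[0])


if __name__ == "__main__":
    for proto, suite in parse_scan_output(SCAN_OUTPUT):
        print(proto, suite, analyse(proto, suite)["findings"])
    enabled, rejected = expand_cipher_string(MODERN_SPEC)
    print(len(enabled), "suites enabled,", len(rejected), "rejected")
```

The scanner's ADH-AES256-SHA result is two problems in one: a CBC suite under TLS 1.0 (the BEAST item) and an anonymous key exchange that lets anyone on the path impersonate the panel without a certificate warning, so it is not a finding to dispute. Run expand_cipher_string() on the exact line in cipher.lst to confirm that no ADH- or AECDH- suite survives before restarting sw-cp-server, then call probe('panel.example', 8443) from outside the host (hostname assumed) to see what the panel now negotiates; the same probe on 443 and 8880 shows whether Apache and the plain-HTTP panel port still need attention.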