
Can't disable TLS v1.0

Hi,

My PCI compliance scanning software is failing due to the server supporting TLS v1.0 on port 443. The server is running CentOS 6.6 with Plesk 12.0.

I've updated the ssl.conf file with the line: SSLProtocol all -SSLv2 -SSLv3 -TLSv1 but it doesn't seem to have made a difference. I phoned up the server provider and they weren't sure why that wasn't working and tried to point the finger at Plesk.

Would there be anything else I'd have to change in order to get TLSv1.0 disabled?

Thanks
Josh

Edit:

I have also just noticed that /etc/httpd/conf/plesk.conf.d/server.conf has the line SSLProtocol all -SSLv2 -SSLv3, which is missing the -TLSv1. It says not to edit that file as it could be overwritten; I did it anyway, but that still didn't fix the issue of the protocol TLSv1.0 being enabled. I should say I'm pretty sure I've disabled TLSv1.0 before for PCI on this server, doing what I've described above, but that alone doesn't seem to be enough any more...
 
Sorry, I should read the nicks first.
I need some info: Do you want to set it up for Plesk or a normal domain? In the latter case: did you adjust the PHP files in opt/psa/admin/conf/templates/custom, or just adjust the values in the automatically generated config file?
 
I assume that you don't use nginx as a proxy, or do you? For Apache you can try
Code:
SSLProtocol -all +TLSv1.1 +TLSv1.2
instead of your code.
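The thread's puzzle (editing /etc/httpd/conf.d/ssl.conf did nothing, editing the Plesk-generated server.conf worked) comes down to how mod_ssl resolves several SSLProtocol lines: tokens are applied in order, the last line in a scope wins, and a line in a more specific scope replaces the server-wide one. The following is an added example, not code from the original post or from Plesk/Apache. It evaluates an SSLProtocol argument list the way mod_ssl does, resolves which line applies, and then probes a port with a TLS 1.0-only handshake to confirm the result. ALL_PROTOCOLS (what "all" expands to) is an assumption for the httpd build; probe_tls10(), effective_protocols() and effective_for_vhost() are names chosen here.

```python
"""Work out which SSLProtocol line wins, then check port 443 for TLS 1.0.

Example added to this thread; it is not Plesk's or Apache's own code.
Assumptions: ALL_PROTOCOLS stands for the protocols this httpd build knows
(SSLv2 absent), and the function names are chosen here.
"""
import socket
import ssl

# Assumed protocol set behind the "all" keyword for this httpd build.
ALL_PROTOCOLS = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})


def effective_protocols(argument, known=ALL_PROTOCOLS):
    """Return the protocols enabled by one `SSLProtocol <argument>` line.

    Tokens are handled in order, as mod_ssl does: "all" means every known
    protocol, "+name" adds one, "-name" removes one, and a bare "name"
    replaces the whole set. Removing a protocol the build never had
    (e.g. -SSLv2) is a harmless no-op; adding one is an error.
    """
    by_lower = {p.lower(): p for p in known}
    enabled = set()
    for token in argument.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        if name.lower() == "all":
            members = set(known)
        elif name.lower() in by_lower:
            members = {by_lower[name.lower()]}
        elif sign == "-":
            members = set()          # unknown protocol: nothing to remove
        else:
            raise ValueError(f"unknown protocol token: {token}")
        if sign == "-":
            enabled -= members
        elif sign == "+":
            enabled |= members
        else:
            enabled = members        # bare name replaces the set
    return frozenset(enabled)


def effective_for_vhost(server_scope_lines, vhost_line=None):
    """Resolve the SSLProtocol that applies to one TLS virtual host.

    Within one scope the last SSLProtocol line wins, and a line inside the
    <VirtualHost> overrides the server-wide scope entirely. An edit to one
    global file therefore changes nothing when a later-included file or the
    vhost itself carries its own SSLProtocol line.
    """
    chosen = vhost_line if vhost_line is not None else server_scope_lines[-1]
    return effective_protocols(chosen)


def probe_tls10(host, port=443, timeout=5.0):
    """Attempt a TLS 1.0-only handshake; True means the server still allows it.

    Connection errors propagate; only a handshake rejection counts as
    "disabled". The local OpenSSL may refuse to offer TLS 1.0 at its default
    security level, so this probe context lowers the level for itself only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE       # only the negotiated version matters here
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == "TLSv1"
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    import sys
    # The thread's situation: the global file was changed, but the line that
    # actually applies is the generated one without -TLSv1.
    edited_global = ["all -SSLv2 -SSLv3 -TLSv1"]   # edited /etc/httpd/conf.d/ssl.conf
    generated = "all -SSLv2 -SSLv3"                 # line from server.conf
    print("effective:", sorted(effective_for_vhost(edited_global, generated)))
    if len(sys.argv) > 1:
        print("TLS 1.0 accepted:", probe_tls10(sys.argv[1]))
```

Run it with a hostname as the argument after changing the configuration and restarting httpd; the probe's answer is what the PCI scanner sees, regardless of which file the directive ended up in. The evaluator also shows why `-all +TLSv1.1 +TLSv1.2` and `all -SSLv2 -SSLv3 -TLSv1` produce the same set on a build that knows only those protocols.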
 
Just done a little experiment: created another server, same spec, CentOS 6 with Plesk 12.0 with the same updates.

Created a dummy subscription, tested to see if TLSv1.0 was enabled for that website and it was. Did the exact same step as I mentioned in the first post, edited /etc/httpd/conf.d/ssl.conf, and it worked! TLSv1.0 is disabled.

Not really sure what to make of that... something must be overwriting the changes in that file on the main server. Moving the websites over to the new server isn't really an option, unfortunately.
 
It now seems to be disabled somehow, but I had to change it in /etc/httpd/conf/plesk.conf.d/server.conf, which means it'll get overwritten next time that file is generated.

Any ideas why it has to be placed in that file for it to work?

Thanks
Josh
 
http://download1.parallels.com/Plesk/Doc/es-ES/online/plesk-unix-cli/37785.htm

Managing SSL cyphers and protocols for all services with the help of the server_pref utility.

/usr/local/psa/bin/server_pref --help
/usr/local/psa/bin/server_pref --show

https://wiki.mozilla.org/Security/Server_Side_TLS
http://security.stackexchange.com/q...ecurity-compatibility-perfect-forward-secrecy
https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/

Mozilla Intermediate:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Mozilla Modern:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

Stackexchange:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK

Acunetix:
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5

I decided to use the "Stackexchange" offer, since it completely omits DSS. So at the server root command prompt, issue this command:

/usr/local/psa/bin/server_pref -u -ssl-ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK'

Sorry about the smilies, they are caused by colon D in the original text, I found no quick solution to turn that off. But copy paste turns out right.

For nginx this causes the file /etc/nginx/conf.d/ssl.conf to be created, can't say about Apache 'cos I use nginx exclusively.

Hope this helps!
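Before handing one of these cipher strings to server_pref, it is worth expanding it on OpenSSL itself to see which suites actually survive the `!` exclusions (the reason given above for choosing the "Stackexchange" list is that it leaves no DSS suites). This is an added example, not Plesk's own tooling: it expands a cipher string through Python's `ssl` module, which must be linked against OpenSSL, and flags suite names a PCI scanner would object to. WEAK_MARKERS, classify(), expand() and audit() are names and lists chosen here; the enabled set depends on the OpenSSL build doing the expansion, so run it on the server itself for the authoritative answer.

```python
"""Expand and audit an OpenSSL cipher string on the local OpenSSL.

Example added to this thread, not Plesk's own tooling. It assumes the Python
`ssl` module is linked against OpenSSL; WEAK_MARKERS and the function names
are chosen here.
"""
import ssl

# The "Stackexchange" list from the thread, verbatim.
STACKEXCHANGE = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK"
)

# Substrings in a suite name that a PCI scanner flags (constructed list;
# extend it from your own scanner's findings).
WEAK_MARKERS = ("RC4", "DES", "MD5", "DSS", "NULL", "EXP", "PSK", "ADH", "AECDH")


def classify(names):
    """Split suite names into (acceptable, weak) using WEAK_MARKERS."""
    weak = [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]
    acceptable = [n for n in names if n not in weak]
    return acceptable, weak


def expand(cipher_string):
    """Return the suite names the local OpenSSL enables for cipher_string.

    OpenSSL ignores tokens it does not recognise and raises ssl.SSLError
    only when nothing at all matches. TLS 1.3 suites (TLS_*) appear as well
    where supported, because OpenSSL configures them separately from this
    string and a TLS 1.2-era list does not remove them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Expand the string and report what it enables and what a scanner flags."""
    acceptable, weak = classify(expand(cipher_string))
    # Every remaining suite should use an ephemeral key exchange.
    ephemeral = all(n.startswith(("ECDHE-", "DHE-", "TLS_")) for n in acceptable)
    return {"enabled": acceptable, "weak": weak, "forward_secrecy_only": ephemeral}


if __name__ == "__main__":
    report = audit(STACKEXCHANGE)
    for name in report["enabled"]:
        print(" ", name)
    print("weak suites:", report["weak"] or "none")
    print("forward secrecy only:", report["forward_secrecy_only"])
```

The same expansion is what `openssl ciphers -v '<string>'` prints on the command line; the script just adds the scanner-style classification on top, so the "Mozilla Intermediate" list (which keeps DES-CBC3-SHA and the DSS suites) shows up with a non-empty weak set while the "Stackexchange" list does not.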
 