• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Can't disable TLS v1.0

Hi,

My PCI compliance scanning software is failing due to the server supporting TLS v1.0 on port 443. The server is running Centos 6.6 Plesk 12.0.

I've updated the ssl.conf file with the line: SSLProtocol all -SSLv2 -SSLv3 -TLSv1 but it doesn't seem to have made a difference. I phoned up the server provider and they weren't sure why that wasn't working and tried to point the finger at Plesk.

Would there be anything else I'd have to change in order to get TLSv1.0 disabled?

Thanks
Josh

Edit:

I have also just noticed in /etc/httpd/conf/plesk.conf.d/server.conf it also has the line SSLProtocol all -SSLv2 -SSLv3 which is missing the -TLSv1. It says not to edit that file as it could be overwritten, I did it anyway but that still didn't fix the issue of the protocol TLSv1.0 being enabled. I should say I'm pretty sure I've disabled TLSv1.0 before for PCI on this server, doing what I've described above but that alone doesn't seem to be enough any more...
 
Last edited:
Sorry, i should read the nicks first.
In need some infos: Do you want to set it up for plesk or a normal domain? In the last case: Do you adjust the php-files in opt/psa/admin/conf/templates/custom or just adjust the values in the automated generated config-file?
 
I assume that you don't use nginx as proxy, or do you? For apache you can try
Code:
SSLProtocol -all +TLSv1.1 +TLSv1.2
instead of your code.
 
Just done a little experience, created another server, same spec, Centos 6 with Plesk 12.0 with the same updates.

Created a dummy subscription, tested to see if TLSv1.0 was enabled for that website and it was. Did the exact same step as I mentioned in the first post, edited /etc/httpd/conf.d/ssl.conf, and it worked! TLSv1.0 is disabled.

Not really sure what to make of that... something must be overwritting the changes in that file on the main server. Moving the websites over to the new server isn't really an option unfortuantely.
 
It now seems to be disabled somehow, but having to change it in /etc/httpd/conf/plesk.conf.d/server.conf which means it'll get overwritten next time that file is generated.

Any ideas why it has to be placed in that file for it to work?

Thanks
Josh
 
http://download1.parallels.com/Plesk/Doc/es-ES/online/plesk-unix-cli/37785.htm

Managing SSL cyphers and protocols for all services with the help of the server_pref utility.

/usr/local/psa/bin/server_pref --help
/usr/local/psa/bin/server_pref --show

https://wiki.mozilla.org/Security/Server_Side_TLS
http://security.stackexchange.com/q...ecurity-compatibility-perfect-forward-secrecy
https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/

Mozilla Intermediate:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Mozilla Modern:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

Stackexchange:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK

Acunetix:
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5

I decided to use the "Stackexchange" offer, since it completely omits DSS. So at the server root command prompt, issue this command:

/usr/local/psa/bin/server_pref -u -ssl-ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK'

Sorry about the smilies, they are caused by colon D in the original text, I found no quick solution to turn that off. But copy paste turns out right.

For nginx this causes the file /etc/nginx/conf.d/ssl.conf to be created, can't say about Apache 'cos I use nginx exclusively.

Hope this helps!
 
Last edited:
Back
Top