• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Changing Cipher Suite - Sweet32 PCI Compliance

sja

New Pleskian
Hi there,

I'm new to this and am trying to ensure our server is PCI compliant.

One element we're not passing is on port 8443 "Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32".

So, I'd like to change the cipher suite we use.

I found this page: Command Line Reference, Plesk 12.5 for Linux

On it is this command:
Code:
plesk bin server_pref -u -ssl-ciphers 'HIGH:!aNULL:!MD5'

But I'm unclear on what ciphers that actually sets. I'd like to set
Code:
plesk bin server_pref -u -ssl-ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'

But I'd like to know what the current set is incase I have any issues.

Can anyone help point me to which file these commands are actually editing?

Many thanks
 
Can anyone help point me to which file these commands are actually editing?
/etc/nginx/conf.d/ssl.conf

https://kb.plesk.com/en/128733

  • How can I set up my own TLS ciphers list for NGINX?
Answer: You should use sslmng utility from Plesk to set up available protocols and TLS ciphers list after you enabled HTTP/2. For example if you want to use exactly the same ciphers list as Plesk does, the command will be the following:

#plesk sbin sslmng --services=nginx --custom --ciphers="EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20" --protocols="TLSv1 TLSv1.1 TLSv1.2"

Configuration will be stored in /etc/nginx/conf.d/ssl.conf file. We do not recommend to edit this file manually.
 
How can we do the same for port 21, 25, 993 and 995 ?

Port
Protocol Service
993
TCP
imap
T itle
SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
Synopsis:
The remote service supports the use of 64-bit block ciphers.
 
I have managed to pass PCI compliance using the below conf for different ports other than port 443

Dovecot

/etc/dovecot/conf.d/11-plesk-security-ssl.conf


ssl_cipher_list = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!3DES
ssl_protocols = TLSv1.1 TLSv1.2
ssl_dh_parameters_length = 2048


/etc/postfix/main.cf

smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
tls_medium_cipherlist = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!3DES

FTP service

/etc/proftpd.d/ssl.conf

<IfModule mod_tls.c>
TLSCipherSuite EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!3DES
TLSProtocol TLSv1.1 TLSv1.2
</IfModule>

IMAPS and POPS

/etc/dovecot/conf.d/11-plesk-security-ssl.conf

ssl_cipher_list = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!3DES
ssl_protocols = TLSv1.1 TLSv1.2
ssl_dh_parameters_length = 2048
 
Back
Top