
Disable SSLv2 for admin panel on port 8443

Aaron44126

Guest
I've been looking around everywhere and I haven't been able to figure this out.

I am running Plesk 10.4.4 on Ubuntu Server 10.04.4 (64-bit).

I need to disable SSLv2 for the admin panel running on port 8443.

I've looked at the official documentation (page 5) which says to add some stuff to /opt/psa/admin/conf/cipher.lst and then restart sw-cp-server. Didn't work.

I've looked at other solutions that involve maybe adding a line like this:
ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"
to /etc/sw-cp-server/applications.d/plesk.conf, and then restart sw-cp-server. Didn't work.

How do I know it didn't work? On another machine, I run this command:

openssl s_client -connect (SERVERNAME):8443 -ssl2

It returns "CONNECTED" with no error, but it should throw an error like "13752:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:.\ssl\s2_pkt.c:430" if SSLv2 is actually disabled.

Any suggestions appreciated.
 
I've got everything worked out except the control panel itself. I have run the pci_compliance_resolver tool; SSLv2 connections are still accepted on port 8443.

Any other suggestions?
 
Make sure that
1. the file /usr/local/psa/admin/conf/ssl-conf.sh is included in the SSL section of /etc/sw-cp-server/applications.d/plesk.socket.sh
2. executing /usr/local/psa/admin/conf/ssl-conf.sh produces output containing the string ssl.use-sslv2 = "disable"

Actually, SSLv2 is disabled by default; pci_compliance_resolver only provides the cipher list.
 
No Virtuozzo / billing.

I see /opt/psa/admin/conf/ssl-conf.sh being included. It does have the line to disable SSLv2.

I am still able to open an SSLv2 connection using the OpenSSL command-line client.
 
That is very strange. I need additional info:
1. openssl version
2. output of "/usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config -p"
 
On client...

$ openssl version
OpenSSL 1.0.1 14 Mar 2012


On server...

$ /usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config -p
(output attached)


Thanks.
 

In the attached file there is no SSL definition for port 8443, i.e. it processes unsecured connections ...

A correct SSL listener should look like this (at minimum):
$SERVER["socket"] == ":8443" {
...
ssl.engine = "enable"
ssl.pemfile = "/opt/psa/admin/conf/httpsd.pem"
...
}
 
Hmm.

I followed how that output is generated. In /etc/sw-cp-server/applications.d/plesk.socket.sh on line 88, I see:

if [ $SSL = "yes" ] ; then
cat <<EOF
\$HTTP["useragent"] =~ ".*MSIE [456]\..*" {
server.max-keep-alive-requests = 0
}
include_shell "/opt/psa/admin/conf/ssl-conf.sh"
EOF
fi

(The file /opt/psa/admin/conf/ssl-conf.sh writes out the config that you said was missing.)

This does not appear to be happening (the if statement failed) --- the blocks above and below are firing because I see their output in the result. Nonetheless, the server accepts HTTPS connections and not regular HTTP connections when connecting via port 8443, I just double-checked in my browser.

Investigating why the "if" statement fails, I can't figure that out at a glance. I see in /etc/sw-cp-server/applications.d/plesk.conf, the lines:

include_shell "/etc/sw-cp-server/applications.d/plesk.socket.sh 8443 ssl"
include_shell "/etc/sw-cp-server/applications.d/plesk.socket.sh 8880"
include_shell "/etc/sw-cp-server/applications.d/plesk.socket.sh 8443 ipv6 ssl"
include_shell "/etc/sw-cp-server/applications.d/plesk.socket.sh 8880 ipv6"

The "ssl" parameter is supposed to be caught at the top of plesk.socket.sh and set the variable "SSL" to "yes" ... line 22:

if [ "$1" = "ssl" ] ; then
SSL="yes"
shift
fi
 
Your target is /opt/psa/admin/conf/ssl-conf.sh; examine it.
The latter should generate output like:
----------------------------------------

[email protected]:/etc/sw-cp-server/applications.d# sh /opt/psa/admin/conf/ssl-conf.sh
ssl.engine = "enable"
ssl.use-sslv2 = "disable"
ssl.cipher-list = "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5"
ssl.pemfile = "/opt/psa/admin/conf/httpsd.pem"
ssl.plain-redirect = "https://wtf.com:8443/"
[email protected]:/etc/sw-cp-server/applications.d#
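As an added example (not code from the thread or from Plesk), the check the replies describe, applied mechanically to a dump of the effective sw-cp-server configuration: locate the $SERVER["socket"] block that binds port 8443 and confirm it carries ssl.engine = "enable", ssl.use-sslv2 = "disable" and an ssl.pemfile. The configuration text below is a constructed sample in the shape of the "sw-cp-serverd -p" output, not a real dump.

```python
import re

# Constructed sample of a config dump: a plain listener on 8880 and an 8443
# listener that does contain the SSL block written by ssl-conf.sh.
SAMPLE_DUMP = r'''
$SERVER["socket"] == ":8880" {
    server.document-root = "/opt/psa/admin/htdocs"
}
$SERVER["socket"] == ":8443" {
    server.document-root = "/opt/psa/admin/htdocs"
    $HTTP["useragent"] =~ ".*MSIE [456]\..*" {
        server.max-keep-alive-requests = 0
    }
    ssl.engine = "enable"
    ssl.use-sslv2 = "disable"
    ssl.cipher-list = "DHE-RSA-AES256-SHA:AES256-SHA:RC4-SHA"
    ssl.pemfile = "/opt/psa/admin/conf/httpsd.pem"
}
'''


def listener_block(dump, port):
    """Return the body of the $SERVER["socket"] block binding `port` (IPv4 or
    IPv6 form), or None if no such block exists. Nested blocks are skipped by
    tracking brace depth rather than stopping at the first closing brace."""
    m = re.search(r'\$SERVER\["socket"\]\s*==\s*"[^"]*:%d"\s*\{' % port, dump)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(dump)):
        if dump[i] == '{':
            depth += 1
        elif dump[i] == '}':
            depth -= 1
            if depth == 0:
                return dump[start:i]
    return None  # unbalanced braces: treat as no usable listener


def check_ssl_listener(dump, port=8443):
    """Report which of the expected SSL directives the port's listener carries."""
    body = listener_block(dump, port)
    if body is None:
        return {"listener": False}
    # Only top-level-looking "ssl.* = "..."" lines inside this block count.
    directives = dict(re.findall(r'^\s*(ssl\.[\w-]+)\s*=\s*"([^"]*)"', body, re.M))
    return {
        "listener": True,
        "ssl_engine": directives.get("ssl.engine") == "enable",
        "sslv2_disabled": directives.get("ssl.use-sslv2") == "disable",
        "has_pemfile": "ssl.pemfile" in directives,
    }
```

A result with "listener": True but "ssl_engine": False reproduces the situation in the attached dump, where the next things to inspect are the "ssl" argument handling in plesk.socket.sh and the output of ssl-conf.sh.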
 