
Disable SSLv2 for admin panel on port 8443

Discussion in 'Plesk 10.x for Linux Issues, Fixes, How-To' started by Aaron44126, Apr 27, 2012.

  1. Aaron44126

    Aaron44126 Guest

    I've been looking around everywhere and I haven't been able to figure this out.

    I am running Plesk 10.4.4 on Ubuntu Server 10.04.4 (64-bit).

    I need to disable SSLv2 for the admin panel running on port 8443.

    I've looked at the official documentation (page 5) which says to add some stuff to /opt/psa/admin/conf/cipher.lst and then restart sw-cp-server. Didn't work.

    I've looked at other solutions that involve maybe adding a line like this:
    ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"
    to /etc/sw-cp-server/applications.d/plesk.conf, and then restart sw-cp-server. Didn't work.

    How do I know it didn't work? On another machine, I run this command:

    openssl s_client -connect (SERVERNAME):8443 -ssl2

    It returns "CONNECTED" with no error, but it should throw an error like "13752:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:.\ssl\s2_pkt.c:430" if SSLv2 is actually disabled.

    Any suggestions appreciated.
     
  2. EdwardDekker

    EdwardDekker Guest

    Use the pci compliance resolver to update your ssl settings.
    Courier IMAP can be tricky, use "--enable courier" only when needed.
     
    Last edited by a moderator: Apr 27, 2012
  3. Aaron44126

    Aaron44126 Guest

    I've got everything worked out except the control panel itself. I have run the pci_compliance_resolver tool; SSLv2 connections are still accepted on port 8443.

    Any other suggestions?
     
  4. fogelf

    fogelf Regular Pleskian

    Make sure that:
    1. the file /usr/local/psa/admin/conf/ssl-conf.sh is included in the SSL section of /etc/sw-cp-server/applications.d/plesk.socket.sh
    2. executing /usr/local/psa/admin/conf/ssl-conf.sh gives output that contains the string ssl.use-sslv2 = "disable"

    Actually, SSLv2 is disabled by default; pci_compliance_resolver only provides the cipher list.
     
    Last edited: May 17, 2012
  5. fogelf

    fogelf Regular Pleskian

    Is it Virtuozzo? Is billing installed?
     
  6. Aaron44126

    Aaron44126 Guest

    No Virtuozzo / billing.

    I see /opt/psa/admin/conf/ssl-conf.sh being included. It does have the line to disable SSLv2.

    I am still able to open an SSLv2 connection using the OpenSSL command-line client.
     
  7. fogelf

    fogelf Regular Pleskian

    It is too strange. I need additional info:
    1. openssl version
    2. output of "/usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config -p"
     
    Last edited: May 21, 2012
  8. Aaron44126

    Aaron44126 Guest

    On client...

    $ openssl version
    OpenSSL 1.0.1 14 Mar 2012


    On server...

    $ /usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config -p
    (output attached)


    Thanks.
     
  9. fogelf

    fogelf Regular Pleskian

    In the attached file there is no SSL definition for port 8443, i.e. it processes unsecured connections ...

    A correct SSL listener should look like this (at a minimum):
    $SERVER["socket"] == ":8443" {
    ...
    ssl.engine = "enable"
    ssl.pemfile = "/opt/psa/admin/conf/httpsd.pem"
    ...
    }
     
  10. Aaron44126

    Aaron44126 Guest

    Hmm.

    I followed how that output is generated. In /etc/sw-cp-server/applications.d/plesk.socket.sh on line 88, I see:

    if [ $SSL = "yes" ] ; then
    cat <<EOF
    \$HTTP["useragent"] =~ ".*MSIE [456]\..*" {
    server.max-keep-alive-requests = 0
    }
    include_shell "/opt/psa/admin/conf/ssl-conf.sh"
    EOF
    fi

    (The file /opt/psa/admin/conf/ssl-conf.sh writes out the config that you said was missing.)

    This does not appear to be happening (the if statement failed) --- the blocks above and below are firing because I see their output in the result. Nonetheless, the server accepts HTTPS connections and not regular HTTP connections when connecting via port 8443, I just double-checked in my browser.

    Investigating why the "if" statement fails, I can't figure that out at a glance. I see in /etc/sw-cp-server/applications.d/plesk.conf, the lines:

    include_shell "/etc/sw-cp-server/applications.d/plesk.socket.sh 8443 ssl"
    include_shell "/etc/sw-cp-server/applications.d/plesk.socket.sh 8880"
    include_shell "/etc/sw-cp-server/applications.d/plesk.socket.sh 8443 ipv6 ssl"
    include_shell "/etc/sw-cp-server/applications.d/plesk.socket.sh 8880 ipv6"

    The "ssl" parameter is supposed to be caught at the top of plesk.socket.sh and set the variable "SSL" to "yes" ... line 22:

    if [ "$1" = "ssl" ] ; then
    SSL="yes"
    shift
    fi
     
  11. fogelf

    fogelf Regular Pleskian

    Your target is /opt/psa/admin/conf/ssl-conf.sh; examine it.
    The latter should generate output like:
    ----------------------------------------

    root@wtf.com:/etc/sw-cp-server/applications.d# sh /opt/psa/admin/conf/ssl-conf.sh
    ssl.engine = "enable"
    ssl.use-sslv2 = "disable"
    ssl.cipher-list = "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5"
    ssl.pemfile = "/opt/psa/admin/conf/httpsd.pem"
    ssl.plain-redirect = "https://wtf.com:8443/"
    root@wtf.com:/etc/sw-cp-server/applications.d#
     
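The diagnosis in posts 9 and 11 comes down to checking the config that sw-cp-serverd dumps with "-p": the listener block for port 8443 must carry the ssl.* settings emitted by ssl-conf.sh. The following is an added example (not code from the thread or from Plesk) that parses such a dump and audits every 8443 socket block; the two config samples are constructed to mirror the broken and the corrected cases described above.

```python
import re

# Constructed sample of a dump with the fault diagnosed in post 9: the 8443
# listener has no ssl.* settings, so the block from ssl-conf.sh never got included.
BROKEN_DUMP = '''
$SERVER["socket"] == ":8443" {
    $HTTP["useragent"] =~ ".*MSIE [456]\\..*" {
        server.max-keep-alive-requests = 0
    }
}
$SERVER["socket"] == ":8880" {
    server.max-keep-alive-requests = 16
}
'''

# Constructed sample of the same listener once ssl-conf.sh output is included.
FIXED_DUMP = '''
$SERVER["socket"] == ":8443" {
    ssl.engine = "enable"
    ssl.use-sslv2 = "disable"
    ssl.cipher-list = "DHE-RSA-AES256-SHA:AES256-SHA"
    ssl.pemfile = "/opt/psa/admin/conf/httpsd.pem"
}
'''

_SOCKET = re.compile(r'\$SERVER\["socket"\]\s*==\s*"([^"]*)"\s*\{')

def socket_blocks(text):
    """Yield (socket, body) for each $SERVER["socket"] block, honouring nested braces."""
    for m in _SOCKET.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def setting(body, key):
    """Return the quoted value of `key = "value"` inside a block body, or None."""
    m = re.search(r'^\s*' + re.escape(key) + r'\s*=\s*"([^"]*)"', body, re.M)
    return m.group(1) if m else None

def audit_ssl_listener(text, port=8443):
    """Return a list of problems for every listener on `port`; empty list means OK."""
    problems, found = [], False
    for sock, body in socket_blocks(text):
        if not sock.endswith(f":{port}"):   # also matches the IPv6 form "[::]:8443"
            continue
        found = True
        if setting(body, "ssl.engine") != "enable":
            problems.append(f'{sock}: ssl.engine is not "enable"')
        if setting(body, "ssl.use-sslv2") != "disable":
            problems.append(f'{sock}: ssl.use-sslv2 is not "disable"')
        if not setting(body, "ssl.pemfile"):
            problems.append(f'{sock}: ssl.pemfile missing')
    if not found:
        problems.append(f'no $SERVER["socket"] block for port {port}')
    return problems
```

Feed it the real dump with `audit_ssl_listener(open("dump.txt").read())`; a non-empty result on a host that still answers SSLv2 handshakes points at the include_shell path rather than at cipher.lst.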