
Issue Disable TLSv1.0 To Comply with PCI

apaunovski

Basic Pleskian
So, I tried a number of different articles on disabling TLSv1.0, however Comodo's PCI scanner still detects it.

How do I get rid of it?

Currently, I get this response when I run /usr/local/psa/bin/server_pref -s | grep ssl-protocols

root@vel:~# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
Warning: Current locale is unusable. Using 'C' instead.
ssl-protocols: TLSv1.2

TLSv1.0 scanners and nmap still detect TLSv1.0 as available.

Please advise how I can reliably get rid of TLSv1.0!!!

This is very annoying.
 
Yes, I made it to this part:

# grep SSLCipher /etc/httpd/conf.d/ssl.conf
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

However, I can't find the file path specified... /etc/httpd/conf.d/ssl.conf

Server is still incompliant!

 
The command

find /etc/apache2 -type f -name "*.conf" -exec grep --color -Hni "ssl_protocols" {} \;

doesn't return anything

Looking here shows me this:
root@vel:/home/aleksandar# vim /etc/apache2/mods-available/ssl.conf

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate. See the
# ciphers(1) man page from the openssl package for list of all available
# options.
# Enable only secure ciphers:
SSLCipherSuite EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES

# SSL server cipher order preference:
# Use server priorities for cipher algorithm choice.
# Clients may prefer lower grade encryption. You should enable this
# option if you want to enforce stronger encryption, and can afford
# the CPU cost, and did not override SSLCipherSuite in a way that puts
# insecure ciphers first.
# Default: Off
#SSLHonorCipherOrder on

# The protocols to enable.
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
# SSL v2 is no longer supported
SSLProtocol +TLSv1.2

from which I conclude that Apache is OK running only secure ciphers and TLSv1.2

Where is the problem, then? NGINX?
 
Looking at /etc/nginx/conf.d/ssl.conf

shows this

ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
ssl_dhparam /opt/psa/etc/dhparams2048.pem;

So it's OK... So why is the scan still failing and detecting TLSv1.0 as available?
 
Server: Apache + Nginx
OS Version: Ubuntu 18.04

Looking at the file you said gives this:

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate. See the
# ciphers(1) man page from the openssl package for list of all available
# options.
# Enable only secure ciphers:
SSLCipherSuite EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES

# SSL server cipher order preference:
# Use server priorities for cipher algorithm choice.
# Clients may prefer lower grade encryption. You should enable this
# option if you want to enforce stronger encryption, and can afford
# the CPU cost, and did not override SSLCipherSuite in a way that puts
# insecure ciphers first.
# Default: Off
#SSLHonorCipherOrder on

# The protocols to enable.
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
# SSL v2 is no longer supported
SSLProtocol +TLSv1.2

So, only TLSv1.2 is available in Apache and Nginx as verified in earlier posts... What is still wrong...
 
Your server appears to be behind Cloudflare. So you should check your Cloudflare SSL/TLS settings.
 
I never used the Comodo PCI scanner.....
Your server appears to be behind Cloudflare. So you should check your Cloudflare SSL/TLS settings.
What @Monty has said already ^^
We're on the same OS as you and if it's of any use, to ensure TLSv1.2 only, we updated / modified all of these files:

/etc/apache2/mods-available/ssl.conf
/etc/dovecot/conf.d/11-plesk-security-ssl.conf
/etc/nginx/conf.d/ssl.conf
/etc/postfix/main.cf
/etc/proftpd.d/ssl.conf
/etc/sw-cp-server/conf.d/ssl.conf

There are easier ways to do this yes, but we wanted to be 100% sure ;) Like you, we did adopt TLSv1.3 (but at an early stage) but we binned that, because there were so many replacement drafts... Once TLSv1.3 is finally officially released, in theory :rolleyes: it should be possible to seamlessly upgrade from OpenSSL 1.1.0** to OpenSSL 1.1.1* but we'll wait and see if that happens.

As well as Qualys SSL, you could try HT Bridge where you can specify port numbers as well as the domain name / IP address
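An added example, not from this thread or from Plesk, that evaluates the SSLProtocol and ssl_protocols directives pasted above the way Apache and nginx would (Apache's +/- syntax, nginx's plain allow list), skipping commented-out lines such as "#SSLHonorCipherOrder on", and reports which legacy versions a given config would still negotiate. The sample config strings are constructed; the same loop can be pointed at the file list from the previous post for the Apache/nginx-style files.

```python
import re

ALL_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # versions a PCI scan will flag

def find_directive(text, name):
    """Value of the last active (uncommented) occurrence of a directive, or None.
    A line like '#SSLHonorCipherOrder on' is a comment and does not count."""
    value = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(rf"{name}\s+(.*?);?\s*$", line, re.IGNORECASE)
        if m:
            value = m.group(1)
    return value

def apache_protocols(value):
    """Evaluate Apache's SSLProtocol syntax: tokens are 'all' or a version,
    optionally prefixed '+' (add) or '-' (remove). '+TLSv1.2' alone means
    only TLSv1.2, because nothing else was ever added."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        versions = set(ALL_VERSIONS) if name.lower() == "all" else {name}
        enabled = (enabled | versions) if sign == "+" else (enabled - versions)
    return enabled

def nginx_protocols(value):
    """nginx's ssl_protocols is a plain whitespace-separated allow list."""
    return set(value.split())

PARSERS = {"apache": ("SSLProtocol", apache_protocols),
           "nginx": ("ssl_protocols", nginx_protocols)}

def legacy_protocols(service, config_text):
    """Legacy versions this config would still negotiate; None if the
    directive is absent (then the compiled-in default applies)."""
    directive, parse = PARSERS[service]
    value = find_directive(config_text, directive)
    return None if value is None else parse(value) & LEGACY

# Constructed samples: the thread's hardened settings vs. Apache's usual default.
APACHE_OK = "#SSLHonorCipherOrder on\nSSLProtocol +TLSv1.2\n"
APACHE_DEFAULT = "SSLProtocol all -SSLv3\n"
NGINX_OK = "ssl_protocols TLSv1.2;\nssl_prefer_server_ciphers on;\n"
```

A clean result here only proves the origin is fine; when the domain is proxied through Cloudflare, the scanner negotiates with Cloudflare's edge, so its minimum TLS version setting is what decides the scan.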
 