
Disabling SSL2.0 for PCI Compliance

GavinDixon (Guest)
Is it possible on a Windows IIS6 Server to disable ssl2.0 and Plesk still function correctly?

We have had a security test ran on our website in order to make this PCI Compliant, and have had the following vulnerability raised by our Security Vendor - SecurityMetrics.


Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See also: http://www.schneier.com/paper-ssl.pdf
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache.
Risk Factor: Medium / CVSS Base Score: 2 (AV:R/AC:L/Au:NR/C:p/A:N/I:N/B:N)

Our web hosting company has issued this e-mail to us:

Hello,


Plesk uses SSLv2. We have tested this by disabling SSLv2 in the registry. Plesk uses SSLv2; this has been confirmed. We could not find a way to disable SSLv2 and have SSLv3 used by Plesk instead. There are ways to make Plesk use SSLv3 on Plesk using the Apache web server, but we could not find how that can be done on Plesk, which uses IIS.

Please do let us know, if you have any further queries.

Thank You
Adam
Technical Support Team
Dataflame

They are saying that because we are on a Windows hosting package and not a Linux package, they cannot disable SSL 2.0, as Plesk requires this to work?

Is this correct?
 
I see it has been over a year since this was originally posted, but does anyone have a solution to this?

I am in the same position - for PCI compliance I need to disable SSL 2.0. Can Plesk handle SSL 2.0 being disabled? And can anyone provide some guidance on doing this?
Remember this is related to a WINDOWS server running IIS 6.

Many thanks.
 
Hi,
Many thanks for your reply. I have come across a few articles describing how to disable SSL 2.0, but thanks for your link. That site also has a useful post about disabling weak ciphers, which is also required for PCI compliance, so that's great to have!

The aim of my question, though, was really to check whether Plesk will still work OK after I disable SSL 2.0.

Thanks
 
I suppose that Plesk will work fine. But you can check it and let us know how it goes.
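The thread never shows the actual change, so here is an added example (not from any poster, and not Plesk's own tooling) of what "disabling SSLv2 in the registry" on a Windows Server 2003 / IIS 6 host looks like, together with the read-back check you would want before rebooting and testing Plesk. The SChannel key layout and the `Enabled` DWORD are Microsoft's documented settings (KB 187498 / KB 245030); the weak-cipher list is my assumption about what the same PCI scan class flags (the post above mentions weak ciphers but does not list them). It assumes Windows PowerShell 2.0 is installed on the 2003 box (an optional download there) and an elevated session. The helper names `Set-SchannelEnabled`, `Test-SchannelDisabled` and the backup path are mine.

```powershell
# Added example, not from the original thread. Disable SSL 2.0 (and, optionally,
# export-grade/NULL ciphers) in SChannel on Windows Server 2003 / IIS 6, then
# verify the registry state. Assumes PowerShell 2.0 and an elevated session.

$schannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelEnabled {
    param([string]$RelativePath, [int]$Enabled)
    # Use the .NET registry API instead of the HKLM: provider: PowerShell treats
    # '/' as a path separator, which would mangle cipher key names like 'RC4 40/128'.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannelPath\$RelativePath")
    $key.SetValue('Enabled', $Enabled, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Test-SchannelDisabled {
    param([string]$RelativePath)
    # $true only if the key exists AND Enabled is explicitly 0 (absent = default = enabled).
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannelPath\$RelativePath")
    if ($key -eq $null) { return $false }
    $value = $key.GetValue('Enabled')
    $key.Close()
    return ($value -eq 0)
}

# 1. Back up the SCHANNEL subtree so the change can be reverted if Plesk breaks.
#    (Backup file name is an assumption; any writable path will do.)
$backup = Join-Path $env:TEMP ('schannel-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export "HKLM\$schannelPath" $backup | Out-Null

# 2. SSL 2.0 off for inbound (Server) and outbound (Client) connections.
#    On Server 2003 only 'Enabled' exists; 'DisabledByDefault' arrived with 2008.
$targets = @('Protocols\SSL 2.0\Server', 'Protocols\SSL 2.0\Client')

# 3. Cipher suites a PCI scan typically flags alongside SSLv2 (assumed list;
#    key names are the documented SChannel cipher subkeys).
$weakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC4 40/128', 'RC4 56/128')
$targets += $weakCiphers | ForEach-Object { "Ciphers\$_" }

foreach ($t in $targets) { Set-SchannelEnabled -RelativePath $t -Enabled 0 }

# 4. Read back every key before rebooting.
$allDisabled = $true
foreach ($t in $targets) {
    $ok = Test-SchannelDisabled -RelativePath $t
    if (-not $ok) { $allDisabled = $false }
    '{0,-28} disabled: {1}' -f $t, $ok
}
Write-Host "Backup: $backup"
if ($allDisabled) {
    Write-Host 'SChannel reads these keys at boot. Reboot, then re-test port 443 and the Plesk panel port (8443 by default).'
} else {
    Write-Warning 'At least one key was not written; check that the session is elevated.'
}
```

To confirm the change from the outside after the reboot, connect with a client that can still speak SSL 2.0 (for example an OpenSSL build old enough to accept `openssl s_client -ssl2 -connect host:443`, which is an assumption about the tester's toolchain); the handshake should now fail while `-ssl3` or `-tls1` still succeeds. Then log in to the Plesk panel on 8443 and check that its own listener accepts the remaining protocols. If it does not, `reg.exe import` on the backup file restores the previous state after another reboot.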
 