
Enabled all pci compliance options, still failing CVE-2011-3389: SSL/TLS Protocol x 3

Discussion in 'Plesk 9.x for Linux Issues, Fixes, How-To' started by andyb-uk, Jun 25, 2012.

  1. andyb-uk

    andyb-uk, New Pleskian (Joined: Aug 17, 2009; Messages: 15; Likes Received: 0)

    Hi.

    I have the latest Plesk 9.5.x updates.

    I have enabled the PCI compliance options:

    /usr/local/psa/admin/bin/pci_compliance_resolver --enable all

    and followed the Plesk guide:

    Securing Servers in Compliance with PCI Data Security Standard - http://download1.parallels.com/Plesk...mpliance-guide

    It passes everything now except 3 failures; they are all related to SSL/TLS:

    SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability, imap (143/tcp), CVE-2011-3389

    SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability, pop3 (110/tcp), CVE-2011-3389

    SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability, https (443/tcp), CVE-2011-3389

    It seems related to SSL; I have disabled weak ciphers as outlined in the guide.

    How can I get this to pass?

    Any help is welcome.
     
  2. [QT]Bender

    [QT]Bender, Guest

    I agree, same issue here with the new PCI compliance scan. We need a solution.
     
  3. andyb-uk

    andyb-uk, New Pleskian

    Has anyone got any ideas how to get it to pass?

    Is Plesk 9.5.4 just simply not able to pass now?
     
  4. Hostasaurus.Com

    Hostasaurus.Com, Regular Pleskian (Joined: Oct 8, 2009; Messages: 465; Likes Received: 8)

    Edit /etc/courier-imap/*-ssl and look for the TLS_CIPHER_LIST line; replace it with this:

    Code:
    TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:-SSLv2:+HIGH:+MEDIUM:-LOW:-EXP:@STRENGTH"
    
    Then restart courier.
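    As an added example (not from this thread, Plesk or courier), the Python script below asks the local OpenSSL what a courier TLS_CIPHER_LIST string such as the one above actually enables and flags the CBC-mode suites that CVE-2011-3389 (BEAST) concerns under TLS 1.0. It only assumes a current Python `ssl` module; current OpenSSL builds ship no RC4 at all, so the resolved list will differ from what a 2012 server negotiated.

```python
"""Expand an OpenSSL cipher string locally and flag CBC-mode suites.

CVE-2011-3389 (BEAST) affects block ciphers in CBC mode under TLS 1.0 /
SSL 3.0; the cipher string from the thread tries to steer servers toward
the RC4 stream cipher instead. This checks what a string really enables.
"""
import re
import ssl

# TLS_CIPHER_LIST quoted in the thread for courier-imap.
THREAD_CIPHER_LIST = "ALL:!ADH:RC4+RSA:-SSLv2:+HIGH:+MEDIUM:-LOW:-EXP:@STRENGTH"

_BLOCK_CIPHER = re.compile(r"(AES|DES|CAMELLIA|SEED|IDEA|ARIA)", re.I)
_NOT_CBC_MODE = re.compile(r"(RC4|GCM|CCM|CHACHA20)", re.I)


def is_cbc_suite(name: str) -> bool:
    """True for a block cipher in CBC mode (AES128-SHA, DES-CBC3-SHA);
    False for stream (RC4), AEAD (GCM/CCM/ChaCha20) or NULL suites."""
    return bool(_BLOCK_CIPHER.search(name)) and not _NOT_CBC_MODE.search(name)


def resolve(cipher_string: str) -> list:
    """Suite names the local OpenSSL enables for cipher_string, in its order.
    TLS 1.3 suites are dropped (the cipher string does not govern them).
    Returns [] when OpenSSL rejects the string outright."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # "No cipher can be selected."
        return []
    return [c["name"] for c in ctx.get_ciphers()
            if not c["protocol"].startswith("TLSv1.3")]


def beast_report(cipher_string: str) -> dict:
    """Which enabled suites are CBC, and whether the first one (the server's
    preference, if it enforces its own order) avoids CBC."""
    suites = resolve(cipher_string)
    return {
        "enabled": suites,
        "cbc": [s for s in suites if is_cbc_suite(s)],
        "first": suites[0] if suites else None,
        "first_is_cbc": bool(suites) and is_cbc_suite(suites[0]),
    }


if __name__ == "__main__":
    rep = beast_report(THREAD_CIPHER_LIST)
    print(f"{len(rep['enabled'])} suites, {len(rep['cbc'])} CBC, first: {rep['first']}")
```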
     
  5. andyb-uk

    andyb-uk, New Pleskian

    OK, that didn't work.

    I assume it is because I had used the Plesk tool to make the server PCI compliant,

    i.e.

    /usr/local/psa/admin/bin/pci_compliance_resolver --enable courier

    - this creates

    /etc/courier-imap/imapd-ssl.pci
    /etc/courier-imap/pop3d-ssl.pci

    Which contains

    Is this conflicting?
     
    Last edited: Jul 5, 2012
  6. Hostasaurus.Com

    Hostasaurus.Com, Regular Pleskian

    Try replacing that one with the string I sent and restart courier. It took me a while to find the right combination of arguments that make the PCI scanning companies happy.
     