• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Failed SSL Report - Disable SSL v2 and v3???

Mark12345

Mark12345

Basic Pleskian
My website failed the SSL report provided by https://www.ssllabs.com/ssltest/index.html for the following reasons:

1) This server supports SSL 2, which is obsolete and insecure, and can be used against TLS (DROWN attack). Grade set to F. https://blog.qualys.com/securitylabs/2016/03/04/ssl-labs-drown-test-implementation-details
2) This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
3) This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F.

Can someone provide steps for me how best to handle this situation?

OS CentOS 6.6 (Final)
Plesk version 12.0.18 Update #98

Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 INSECURE Yes
SSL 2 INSECURE Yes
 
In that link you sent it says "disabling the SSL 3.0 ........ will deflect a potential attack."

They then explain how to disable SSL 3.0 by adding "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" to the file /etc/sw-cp-server/config

I modified this file but I'm unable to upload it due to permissions. How do I change the permissions of my username to become an owner so that I can overwrite the file?
 
Hi Mark12345,

Mark12345 said:
I modified this file but I'm unable to upload it due to permissions. How do I change the permissions of my username to become an owner so that I can overwrite the file?
Click to expand...
you should consider to connect over SFTP, using your root account. ;)
( Consider to use WinSCP ( free software ), if you use Windows... you might be surprised about its features! ;) => WinSCP :: Official Site :: Download )
 
Last edited by a moderator:
Login in via my root account worked. thx.

I have a grade "A" now!

In summary:
0) get putty and login via root account
1) update the openssl CVE-2016-2107: OpenSSL Padding Oracle vulnerability

for those of you like me who are not super awesome at ssh, when you login via putty, you enter "yum update openssl" and press enter. This is the same thing as "# yum update openssl" because the "#" part is already there.

2) for linux, download http://kb.plesk.com/Attachments/kcs-40007/ssl_v3_disable.zip and put the file at the lowest level. Then, go to that directory and type "./ssl_v3_disable.sh"

You may need to restart the server.
 
You must log in or register to reply here.

Similar threads

P
Forwarded to devs SSL It! TLS versions and ciphers by Mozilla v5 'intermediate' should support IE11 on Win7 or 8 - causes 'handshake_failure'
Replies
7
Views
3K
pleskuser67553
P
Mark12345
Issue A+ SSL/TLS Test - PCI Compliance - Ciphers - Oh My
Replies
8
Views
4K
Mark12345
Mark12345
Azurel
Resolved Why SSLv2 and SSLv3?
Replies
1
Views
1K
UFHH01
U
Edi Duluman
Resolved How to fix the TLS Poodle PCI Compliance issue
Replies
2
Views
2K
Edi Duluman
Edi Duluman
custer
Exploit in SSLv2 - update OpenSSL
Replies
14
Views
19K
Michael Howarth
M
Back
Top