Resolved Failed SSL Report - Disable SSL v2 and v3???

[Mark12345]

My website failed the SSL report provided by https://www.ssllabs.com/ssltest/index.html for the following reasons:

1) This server supports SSL 2, which is obsolete and insecure, and can be used against TLS (DROWN attack). Grade set to F. https://blog.qualys.com/securitylabs/2016/03/04/ssl-labs-drown-test-implementation-details
2) This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
3) This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F.

Can someone provide steps for me how best to handle this situation?

OS CentOS 6.6 (Final)
Plesk version 12.0.18 Update #98

Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 INSECURE Yes
SSL 2 INSECURE Yes

 

[UFHH01]

Hi Mark12345,

pls. consider to inform yourself at:

=> CVE-2014-3566: POODLE Attack Exploiting SSL 3.0 Fallback ( KB - article 213410909 )​

... and find the attached patch - file and resolutions for several OS and several Plesk versions.

 

[Mark12345]

=> CVE-2014-3566: POODLE Attack Exploiting SSL 3.0 Fallback ( KB - article 213410909 )​

... and find the attached patch - file and resolutions for several OS and several Plesk versions.

Can I just disable SSL v2 and v3? Wouldn't this be easier/safer?

 

[UFHH01]

Hi Mark12345,

Wouldn't this be easier/safer?

No. This wouldn't be easier/safer and apart from that not faster...

 

[Mark12345]

In that link you sent it says "disabling the SSL 3.0 ........ will deflect a potential attack."

They then explain how to disable SSL 3.0 by adding "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" to the file /etc/sw-cp-server/config

I modified this file but I'm unable to upload it due to permissions. How do I change the permissions of my username to become an owner so that I can overwrite the file?

 

[UFHH01]

Hi Mark12345,

I modified this file but I'm unable to upload it due to permissions. How do I change the permissions of my username to become an owner so that I can overwrite the file?

you should consider to connect over SFTP, using your root account.
( Consider to use WinSCP ( free software ), if you use Windows... you might be surprised about its features! => WinSCP :: Official Site :: Download )

 

[Mark12345]

Login in via my root account worked. thx.

I have a grade "A" now!

In summary:
0) get putty and login via root account
1) update the openssl CVE-2016-2107: OpenSSL Padding Oracle vulnerability

for those of you like me who are not super awesome at ssh, when you login via putty, you enter "yum update openssl" and press enter. This is the same thing as "# yum update openssl" because the "#" part is already there.

2) for linux, download http://kb.plesk.com/Attachments/kcs-40007/ssl_v3_disable.zip and put the file at the lowest level. Then, go to that directory and type "./ssl_v3_disable.sh"

You may need to restart the server.