• Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring.
    We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design.
    If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
  • (Plesk for Windows):
    MySQL Connector/ODBC 3.51, 5.1, and 5.3 are no longer shipped with Plesk because they have reached end of life. MariaDB Connector/ODBC 64-bit 3.2.4 is now used instead.
  • Our UX team believes in the in the power of direct feedback and would like to invite you to participate in interviews, tests, and surveys.
    To stay in the loop and never miss an opportunity to share your thoughts, please subscribe to our UX research program. If you were previously part of the Plesk UX research program, please re-subscribe to continue receiving our invitations.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Resolved Failed SSL Report - Disable SSL v2 and v3???

Mark12345

Basic Pleskian
My website failed the SSL report provided by https://www.ssllabs.com/ssltest/index.html for the following reasons:

1) This server supports SSL 2, which is obsolete and insecure, and can be used against TLS (DROWN attack). Grade set to F. https://blog.qualys.com/securitylabs/2016/03/04/ssl-labs-drown-test-implementation-details
2) This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
3) This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F.

Can someone provide steps for me how best to handle this situation?

OS CentOS 6.6 (Final)
Plesk version 12.0.18 Update #98

Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 INSECURE Yes
SSL 2 INSECURE Yes
 
In that link you sent it says "disabling the SSL 3.0 ........ will deflect a potential attack."

They then explain how to disable SSL 3.0 by adding "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" to the file /etc/sw-cp-server/config

I modified this file but I'm unable to upload it due to permissions. How do I change the permissions of my username to become an owner so that I can overwrite the file?
 
Hi Mark12345,

I modified this file but I'm unable to upload it due to permissions. How do I change the permissions of my username to become an owner so that I can overwrite the file?
you should consider to connect over SFTP, using your root account. ;)
( Consider to use WinSCP ( free software ), if you use Windows... you might be surprised about its features! ;) => WinSCP :: Official Site :: Download )
 
Last edited by a moderator:
Login in via my root account worked. thx.

I have a grade "A" now!

In summary:
0) get putty and login via root account
1) update the openssl CVE-2016-2107: OpenSSL Padding Oracle vulnerability

for those of you like me who are not super awesome at ssh, when you login via putty, you enter "yum update openssl" and press enter. This is the same thing as "# yum update openssl" because the "#" part is already there.

2) for linux, download http://kb.plesk.com/Attachments/kcs-40007/ssl_v3_disable.zip and put the file at the lowest level. Then, go to that directory and type "./ssl_v3_disable.sh"

You may need to restart the server.
 
Back
Top