How to disable SNI in Plesk Panel 12?

[yabado]

I have several clients still using WinXP.
How do I disable SNI for SSL certificates ( and just use old IP way )?

 

[yabado]

Or, is there a way to leave it on and still have a IP based SSL work on older WinXP browsers?

 

[Sergey L]

Yes, just assign different IPs per domain in good old way and assign different certificates. It shall work

 

[yabado]

Sergey,

I already have that setup, but the certificates do not work in WinXP browsers nonetheless. The domain's PTR is in place and everything. Is there a trick to getting this to work? I have been told that since the server suppports SNI, that is why the certificates are not being trusted from old browsers. What is the trick?

 

[yabado]

OK, instead of creating the certificate in the hosting settings for the subscription ( Secure your Sites ), should I set it up as a system wide certificate and bind it to an available IP address? Then make sure that site uses that IP address?

 

[abdi]

Hello Yabado,
In the installation of your SSLs, did you also install the Root CA?
We & many PP users have used SNI but not experienced the problems you are facing with Windows ..Perhaps its another problem other than SNI.

 

[yabado]

@abdi,

Yes, I have the complete CA Chain all the way down to ROOT.

 

[abdi]

Hello Yabado,
Please give me a sample domain name with the SSL error I look at the error here ...

 

[yabado]

panel.macdock.com
www.churchartworks.com

 

[abdi]

Yabado,
I have opened https://www.churchartworks.com/contact.html and I couldn't see any errors reported by the browser. I am using Windows XP with Mozilla.
How am I supposed to reproduce the stated errors/failures?

 

[yabado]

WinXP and any shitty version of IE ;-)

 

[abdi]

I have again tested it with WinXP + IE 8. But still I didn't get any notifications / warnings or errors.
What version of IE are you using?

 

[yabado]

I have tested 7 and 8, but will go back and see if it still happens.

 

[abdi]

Sure no problem! Nice weekend!

 

[UFHH01]

Hi yabado,

first of all, please consider to fix your server vulnerability. According to my tests, your server is vulnerable to the POODLE attack. Please see the => KB - article 123 160 <= for suggestions and explanations. As well, consider reading the forum thread: SSL POODLE / SSLv3 bug ( Parallels Forum - Link )


To solve the SNI - issue for XP - users there are only two work - arounds:

Host each domain on a single IP or/and use certificates with the "SubjectAltName" field.​

 

[yabado]

Why are we having to do this? Shouldn't Plesk fix all these vulnerabilities with an update?

 

[UFHH01]

Hi yabado,

Plesk software HELPS to make server administration easier, but it doesn't replace a server administrator, yabado. As you might notice, the Poodle vulnerabilities are not based on Plesk software - they are based on SSL protocols, which are not part of Plesk.

 

[yabado]

I made the necessary changes to the main ssl apache conf file, but it does not seem to change things?
Do I need to dig down and edit the existing vhost conf files to remove the sslv3 ?

 

[UFHH01]

Hi yabado,

please review the mentioned KB - article again and please read as well the mentioned thread. If you go step-by-step and follow the mentioned suggestions ( as well in the thread! ), you won't have any issues. If you do have issues, please include errors from error - logs and/or depending configuration files, so that we might help with additional suggestions to solve your issues.

Parallels Plesk Panel for Linux services logs and configuration files ( KB - article: 111 283 )​

The possible issues because of missing configurations are countless, so we might only guess, what's missing or misconfigured... so it is really essential, to include error messages, to help you. Don't forget as well to restart the several services, when you changed configuration files of them and post the ouput of any command you use to check your configuration.

To check your apache/nginx configuration, you can as well use the suggestion from the KB - article:

You can verify whether SSLv3 is disabled using the following command:

openssl s_client -connect localhost:465 -ssl3