• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

How to disable SNI in Plesk Panel 12?

yabado

Regular Pleskian
I have several clients still using WinXP.
How do I disable SNI for SSL certificates ( and just use old IP way )?
 
Or, is there a way to leave it on and still have a IP based SSL work on older WinXP browsers?
 
Yes, just assign different IPs per domain in good old way and assign different certificates. It shall work
 
Sergey,

I already have that setup, but the certificates do not work in WinXP browsers nonetheless. The domain's PTR is in place and everything. Is there a trick to getting this to work? I have been told that since the server suppports SNI, that is why the certificates are not being trusted from old browsers. What is the trick?
 
OK, instead of creating the certificate in the hosting settings for the subscription ( Secure your Sites ), should I set it up as a system wide certificate and bind it to an available IP address? Then make sure that site uses that IP address?
 
Hello Yabado,
In the installation of your SSLs, did you also install the Root CA?
We & many PP users have used SNI but not experienced the problems you are facing with Windows ..Perhaps its another problem other than SNI.
 
Hello Yabado,
Please give me a sample domain name with the SSL error I look at the error here ...
 
I have again tested it with WinXP + IE 8. But still I didn't get any notifications / warnings or errors.
What version of IE are you using?
 
Hi yabado,

first of all, please consider to fix your server vulnerability. According to my tests, your server is vulnerable to the POODLE attack. Please see the => KB - article 123 160 <= for suggestions and explanations. As well, consider reading the forum thread: SSL POODLE / SSLv3 bug ( Parallels Forum - Link )


To solve the SNI - issue for XP - users there are only two work - arounds:

Host each domain on a single IP or/and use certificates with the "SubjectAltName" field.​
 
Why are we having to do this? Shouldn't Plesk fix all these vulnerabilities with an update?
 
Hi yabado,

Plesk software HELPS to make server administration easier, but it doesn't replace a server administrator, yabado. As you might notice, the Poodle vulnerabilities are not based on Plesk software - they are based on SSL protocols, which are not part of Plesk.
 
I made the necessary changes to the main ssl apache conf file, but it does not seem to change things?
Do I need to dig down and edit the existing vhost conf files to remove the sslv3 ?
 
Hi yabado,

please review the mentioned KB - article again and please read as well the mentioned thread. If you go step-by-step and follow the mentioned suggestions ( as well in the thread! ), you won't have any issues. If you do have issues, please include errors from error - logs and/or depending configuration files, so that we might help with additional suggestions to solve your issues.


The possible issues because of missing configurations are countless, so we might only guess, what's missing or misconfigured... so it is really essential, to include error messages, to help you. Don't forget as well to restart the several services, when you changed configuration files of them and post the ouput of any command you use to check your configuration.

To check your apache/nginx configuration, you can as well use the suggestion from the KB - article:

You can verify whether SSLv3 is disabled using the following command:

openssl s_client -connect localhost:465 -ssl3
 
Back
Top