How to disable TLS 1.0

[Josh_Harrington-Lunt]

Hi,

A few months back I went through the struggle of making the web server PCI compliant. Last week I caught up with some micro updates I hadn't done since and now my PCI scans are failing again.

Only thing I'm getting is that TLS 1.0 is open. I've tried everything I can find in the Odin help files to disable it but it's just not happening. Can someone please help me disable TLS 1.0

Running Plesk 12.0.18 on Centos 6.6, just apache not ngix, I did try enabling ngix and it made it worse, allowing SSLV3 again and a load of other things which I fixed last time for apache.

I've ran the command which disabled weak protocols and ciphers /usr/local/psa/admin/bin/pci_compliance_resolver --enable all which had no effect. Removed TLSv1 from /etc/sw-cp-server/config

Followed a few other Odin documents but nothing seems to be working.

Thanks
Josh

 

[Josh_Harrington-Lunt]

Bump...

 

[Amin Taheri]

Hi, which service/port is your TLS showing enabled on?

(I'm going to assume you mean for the Plesk CP itself - port 8443)

For me the /etc/sw-cp-server/config had TLSv1 in it as well - my test showed it enabled

Supported versions:
 TLSv1.0 TLSv1.1 TLSv1.2
Deflate compression: no

I removed the TLSv1.0 from the file, restarted, and it was still there.

SO ... I played some more and found that if I edited the file /usr/local/psa/admin/conf/ssl-conf.sh and I added/modified the ssl.use-sslv3 and ssl.use-sslv2 = "disable" then it worked.

That part of the file should look like this:

echo 'ssl.engine = "enable"'
echo 'ssl.use-sslv2 = "disable"'
echo 'ssl.use-sslv3 = "disable"'

Then restart the plesk service:

sudo service sw-cp-server restart

Now its disabled

Supported versions:
 TLSv1.1 TLSv1.2
Deflate compression: no

Hope that helps

 

[igor.A.]

For Plesk 12.5 version use following command to manage SSL protocols:

plesk bin server_pref -u -ssl-protocols

To manage SSL cipher suit:

plesk bin server_pref -u -ssl-ciphers

I your case it should be smth like

plesk bin server_pref -u -ssl-protocols TLSv1.2

to use only tlsv1.2 protocol and forbid using sslv3, tlsv1, tlsv1.1

Unfortunately, Plesk 12.0 have no such options. In this case you should manually change the set of ssl protocols in config files. But keep in mind that Plesk can reconfigure files on some operations like changing domain settings and so on...

 

[Josh_Harrington-Lunt]

Thank you both for the reply.

The ports that are showing up on the PCI scan are actually 4643 and 443.

Would the above close TLSv1 for those ports?

Thanks
Josh

 

[Josh_Harrington-Lunt]

Amin Taheri I tried your suggestion about editing the /usr/local/psa/admin/conf/ssl-conf.sh restarted and the scans are still showng TLSv1 as supported.

I also tried adding -TLSv1 to the protocols in /etc/httpd/conf.d/ssl.conf and it made no difference.

 

[Josh_Harrington-Lunt]

Bump, anyone know how to turn off TLSv1 for ports 443 and 4643 (virtuozzo)

 

[IgorG]

Bump, anyone know how to turn off TLSv1 for ports 443 and 4643 (virtuozzo)

Ask it in corresponding forum section - http://talk.plesk.com/categories/virtuozzo.686/

 

[Amin Taheri]

Igor, one thing I noticed is that the ssl protocols doesnt like TLS1.1 or 1.0 - it compains about it and errors out.
Error(s) in command line options: Unknown option 'TLSv1.1': /usr/local/psa/bin/server_pref -u -ssl-protocols TLSv1.2 TLSv1.1 TLSv1.0

Error(s) in command line options: Unknown option 'TLSv1.0': /usr/local/psa/bin/server_pref -u -ssl-protocols TLSv1.2 TLSv1.0

 

[KristianM]

Bump, anyone know how to turn off TLSv1 for ports 443 and 4643 (virtuozzo)

Hi,
are you the admin of the Node that runs Virtuozzo?
Do you require the VZPP at all?
If not, then just disable it on the node:
# vzctl set $CTID --offline_management no --save

If you are not the admin of the node you may ask your provider to disable it for you.
If your provider rejects to do so, you're stuck, as the VZPP Service is run on the node and can only be configured from/on the node.

Regards,
Kristian

 

[Josh_Harrington-Lunt]

Hi,
are you the admin of the Node that runs Virtuozzo?
Do you require the VZPP at all?
If not, then just disable it on the node:
# vzctl set $CTID --offline_management no --save

If you are not the admin of the node you may ask your provider to disable it for you.
If your provider rejects to do so, you're stuck, as the VZPP Service is run on the node and can only be configured from/on the node.

Regards,
Kristian

Thanks Kristian,

Correct I'm not the admin of the Node Virtuozzo runs on so there is nothing I can do as my hosting company will not change it. I've spoken to the PCI compliance people who suggested closing port 4643. Would you know how to go about that? At the moment I am letting Plesk manage the firewall rules, obviously Virtuozzo doesn't appear in that list.

 

[UFHH01]

Hi Josh_Harrington-Lunt,

please have a look at this post:

http://talk.plesk.com/threads/pci-d...running-plesk-pci-scripts.334678/#post-786773

You will find as well a link to a "PCI 3.1 Risk Plan" ( https://www.trustwave.com/Resources/Library/Documents/PCI-3-1-Risk-Plan-Template/ ) from Trustware, which should point you to the possibility to request such a "risk plan" ( with arguments as suggested and/or additional ones, which meet your needs ) at each company, requesting a PCI compliance check periodically. The company you are working with will have as well such a form / PDF, or any other document, with which you can add reasonable "issues".

 

[HostaHost]

Igor, one thing I noticed is that the ssl protocols doesnt like TLS1.1 or 1.0 - it compains about it and errors out.
Error(s) in command line options: Unknown option 'TLSv1.1': /usr/local/psa/bin/server_pref -u -ssl-protocols TLSv1.2 TLSv1.1 TLSv1.0

Error(s) in command line options: Unknown option 'TLSv1.0': /usr/local/psa/bin/server_pref -u -ssl-protocols TLSv1.2 TLSv1.0

Just FYI, the protocols need to be quoted:

# /usr/local/psa/bin/server_pref -u -ssl-protocols TLSv1.2,TLSv1.1
[2016-07-03 13:38:14] ERR [util_exec] proc_close() failed ['/usr/local/psa/admin/bin/sslmng' '--protocols' 'TLSv1.2,TLSv1.1'] with exit code [1]
sslmng failed: WARNING:Ignoring unsuppored protocol TLSv1.2,TLSv1.1
ERROR:No supported protocols supplied


# /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2 TLSv1.1"
SUCCESS: Server preferences are successfully updated