
How to disable TLS 1.0

Hi,

A few months back I went through the struggle of making the web server PCI compliant. Last week I caught up with some micro updates I hadn't done since and now my PCI scans are failing again.

Only thing I'm getting is that TLS 1.0 is open. I've tried everything I can find in the Odin help files to disable it but it's just not happening. Can someone please help me disable TLS 1.0?

Running Plesk 12.0.18 on CentOS 6.6, just Apache, not nginx. I did try enabling nginx and it made it worse, allowing SSLv3 again and a load of other things which I fixed last time for Apache.

I've run the command which disables weak protocols and ciphers, /usr/local/psa/admin/bin/pci_compliance_resolver --enable all, which had no effect. Removed TLSv1 from /etc/sw-cp-server/config.

Followed a few other Odin documents but nothing seems to be working.

Thanks
Josh
 
Hi, which service/port is your TLS showing enabled on?

(I'm going to assume you mean for the Plesk CP itself - port 8443)

For me the /etc/sw-cp-server/config had TLSv1 in it as well - my test showed it enabled:

Code:
Supported versions:
 TLSv1.0 TLSv1.1 TLSv1.2
Deflate compression: no

I removed the TLSv1.0 from the file, restarted, and it was still there.

SO ... I played some more and found that if I edited the file /usr/local/psa/admin/conf/ssl-conf.sh and added/modified the ssl.use-sslv3 and ssl.use-sslv2 = "disable" lines, then it worked.

That part of the file should look like this:

Code:
echo 'ssl.engine = "enable"'
echo 'ssl.use-sslv2 = "disable"'
echo 'ssl.use-sslv3 = "disable"'

Then restart the Plesk service:

Code:
sudo service sw-cp-server restart

Now it's disabled:

Code:
Supported versions:
 TLSv1.1 TLSv1.2
Deflate compression: no

Hope that helps
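The "Supported versions" check that the post above relies on can be reproduced from any host with Python's standard library. The script below is an added example for this thread, not a Plesk tool or code from any participant; it assumes Python 3.7+ linked against OpenSSL 1.1 or newer, and the function names (probe_version, scan, assess, format_report) and the default port 8443 are my own choices. It offers exactly one protocol version per connection, prints the same "Supported versions" shape seen above, and returns a PASS/FAIL verdict. A version the local OpenSSL can no longer offer is reported as inconclusive rather than as disabled, which is the trap a modern scanning host falls into when checking a server for TLS 1.0.

```python
"""Check which SSL/TLS protocol versions a port still negotiates.

Added example for this thread, not a Plesk tool. Assumes Python 3.7+ linked
against OpenSSL 1.1 or newer. Run it against each port a PCI scan reports,
e.g. 8443, 443 or 4643.
"""
import argparse
import socket
import ssl

# Versions a PCI DSS 3.1 scan flags, as in the thread: SSLv3 and TLS 1.0.
INSECURE = {"SSLv3", "TLSv1.0"}

# Display name -> ssl.TLSVersion member, in the order the report prints them.
VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, port, name, timeout=5.0):
    """Offer exactly one protocol version to host:port.

    Returns True if the handshake completed with that version, False if the
    server refused it, or None if the local OpenSSL cannot offer it at all
    (the result is then inconclusive, not a pass). Connection errors such as
    a closed port propagate as OSError so they are not mistaken for a refusal.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing protocol support, not the certificate, so skip validation.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = VERSIONS[name]
        ctx.maximum_version = VERSIONS[name]
    except (ValueError, ssl.SSLError):
        return None  # e.g. SSLv3 compiled out of this OpenSSL build
    try:
        # Recent OpenSSL builds refuse TLS 1.0/1.1 at the default security
        # level; lower it so the client can genuinely offer the old version.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # no SECLEVEL support (e.g. LibreSSL): keep the defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:
        return False  # handshake rejected: server does not speak this version


def scan(host, port):
    """Probe every version in VERSIONS and return {name: True/False/None}."""
    return {name: probe_version(host, port, name) for name in VERSIONS}


def format_report(results):
    """Render results in the shape of the 'Supported versions' output above."""
    offered = " ".join(name for name in VERSIONS if results.get(name))
    return "Supported versions:\n " + offered


def assess(results):
    """Turn a scan into a verdict.

    ("FAIL", [...])         an insecure version was negotiated
    ("INCONCLUSIVE", [...]) an insecure version could not be offered locally,
                            so another scanner must confirm it is off
    ("PASS", [...])         only the listed, acceptable versions are offered
    """
    negotiated = sorted(n for n in INSECURE if results.get(n) is True)
    if negotiated:
        return "FAIL", negotiated
    unknown = sorted(n for n in INSECURE if results.get(n) is None)
    if unknown:
        return "INCONCLUSIVE", unknown
    return "PASS", [n for n in VERSIONS if results.get(n)]


def main():
    parser = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    parser.add_argument("host")
    parser.add_argument("port", type=int, nargs="?", default=8443)
    args = parser.parse_args()
    results = scan(args.host, args.port)
    print(format_report(results))
    verdict, detail = assess(results)
    print(f"{verdict}: {' '.join(detail) or 'nothing offered'}")


if __name__ == "__main__":
    main()
```

Usage: `python3 tlsprobe.py panel.example.com 8443`, then repeat for 443 and 4643. Because the script offers a single version per handshake, a "False" for TLSv1.0 means the server itself rejected it, which is the evidence a PCI scanner is looking for; an INCONCLUSIVE result means your scanning host's OpenSSL is too new to speak the old protocol and you need a second opinion from the scanner vendor's tool.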
 
For Plesk 12.5 use the following command to manage SSL protocols:
Code:
plesk bin server_pref -u -ssl-protocols
To manage the SSL cipher suite:
Code:
plesk bin server_pref -u -ssl-ciphers

In your case it should be something like
Code:
plesk bin server_pref -u -ssl-protocols TLSv1.2
to use only the TLSv1.2 protocol and forbid the use of SSLv3, TLSv1 and TLSv1.1.

Unfortunately, Plesk 12.0 has no such options. In this case you should manually change the set of SSL protocols in the config files. But keep in mind that Plesk can reconfigure files on some operations, like changing domain settings and so on...
 
Thank you both for the reply.

The ports that are showing up on the PCI scan are actually 4643 and 443.

Would the above close TLSv1 for those ports?

Thanks
Josh
 
Amin Taheri, I tried your suggestion about editing /usr/local/psa/admin/conf/ssl-conf.sh, restarted, and the scans are still showing TLSv1 as supported.

I also tried adding -TLSv1 to the protocols in /etc/httpd/conf.d/ssl.conf and it made no difference.
 
Igor, one thing I noticed is that the SSL protocols option doesn't like TLS1.1 or 1.0 - it complains about it and errors out.
Error(s) in command line options: Unknown option 'TLSv1.1': /usr/local/psa/bin/server_pref -u -ssl-protocols TLSv1.2 TLSv1.1 TLSv1.0

Error(s) in command line options: Unknown option 'TLSv1.0': /usr/local/psa/bin/server_pref -u -ssl-protocols TLSv1.2 TLSv1.0
 
Bump, anyone know how to turn off TLSv1 for ports 443 and 4643 (Virtuozzo)?

Hi,
are you the admin of the Node that runs Virtuozzo?
Do you require the VZPP at all?
If not, then just disable it on the node:
# vzctl set $CTID --offline_management no --save

If you are not the admin of the node you may ask your provider to disable it for you.
If your provider refuses to do so, you're stuck, as the VZPP service runs on the node and can only be configured from/on the node.

Regards,
Kristian
 
Hi,
are you the admin of the Node that runs Virtuozzo?
Do you require the VZPP at all?
If not, then just disable it on the node:
# vzctl set $CTID --offline_management no --save

If you are not the admin of the node you may ask your provider to disable it for you.
If your provider refuses to do so, you're stuck, as the VZPP service runs on the node and can only be configured from/on the node.

Regards,
Kristian

Thanks Kristian,

Correct, I'm not the admin of the node Virtuozzo runs on, so there is nothing I can do, as my hosting company will not change it. I've spoken to the PCI compliance people, who suggested closing port 4643. Would you know how to go about that? At the moment I am letting Plesk manage the firewall rules; obviously Virtuozzo doesn't appear in that list.
 
Hi Josh_Harrington-Lunt,

please have a look at this post:

http://talk.plesk.com/threads/pci-d...running-plesk-pci-scripts.334678/#post-786773

You will also find a link to a "PCI 3.1 Risk Plan" ( https://www.trustwave.com/Resources/Library/Documents/PCI-3-1-Risk-Plan-Template/ ) from Trustwave, which should point you to the possibility of requesting such a "risk plan" ( with the arguments suggested there and/or additional ones which meet your needs ) from any company that periodically requests a PCI compliance check. The company you are working with will also have such a form / PDF, or some other document, with which you can add reasonable "issues".
 
Igor, one thing I noticed is that the SSL protocols option doesn't like TLS1.1 or 1.0 - it complains about it and errors out.
Error(s) in command line options: Unknown option 'TLSv1.1': /usr/local/psa/bin/server_pref -u -ssl-protocols TLSv1.2 TLSv1.1 TLSv1.0

Error(s) in command line options: Unknown option 'TLSv1.0': /usr/local/psa/bin/server_pref -u -ssl-protocols TLSv1.2 TLSv1.0

Just FYI, the protocols need to be quoted:

# /usr/local/psa/bin/server_pref -u -ssl-protocols TLSv1.2,TLSv1.1
[2016-07-03 13:38:14] ERR [util_exec] proc_close() failed ['/usr/local/psa/admin/bin/sslmng' '--protocols' 'TLSv1.2,TLSv1.1'] with exit code [1]
sslmng failed: WARNING:Ignoring unsuppored protocol TLSv1.2,TLSv1.1
ERROR:No supported protocols supplied


# /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2 TLSv1.1"
SUCCESS: Server preferences are successfully updated
 