
Make your server more PCI compliant and update your TLS/Ciphersuites


Edward Dekker

Basic Pleskian
First things first.

To understand the complications of a failure caused by the ciphersuites, I update the web server with the following commands for Plesk Onyx, assuming that we use an SSH terminal.
First we have to check the web server to see what kind of ciphersuites are used by the web server and domain.
# nmap --script ssl-enum-ciphers -p 443 example.com

Now we have to check the system (the default settings are):
# cat /etc/nginx/conf.d/ssl.conf
Code:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;


Now that we've checked the system, let's upgrade the TLS and ciphersuites.

First we are making the system PCI compliant.
# sudo plesk sbin pci_compliance_resolver --enable
This results in:
# cat /etc/nginx/conf.d/ssl.conf
Code:
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;
Then we make the system more robust by allowing TLSv1.2 only (for now there is no need to upgrade to TLS 1.3 as well; it's all up to you).
# sudo plesk bin server_pref -u -ssl-protocols 'TLSv1.2'
Then we harden the ciphers (this means that not all older computers/devices can handle them).
We do this by using the "sudo plesk bin server_pref -u -ssl-ciphers" command:
Code:
sudo plesk bin server_pref -u -ssl-ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256'
This results in:
# cat /etc/nginx/conf.d/ssl.conf
Code:
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
(It's good to know that a DHE pair is needed to give computers and devices a fallback to the lowest safe encryption.)
Restart Nginx and Apache and check their status.
# sudo service nginx restart
# sudo service nginx status -l
# sudo service httpd restart
# sudo service httpd status -l

Check your settings.
# nmap --script ssl-enum-ciphers -p 443 example.com
And also:
You have to turn on the FTPS policy on your web server.

Finally, you should reboot the whole system to finish the job.
# sudo reboot

That's all!


Note to all of us

When we look for the correct ciphersuite, there are some web generators where you can find the right parameters.
Go to a generator like Mozilla's. Keep in mind that the strongest ciphers have to stay at the top.
And you can find documentation at OpenSSL.
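A small audit script, added here as an example and not part of Edward's post, that parses the default and hardened ssl.conf shown above and reports deprecated protocols, suites without forward secrecy (the static ECDH-ECDSA/ECDH-RSA entries in the hardened list), CBC suites, and whether a DHE fallback and strongest-first ordering are present. The conf texts are copied from this thread; keyword expressions such as HIGH or EECDH+AESGCM are only flagged for manual expansion, since the script does not embed OpenSSL.

```python
import re

# Constructed sample inputs: the default ssl.conf and the hardened one from the post above.
DEFAULT_CONF = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
"""
HARDENED_CONF = """\
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_ssl_directives(conf):
    """Map each ssl_* directive in an nginx conf fragment to its value (without the ';')."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"^\s*(ssl_\w+)\s+([^;]+);", conf, re.M)}


def audit_ssl_conf(conf):
    """Return a list of findings; an empty list means nothing was spotted."""
    d = parse_ssl_directives(conf)
    findings = []
    for proto in sorted(set(d.get("ssl_protocols", "").split()) & DEPRECATED_PROTOCOLS):
        findings.append(f"deprecated protocol enabled: {proto}")
    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    suites = [c for c in d.get("ssl_ciphers", "").split(":") if c]
    # Explicit OpenSSL suite names look like ECDHE-RSA-AES128-GCM-SHA256; anything else
    # (HIGH, EECDH+AESGCM, ...) is a keyword expression this script cannot expand itself.
    explicit = [c for c in suites if re.fullmatch(r"[A-Z0-9]+(-[A-Z0-9]+)+", c)]
    for c in suites:
        if c not in explicit and not c.startswith("!"):
            findings.append(f"unexpanded keyword, check with 'openssl ciphers -v': {c}")
    for c in explicit:
        if not c.startswith(("ECDHE-", "DHE-")):  # ECDH-* is static key exchange
            findings.append(f"no forward secrecy (static key exchange): {c}")
        if "-GCM-" not in c and "CHACHA20" not in c:
            findings.append(f"CBC suite, weaker than AEAD: {c}")
    if explicit and not any(c.startswith("DHE-") for c in explicit):
        findings.append("no DHE suite as a fallback for clients without ECDHE")
    if explicit and "-GCM-" not in explicit[0] and "CHACHA20" not in explicit[0]:
        findings.append(f"strongest suites should be listed first, got: {explicit[0]}")
    return findings


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(name, *audit_ssl_conf(conf), sep="\n  ")
```

Point it at your own file with `audit_ssl_conf(open("/etc/nginx/conf.d/ssl.conf").read())` after running the Plesk commands above.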
 
Hi, can you kindly edit your ciphers with a code section maybe? Because the forum converted some strings to smilies.

And maybe did you find out how to activate OCSP stapling or HIPAA?
 
Hi @daanse,

OCSP stapling is not integrated into Plesk. You could make a manual insert for that.
I've found a link to a description at Plesk: Is it possible to enable OCSP Stapling?

For a HIPAA protocol, I do not know the answer to that.

 