[Input] Make your server more PCI compliant and update your TLS/Ciphersuites


Edward Dekker

Basic Pleskian
First things first.

To understand the complications of a failure by the ciphersuites, I update the web server with the following commands for Plesk Onyx, assuming that we use an SSH terminal.
First we have to check the web server to show what kind of ciphersuites are used by the web server and domain.
# nmap --script ssl-enum-ciphers -p 443 example.com

Now we have to check the system (the default settings are):
# cat /etc/nginx/conf.d/ssl.conf
Code:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;


Now that we've checked the system, let's upgrade the TLS and ciphersuites.

First we make the system PCI compliant.
# sudo plesk sbin pci_compliance_resolver --enable
This results in:
# cat /etc/nginx/conf.d/ssl.conf
Code:
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;
And we make the system more robust by allowing TLSv1.2 only (for now there is no need to upgrade to TLS 1.3 as well; it's all up to you).
# sudo plesk bin server_pref -u -ssl-protocols 'TLSv1.2'
Then we harden the ciphers (this means that not all older computers/devices can handle these ciphers).
By using the "sudo plesk bin server_pref -u -ssl-ciphers" command:
Code:
sudo plesk bin server_pref -u -ssl-ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256'
This results in:
# cat /etc/nginx/conf.d/ssl.conf
Code:
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
(It's good to know that a DHE pair is needed to give computers and devices a fallback to the lowest safe encryption.)
Restart Nginx and Apache and check their status.
# sudo service nginx restart
# sudo service nginx status -l
# sudo service httpd restart
# sudo service httpd status -l

Check your settings.
# nmap --script ssl-enum-ciphers -p 443 example.com
And also:
You have to turn on the FTPS policy at your web server.

After all that, you should reboot the whole system to finish the job.
# sudo reboot

That's all!


Note to all of us

When we look at the correct ciphersuite, there are some web generators where you can find the right parameters.
Go to a generator like Mozilla's. Keep in mind that the strongest ciphers have to stay at the top.
And you can find documentation at OpenSSL.
 
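A way to verify the result of the procedure above offline, as an added example that is not part of the original post: a POSIX shell audit of an nginx ssl.conf in the form Plesk writes, flagging the old protocols, the weak cipher families and the non-explicit aliases the post removes, plus the ssl_prefer_server_ciphers and ssl_dhparam settings it depends on. The sample configs and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an nginx ssl.conf
# such as the /etc/nginx/conf.d/ssl.conf that Plesk writes. Each directive is
# assumed to sit on one line and end with ';', as in the Plesk-generated file.
# check_ssl_conf FILE returns 0 when no weak setting is found, 1 otherwise.

conf_value() {   # conf_value FILE DIRECTIVE -> value without the trailing ';'
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\(.*\);.*$/\1/p" "$1" | head -n 1
}

check_ssl_conf() {
    protos=$(conf_value "$1" ssl_protocols)
    ciphers=$(conf_value "$1" ssl_ciphers)
    prefer=$(conf_value "$1" ssl_prefer_server_ciphers)
    dhparam=$(conf_value "$1" ssl_dhparam)
    bad=0
    for p in SSLv2 SSLv3 TLSv1 TLSv1.1; do   # whole-token match, so TLSv1 is not TLSv1.2
        case " $protos " in *" $p "*) echo "weak protocol enabled: $p"; bad=1 ;; esac
    done
    old_ifs=$IFS; IFS=':'
    for tok in $ciphers; do
        case "$tok" in
            "!"*) ;;                              # exclusions such as !MD5 are fine
            *RC4*|*3DES*|*DES-CBC*|*MD5*|*EXPORT*|*NULL*|*ADH*|*AECDH*)
                echo "weak suite or family listed: $tok"; bad=1 ;;
            HIGH|MEDIUM|LOW|DEFAULT|ALL)          # the real suite set then depends on the OpenSSL build
                echo "non-explicit alias listed: $tok"; bad=1 ;;
        esac
    done
    IFS=$old_ifs
    # "Strongest first" ordering only matters when the server enforces it.
    [ "$prefer" = "on" ] || { echo "ssl_prefer_server_ciphers is not on"; bad=1; }
    # DHE suites rely on the ssl_dhparam file the resolver installs.
    case ":$ciphers:" in *:DHE-*|*EDH+*)
        [ -n "$dhparam" ] || echo "note: DHE suites listed but no ssl_dhparam set" ;;
    esac
    return $bad
}
# Constructed samples: the default settings quoted in the post and a hardened variant.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' 'ssl_ciphers HIGH:!aNULL:!MD5;' \
    'ssl_prefer_server_ciphers on;' > "$SAMPLE_DIR/default.conf"
printf '%s\n' 'ssl_protocols TLSv1.2;' \
    'ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256;' \
    'ssl_prefer_server_ciphers on;' 'ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;' \
    > "$SAMPLE_DIR/hardened.conf"
for f in default hardened; do
    echo "== $f.conf"; check_ssl_conf "$SAMPLE_DIR/$f.conf" && echo "OK" || echo "FAIL"
done
```

On a live server run `check_ssl_conf /etc/nginx/conf.d/ssl.conf` after each step of the procedure; the nmap scan in the post remains the check of what clients can actually negotiate.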
Hi - can you kindly edit your ciphers with a Code section maybe? Because the forum converted some strings to smilies..

And maybe did you find out how to activate OCSP Stapling or HIPAA?
 
Hi @daanse,

OCSP stapling is not integrated into Plesk. You could make a manual insert for that.
I've found a link for a description at Plesk at: Is it possible to enable OCSP Stapling?

For a HIPAA protocol I do not know the answer to that.
