• Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring.
    We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design.
    If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
  • Our UX team believes in the in the power of direct feedback and would like to invite you to participate in interviews, tests, and surveys.
    To stay in the loop and never miss an opportunity to share your thoughts, please subscribe to our UX research program. If you were previously part of the Plesk UX research program, please re-subscribe to continue receiving our invitations.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Input Make your server more PCI compliant and update your TLS/Ciphersuites

Do you like these instructions?

  • Yes

    Votes: 1 100.0%

  • No

    Votes: 0 0.0%

  • Could be better

    Votes: 0 0.0%
  • Total voters
    1
Edward Dekker

Edward Dekker

Basic Pleskian
First, things first.

To understand the complications of a failure by the ciphersuites do i update the web-server by the following commands for Plesk Onyx. Assuming that we use a SSH terminal.
And we have to check up the web-server at all to show what kind of ciphersuite are used at the webserver and domain.
# nmap --script ssl-enum-ciphers -p 443 example.com​

Now, we have to check the system (Default settings are).
# cat /etc/nginx/conf.d/ssl.conf
Code: 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;


For now we've checked the system, let's upgrade the TLS and Ciphersuites.
First we are making the system PCI compliant.
# sudo plesk sbin pci_compliance_resolver --enable
This results into:
# cat /etc/nginx/conf.d/ssl.conf
Code: 
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;
And we are making the system more robust to allow TLSv1.2 only (for now there are no needs to upgrade to TLS1.3 also at the moment, i'ts all on you).
# sudo plesk bin server_pref -u -ssl-protocols 'TLSv1.2'
Than we harden the good ciphers (This results that not all older computers/devices can handle the ciphers).
By using the "sudo plesk bin server_pref -u -ssl-ciphers" command.
Code: 
sudo plesk bin server_pref -u -ssl-ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256'
This results into:
# cat /etc/nginx/conf.d/ssl.conf
Code: 
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
(It's good to know that a DHE pair are needed to give computers and devices a fallback to the lowest and safe encryption)
Reboot the Nginx and Apache and check your status.
# sudo service nginx restart
# sudo service nginx status -l
# sudo service httpd restart
# sudo service httpd status -l​

Check your settings.
# nmap --script ssl-enum-ciphers -p 443 example.com
And by:
You have to turn on the FTPS policy at your webserver.

After all you'll should have to make a reboot of the whole system to finish the job.
# sudo reboot

Thats all!


Note to all of us

When we look at the correct ciphersuite, there are some webgenerators where you'll can find the right parameters.
Go to a generator like Mozilla. Keep in mind that the strongest ciphers have to stay above.
And you could find documentation at OpenSSL.​
 
Last edited:
Hi - Can you kindly edit your Ciphers with Code Section maybe? Because Forum konverted some strings to Smilies..

Any maybe did you found out how to activate OSCP Stapling or HIPAA?
 
Hi @daanse,

The OCSP stapling are not integrated into Plesk. You could make a manual insert for that.
I've foud a link for a discription at Plesk at: Is it possible to enable OCSP Stapling?

For a HIPAA protocol do i not knowing the answers about that.

daanse said:
Hi - Can you kindly edit your Ciphers with Code Section maybe? Because Forum konverted some strings to Smilies..

Any maybe did you found out how to activate OSCP Stapling or HIPAA?
Click to expand...
 
You must log in or register to reply here.

Similar threads

A
Issue FTP - Insecure server, it does not support FTP over TLS.
Replies
3
Views
594
Alban Staehli
A
Heinrich
Issue node.js configuration in PLESK Obsidian 18.0.67 Update Nr. 3
Replies
0
Views
179
Heinrich
Heinrich
Polli
Issue Getting DANE working
2
Replies
33
Views
3K
Polli
Polli
D
Question Connection error from UnityWebRequest to my plesk server on older devices
Replies
1
Views
1K
Nik G
N
O
Question Nginx compile by Plesk and chipers
Replies
6
Views
2K
IgorG
IgorG
Back
Top