• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Input Make your server more PCI compliant and update your TLS/Ciphersuites

Do you like these instructions?

  • Yes

    Votes: 1 100.0%

  • No

    Votes: 0 0.0%

  • Could be better

    Votes: 0 0.0%
  • Total voters
    1
Edward Dekker

Edward Dekker

Basic Pleskian
First, things first.

To understand the complications of a failure by the ciphersuites do i update the web-server by the following commands for Plesk Onyx. Assuming that we use a SSH terminal.
And we have to check up the web-server at all to show what kind of ciphersuite are used at the webserver and domain.
# nmap --script ssl-enum-ciphers -p 443 example.com​

Now, we have to check the system (Default settings are).
# cat /etc/nginx/conf.d/ssl.conf
Code: 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;


For now we've checked the system, let's upgrade the TLS and Ciphersuites.
First we are making the system PCI compliant.
# sudo plesk sbin pci_compliance_resolver --enable
This results into:
# cat /etc/nginx/conf.d/ssl.conf
Code: 
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;
And we are making the system more robust to allow TLSv1.2 only (for now there are no needs to upgrade to TLS1.3 also at the moment, i'ts all on you).
# sudo plesk bin server_pref -u -ssl-protocols 'TLSv1.2'
Than we harden the good ciphers (This results that not all older computers/devices can handle the ciphers).
By using the "sudo plesk bin server_pref -u -ssl-ciphers" command.
Code: 
sudo plesk bin server_pref -u -ssl-ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256'
This results into:
# cat /etc/nginx/conf.d/ssl.conf
Code: 
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
(It's good to know that a DHE pair are needed to give computers and devices a fallback to the lowest and safe encryption)
Reboot the Nginx and Apache and check your status.
# sudo service nginx restart
# sudo service nginx status -l
# sudo service httpd restart
# sudo service httpd status -l​

Check your settings.
# nmap --script ssl-enum-ciphers -p 443 example.com
And by:
You have to turn on the FTPS policy at your webserver.

After all you'll should have to make a reboot of the whole system to finish the job.
# sudo reboot

Thats all!


Note to all of us

When we look at the correct ciphersuite, there are some webgenerators where you'll can find the right parameters.
Go to a generator like Mozilla. Keep in mind that the strongest ciphers have to stay above.
And you could find documentation at OpenSSL.​
 
Last edited:
Hi - Can you kindly edit your Ciphers with Code Section maybe? Because Forum konverted some strings to Smilies..

Any maybe did you found out how to activate OSCP Stapling or HIPAA?
 
Hi @daanse,

The OCSP stapling are not integrated into Plesk. You could make a manual insert for that.
I've foud a link for a discription at Plesk at: Is it possible to enable OCSP Stapling?

For a HIPAA protocol do i not knowing the answers about that.

daanse said:
Hi - Can you kindly edit your Ciphers with Code Section maybe? Because Forum konverted some strings to Smilies..

Any maybe did you found out how to activate OSCP Stapling or HIPAA?
Click to expand...
 
You must log in or register to reply here.

Similar threads

J
Issue DEBIAN 12 OPENSSL 3.0 DOVECOT does not allow login
Replies
1
Views
671
Yaroslav_T
Yaroslav_T
D
Question Connection error from UnityWebRequest to my plesk server on older devices
Replies
1
Views
1K
Nik G
N
O
Question Nginx compile by Plesk and chipers
Replies
6
Views
2K
IgorG
IgorG
M
Question changed nginx ssl.conf
Replies
2
Views
1K
moswak
M
J
Question Dovecot Error: auth-master: userdb list: User listing returned failure
Replies
2
Views
2K
Jadek
J
Back
Top