
Not PCI Compliant on 8443 - AGAIN!

Discussion in 'Plesk 10.x for Linux Issues, Fixes, How-To' started by LloydD, Aug 6, 2012.

  1. LloydD

    LloydD Basic Pleskian

    Joined:
    Jul 18, 2010
    Messages:
    92
    Likes Received:
    0
    Location:
    Suffolk, UK
    Considering Plesk 10 was sold as PCI compliant, you should be keeping this updated and not just expect people to upgrade to 11, because I can't at the moment due to running Ubuntu 8.04 LTS!

    So I am failing my PCI Compliance scans again on Port 8443.

    I have tried updating the

    /opt/psa/admin/conf/cipher.lst
    and
    /opt/psa/admin/conf/httpsd.custom.include

    files, with no effect at all. Where do we update the Plesk ciphers in Plesk 10.4.4?
    Thanks in advance for any help
    Kind regards

    Lloyd
     
  2. OlegN

    OlegN Basic Pleskian Staff Member

    Joined:
    Nov 18, 2009
    Messages:
    89
    Likes Received:
    1
    Hello LloydD,

    could you please provide me or IgorG details from PCI complains report?
     
  3. LloydD

    LloydD Basic Pleskian

    Yeah, sorry, it's failing on medium cipher suites.

    These are not in my cipher string. It also says the preferred cipher for this port is ..

    It should be using RC4, and the lowest should be 128-bit, as I'm using the same cipher string I am using on Apache, and that passes.

    My httpsd.custom.include

    And my cipher.list file contains the same string in the correct format for that file. Do I need both of these files?

    I have double checked this on serversniff.net which backs up the scan.
    We're running Plesk 10.4.4 Update:41
    Thanks in advance for any help
    Kind regards

    Lloyd
     
  4. Hostasaurus.Com

    Hostasaurus.Com Regular Pleskian

    Joined:
    Oct 8, 2009
    Messages:
    465
    Likes Received:
    8
    Even if you get around the cipher issues, you're going to fail anyway because the version of lighttpd that Parallels includes supports SSL renegotiation which causes yet another PCI failure. I can't even get an answer out of them on whether we can upgrade it to fix it:

    http://forum.parallels.com/showthread.php?t=261475
     
  5. LloydD

    LloydD Basic Pleskian

    Ah yeah, of course there is that too.
    I have subscribed to your thread, hopefully we will get some news on this soon.
    Thanks
     
  6. Hostasaurus.Com

    Hostasaurus.Com Regular Pleskian

    Try this for your cipher.lst problem:

    echo "ADH-AES256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA KRB5-DES-CBC3-MD5 KRB5-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA ADH-DES-CBC3-SHA DES-CBC3-MD5" > /opt/psa/admin/conf/cipher.lst

    Assuming the cipher.lst file goes in that location for your platform. I've been using that one and at least don't get the cipher alerts anymore, just all the other ones they haven't fixed.
     
  7. LloydD

    LloydD Basic Pleskian

    Thanks, but it seems the cipher.lst and /opt/psa/admin/conf/httpsd.custom.include files do nothing on my system, even after restarting sw-cp-server and psa.

    I'm not sure what else to try at this point, hopefully someone at Plesk will be able to solve this properly!
     
    Last edited: Sep 4, 2012
  8. Hostasaurus.Com

    Hostasaurus.Com Regular Pleskian

    Is there a /usr/local/psa/admin/conf/cipher.lst on your system? That's where it is on mine, I had just modified the path based on your original post.
     
  9. LloydD

    LloydD Basic Pleskian

    Yeah I think /usr/local/psa/ is a symbolic link to /opt/psa/.
     
  10. LloydD

    LloydD Basic Pleskian

    Well, I have just added RC4-SHA as the only cipher to the cipher.lst file and restarted sw-cp-server, and it was done. Glad I was sitting down for that, lol.

    So I would assume the /opt/psa/admin/conf/httpsd.custom.include file is redundant.
     
    Last edited: Sep 4, 2012
  11. LloydD

    LloydD Basic Pleskian

    Just to summarise, on a Ubuntu 8.04 LTS system you need to add the cipher.lst file to /opt/psa/admin/conf/
    rather than /usr/local/psa/admin/conf as directed in the Plesk PCI Compliance docs

    That should do the trick if you're having trouble setting up the cipher.lst on a Ubuntu system.

    Some OS specific docs would be great, in the meantime I hope this info helps someone.
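The failing scan in this thread is a cipher-suite check: the ASV scanner (and serversniff.net) opens a connection to 8443 offering each suite in turn and records what the server accepts. The script below is added here as an illustration; it is not code from the thread or from Plesk. It reproduces that check with Python's ssl module against a host you name (the target host and port 8443 are assumptions), so a cipher.lst change can be verified right after restarting sw-cp-server instead of waiting for the next scan. One caveat for anyone reading this now: RC4 and 3DES, the ciphers the thread settles on, are themselves failing findings today (PCI DSS 3.1 and later prohibit SSL and early TLS, and scanners flag RC4 and 3DES), so the classifier treats them as failures alongside anything under 128 bits and the export, NULL and anonymous suites.

```python
"""Check which TLS cipher suites a server (e.g. Plesk's sw-cp-server on 8443)
accepts and flag the ones a PCI ASV scan would report.

Added example: not code from the forum thread or from Plesk. The target host
is supplied on the command line; port 8443 is an assumption.
"""
import socket
import ssl
import sys

MIN_BITS = 128  # scanners reported anything below this as "medium strength"


def scan_reason(cipher):
    """Return why a scanner would fail this suite, or None if it is acceptable.

    `cipher` is a dict shaped like the entries of ssl.SSLContext.get_ciphers():
    at least the keys 'name' (OpenSSL suite name) and 'strength_bits'.
    Checks run from worst to least bad so the most serious reason wins.
    """
    name, bits = cipher["name"], cipher["strength_bits"]
    if "NULL" in name:                       # no confidentiality at all
        return "null cipher"
    if name.startswith(("ADH", "AECDH")):    # anonymous key exchange: no server auth
        return "anonymous key exchange"
    if name.startswith("EXP"):               # 40/56-bit export suites
        return "export grade"
    if bits < MIN_BITS:
        return f"{bits}-bit key"
    if "RC4" in name or "DES" in name:       # RC4 and 3DES (DES-CBC3) are now prohibited
        return "deprecated algorithm"
    return None


def enumerate_suites():
    """Every pre-TLS1.3 suite this OpenSSL build can offer, as get_ciphers() dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:COMPLEMENTOFALL")
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def accepts(host, port, name, timeout=5.0):
    """True if the server completes a handshake when `name` is the only suite offered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # we are testing ciphers, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # old control panels speak TLS 1.0 only
    except (ValueError, AttributeError):
        pass                          # this build refuses TLS 1.0; keep its default floor
    try:
        # @SECLEVEL=0 lets a modern OpenSSL offer legacy suites such as RC4-SHA
        ctx.set_ciphers(name + ":@SECLEVEL=0")
    except ssl.SSLError:              # this build does not know the suite
        return False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == name
    except (OSError, ssl.SSLError):   # refused, timed out, or handshake rejected
        return False


def audit(host, port=8443):
    """Return (suite, bits, reason) for every suite the server accepts."""
    return [(c["name"], c["strength_bits"], scan_reason(c))
            for c in enumerate_suites() if accepts(host, port, c["name"])]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # hypothetical target
    for suite, bits, reason in audit(target):
        print(f"{'FAIL' if reason else 'ok  '} {suite:<30} {bits:>3} bits  {reason or ''}")
```

Run it as `python3 check8443.py panel.example.com` (the file name and host are placeholders) before and after editing cipher.lst and restarting sw-cp-server; the FAIL lines are what the scanner will list. For a one-off check of a single suite, `openssl s_client -connect panel.example.com:8443 -cipher RC4-SHA` does the same thing by hand. The script only exercises the cipher list; the client-initiated renegotiation finding mentioned above is a separate test.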
     