
Not PCI Compliant on 8443 - AGAIN!

LloydD

Basic Pleskian
Considering Plesk 10 was sold as PCI compliant, you should be keeping this updated and not just expecting people to upgrade to 11, because I can't at the moment due to running Ubuntu 8.04 LTS!

So I am failing my PCI Compliance scans again on Port 8443.

I have tried updating the

/opt/psa/admin/conf/cipher.lst
and
/opt/psa/admin/conf/httpsd.custom.include

files with no effect at all. Where do we update the Plesk ciphers in Plesk 10.4.4?
Thanks in advance for any help
Kind regards

Lloyd
 
Hello LloydD,

Could you please provide me or IgorG with the details from the PCI compliance report?
 
Yeah, sorry, it's failing on medium cipher suites.

Here is the list of medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

These are not in my cipher string. It also says the preferred cipher for this port is:

Preferred cipher:
TLSv1/SSLv3, Cipher is AES256-SHA AES(256)

It should be using RC4, and the lowest should be 128-bit, as I'm using the same cipher string I use on Apache, and that passes.

My httpsd.custom.include

SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

And my cipher.lst file contains the same string in the correct format for that file. Do I need both of these files?

I have double-checked this on serversniff.net, which backs up the scan.
We're running Plesk 10.4.4 Update:41
Thanks in advance for any help
Kind regards

Lloyd
 
Even if you get around the cipher issues, you're going to fail anyway because the version of lighttpd that Parallels includes supports SSL renegotiation which causes yet another PCI failure. I can't even get an answer out of them on whether we can upgrade it to fix it:

http://forum.parallels.com/showthread.php?t=261475

Ah yeah, of course there is that too.
I have subscribed to your thread, hopefully we will get some news on this soon.
Thanks
 
Try this for your cipher.lst problem:

echo "ADH-AES256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA KRB5-DES-CBC3-MD5 KRB5-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA ADH-DES-CBC3-SHA DES-CBC3-MD5" > /opt/psa/admin/conf/cipher.lst

Assuming the cipher.lst file goes in that location for your platform. I've been using that one and at least don't get the cipher alerts anymore, just all the other ones they haven't fixed.
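One way to check a cipher.lst before re-running the scan is to audit its entries against the key sizes that `openssl ciphers -v` prints (the same `Kx= Au= Enc=ALG(BITS) Mac=` line format the scanner quotes earlier in this thread) and bucket them by the scanner's stated threshold of 56 to 111 bits for "medium". The script below is an added example and not part of this thread or of Plesk; the `openssl ciphers -v` sample and the cipher.lst sample are constructed inline so it runs offline, and the "unauthenticated" bucket (suites with `Au=None`, such as the ADH entries in the list above) is an extra check of my own rather than something the scan report mentions.

```python
"""Audit a Plesk-style cipher.lst (space-separated OpenSSL cipher names)
against the per-suite key sizes reported by `openssl ciphers -v`.

Thresholds follow the scan report quoted in the thread:
  medium strength = >= 56-bit and < 112-bit symmetric key.
"""
import re
from typing import Dict, List, NamedTuple


class CipherInfo(NamedTuple):
    name: str
    protocol: str
    kx: str    # key exchange
    au: str    # authentication ("None" = anonymous, no server authentication)
    enc: str   # bulk cipher
    bits: int  # nominal key size as OpenSSL prints it
    mac: str


# Constructed sample of `openssl ciphers -v` output (hypothetical host; the
# per-suite values are the ones OpenSSL prints for these suite names).
# Note: 3DES is listed at its nominal 168 bits; its effective strength is 112.
OPENSSL_CIPHERS_V = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

# Constructed cipher.lst content (space-separated, like the echo command above).
SAMPLE_CIPHER_LST = "DES-CBC-SHA AES256-SHA ADH-AES256-SHA DES-CBC3-SHA RC4-SHA NOSUCH-CIPHER"

# One `openssl ciphers -v` line: NAME PROTO Kx=.. Au=.. Enc=ALG(BITS) Mac=.. [export]
_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[A-Za-z0-9-]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
)


def parse_openssl_verbose(text: str) -> Dict[str, CipherInfo]:
    """Parse `openssl ciphers -v` output into a name -> CipherInfo map."""
    catalog: Dict[str, CipherInfo] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # blank or unexpected line: skip rather than guess
        catalog[m["name"]] = CipherInfo(
            m["name"], m["proto"], m["kx"], m["au"], m["enc"], int(m["bits"]), m["mac"]
        )
    return catalog


def strength(bits: int) -> str:
    """Bucket a symmetric key size using the scanner's thresholds."""
    if bits < 56:
        return "low"
    if bits < 112:
        return "medium"
    return "high"


def audit_cipher_lst(cipher_lst: str, catalog: Dict[str, CipherInfo]) -> Dict[str, List[str]]:
    """Return the cipher.lst entries a PCI scan would flag, grouped by reason.

    "unknown" collects names the local OpenSSL does not know; those will be
    silently ignored by the server, so they are worth a look too.
    """
    report: Dict[str, List[str]] = {"low": [], "medium": [], "unauthenticated": [], "unknown": []}
    for name in cipher_lst.split():
        info = catalog.get(name)
        if info is None:
            report["unknown"].append(name)
            continue
        bucket = strength(info.bits)
        if bucket != "high":
            report[bucket].append(name)
        if info.au == "None":  # anonymous key exchange: no server authentication
            report["unauthenticated"].append(name)
    return report


if __name__ == "__main__":
    result = audit_cipher_lst(SAMPLE_CIPHER_LST, parse_openssl_verbose(OPENSSL_CIPHERS_V))
    for reason, names in result.items():
        if names:
            print(f"{reason}: {' '.join(names)}")
```

On a real host, replace the embedded sample with the output of `openssl ciphers -v ALL` and read the actual cipher.lst from disk; the comparison is then made against the cipher names that particular OpenSSL build knows, which is what the Plesk panel's server will actually be able to negotiate.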
 
Thanks, it seems the cipher.lst and /opt/psa/admin/conf/httpsd.custom.include files do nothing on my system, even after restarting sw-cp-server and psa.

I'm not sure what else to try at this point, hopefully someone at Plesk will be able to solve this properly!
 
Is there a /usr/local/psa/admin/conf/cipher.lst on your system? That's where it is on mine, I had just modified the path based on your original post.
 
Well, I have just added RC4-SHA as the only cipher to the cipher.lst file, restarted sw-cp-server, and it was done. Glad I was sitting down for that, lol.

So I would assume the /opt/psa/admin/conf/httpsd.custom.include is redundant.
 
Just to summarise, on an Ubuntu 8.04 LTS system you need to add the cipher.lst file to /opt/psa/admin/conf/ rather than /usr/local/psa/admin/conf as directed in the Plesk PCI Compliance docs.

That should do the trick if you're having trouble setting up the cipher.lst on an Ubuntu system.

Some OS specific docs would be great, in the meantime I hope this info helps someone.
 