Facebook
Twitter
Seemingly at random, pages across different clients that have authentication enabled on a folder or file will not load - they simply go to an error page immediately rather than asking for username and password.
Restarting Apache will sometimes fix this, but then the problem will come back at some point in the future. For reasons I will explain, I believe that this reversion of the issue occurs when Apache reloads config, but only some of the time.
Upon examining the problem closer one of my clients discovered that when the page fails to load, changing the password hash to using crypto() rather than with the -m flag during htpasswd generation (for md5), the problem is resolved.
This issue did not occur before the transition to our new Plesk 9.5.2 server (it was running Plesk 9.3 before).
The only difference that I could ascertain that might be related to this is with the SSL Cipher limitations imposed for PCI compliance within the file:
/etc/httpd/conf.d/zz050-psa-disable-weak-ssl-ciphers.conf
Although the two directives within this file are supposed to override the defaults provided in /etc/httpd/conf.d/ssl.conf, I believe that for some unknown reason, when Apache reloads its configuration files, it is sometimes failing to include the directives in the Plesk weak ciphers file OR it is loading it but not allowing it to take precedence over the same directives found within the ssl.conf file.
My solution (that has held up for about 24 hours without issue) was to comment out the same lines in ssl.conf:
SSLProtocol and SSLCipherSuite
I'm hoping this will remain fixed by doing this and I hope that it helps solve the problem for anyone else experiencing it. Ultimately if I'm correct about the problem, then I believe this is something that will need to be repaired in Apache.
Restarting Apache will sometimes fix this, but then the problem will come back at some point in the future. For reasons I will explain, I believe that this reversion of the issue occurs when Apache reloads config, but only some of the time.
Upon examining the problem closer one of my clients discovered that when the page fails to load, changing the password hash to using crypto() rather than with the -m flag during htpasswd generation (for md5), the problem is resolved.
This issue did not occur before the transition to our new Plesk 9.5.2 server (it was running Plesk 9.3 before).
The only difference that I could ascertain that might be related to this is with the SSL Cipher limitations imposed for PCI compliance within the file:
/etc/httpd/conf.d/zz050-psa-disable-weak-ssl-ciphers.conf
Although the two directives within this file are supposed to override the defaults provided in /etc/httpd/conf.d/ssl.conf, I believe that for some unknown reason, when Apache reloads its configuration files, it is sometimes failing to include the directives in the Plesk weak ciphers file OR it is loading it but not allowing it to take precedence over the same directives found within the ssl.conf file.
My solution (that has held up for about 24 hours without issue) was to comment out the same lines in ssl.conf:
SSLProtocol and SSLCipherSuite
I'm hoping this will remain fixed by doing this and I hope that it helps solve the problem for anyone else experiencing it. Ultimately if I'm correct about the problem, then I believe this is something that will need to be repaired in Apache.
