While researching PCI Compliance on Ubuntu I couldn't find much info for Ubuntu so here's what has got me PCI Compliant -
Plesk 10.4.4 MU42 PCI Compliance on Ubuntu 8.04 LTS September 2012
Apache
Add to or create /etc/apache2/conf.d/zz050-psa-disable-weak-ssl-ciphers.conf and add
SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH:!EDH:!3DES
And restart apache
/etc/init.d/apache2 restart
Postfix
Open /etc/postfix/main.cf in your favourite editor, e.g.
vi /etc/postfix/main.cf
And add the following -
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
tls_high_cipherlist = RC4-SHA
smtpd_tls_mandatory_ciphers = HIGH
save the file and restart Postfix
/etc/init.d/postfix restart
Courier-Imap
Here you need to edit two files, /etc/courier-imap/pop3d-ssl and /etc/courier-imap/imapd-ssl. In both files find the line TLS_CIPHER_LIST and add RC4-SHA like this –
TLS_CIPHER_LIST="RC4-SHA"
Save the file and restart courier-imap –
/etc/init.d/courier-imap restart
Qmail
Here you need to edit or create files /var/qmail/control/tlsserverciphers and /var/qmail/control/tlsclientciphers
And add
RC4-SHA
Save the files and restart qmail
/etc/init.d/qmail restart
Plesk 10.4.4
Here you need to create the file /opt/psa/admin/conf/cipher.lst and add
RC4-SHA
and restart the Plesk server -
/etc/init.d/sw-cp-server restart
Now you can check your ciphers at http://serversniff.net/content.php?do=ssl
I have used just RC4-SHA on everything except Apache as that honoured the cipher order and others didn’t want to.
I will look into this further at some point, but for the time being we are PCI Compliant and have mitigated against BEAST on all ports.
I hope this helps someone else.
Regards
Lloyd
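A local check to go with the online scan mentioned in the post, as an added example that is not part of the original post: it reads the cipher setting from each file the post edits and reports whether the preferred cipher comes first. The file paths and setting names are the post's; the function names, the format labels and the rule that the last setting in a file wins are assumptions of this example.

```python
import os
import re

# Where the cipher string lives in each file format the post edits.
# "bare" files (qmail, Plesk) hold nothing but the cipher string.
PATTERNS = {
    "apache": re.compile(r"^[ \t]*SSLCipherSuite[ \t]+(\S+)", re.M),
    "postfix": re.compile(r"^tls_high_cipherlist[ \t]*=[ \t]*(\S+)", re.M),
    "courier": re.compile(r'^[ \t]*TLS_CIPHER_LIST[ \t]*=[ \t]*"?([^"\s]+)', re.M),
    "bare": re.compile(r"^[ \t]*([^#\s]\S*)[ \t]*$", re.M),
}

# Paths come from the post; the format label per path is this example's own.
FILES = {
    "/etc/apache2/conf.d/zz050-psa-disable-weak-ssl-ciphers.conf": "apache",
    "/etc/postfix/main.cf": "postfix",
    "/etc/courier-imap/pop3d-ssl": "courier",
    "/etc/courier-imap/imapd-ssl": "courier",
    "/var/qmail/control/tlsserverciphers": "bare",
    "/var/qmail/control/tlsclientciphers": "bare",
    "/opt/psa/admin/conf/cipher.lst": "bare",
}

def cipher_list(fmt, text):
    """Return the last cipher string set in text, split on ':', or None."""
    found = PATTERNS[fmt].findall(text)
    return found[-1].split(":") if found else None

def audit(contents, preferred="RC4-SHA"):
    """Map each path to 'ok', 'mismatch' or 'missing' for the first cipher."""
    report = {}
    for path, fmt in FILES.items():
        tokens = cipher_list(fmt, contents.get(path, ""))
        if tokens is None:
            report[path] = "missing"
        else:
            report[path] = "ok" if tokens[0] == preferred else "mismatch"
    return report

if __name__ == "__main__":
    # Constructed sample, used only when none of the files exist on this host.
    sample = {"/etc/postfix/main.cf": "tls_high_cipherlist = RC4-SHA\n",
              "/etc/courier-imap/imapd-ssl": 'TLS_CIPHER_LIST="HIGH:MEDIUM"\n'}
    on_disk = {p: open(p).read() for p in FILES if os.path.isfile(p)}
    for path, status in audit(on_disk or sample).items():
        print(f"{status:8} {path}")
```

This only confirms what is written in the files; what each service actually negotiates after its restart still needs a scan against the listening port.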