• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

PCI DSS Compliance.

  • Thread starter Richard Georgiou
  • Start date
R

Richard Georgiou

Guest
Good morning Plesk Support,

I'm using the latest version of the Plesk Control Panel (9.2.3) and am having terrible problems trying to get my site/server PCI DSS Compliant. The failure message are below:

Security Vulnerabilities
Protocol Port Program Risk Summary
TCP 443 https 5 Synopsis : The remote service supports the use of weak SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. See also : http://www.openssl.org/docs/apps/ciphers .html Solution: Reconfigure the affected application if possible to avoid use of weak ciphers. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:p/I:N/A:N) [More]
[Hide]
TCP 993 imaps 5 Synopsis : The remote service supports the use of weak SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. See also : http://www.openssl.org/docs/apps/ciphers .html Solution: Reconfigure the affected application if possible to avoid use of weak ciphers. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:p/I:N/A:N) [More]
[Hide]
TCP 995 pop3s 5 Synopsis : The remote service supports the use of weak SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. See also : http://www.openssl.org/docs/apps/ciphers .html Solution: Reconfigure the affected application if possible to avoid use of weak ciphers. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:p/I:N/A:N) [More]
[Hide]
TCP 443 https 4 Synopsis : The remote service encrypts traffic using a protocol with known weaknesses. Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. See also : http://www.schneier.com/paper-ssl.pdf Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. Risk Factor: Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:p/A:N/I:N/B:N) [More]
[Hide]
TCP 993 imaps 4 Synopsis : The remote service encrypts traffic using a protocol with known weaknesses. Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. See also : http://www.schneier.com/paper-ssl.pdf Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. Risk Factor: Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:p/A:N/I:N/B:N) [More]
[Hide]
TCP 995 pop3s 4 Synopsis : The remote service encrypts traffic using a protocol with known weaknesses. Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. See also : http://www.schneier.com/paper-ssl.pdf Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. Risk Factor: Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:p/A:N/I:N/B:N) [More]

I'm really hoping you can help me here as I've searched through the internet but can't seem to find out how to fix these issues. I've checked Plesk for updates but I have them all.

I really look forward to hearing from anyone who has any suggestions.

My kindest regards
Richard
 
Port 8443 Low Ciphers Enabled Non-Compliance

Hi,

I'm using plesk 9.5.

Same problem but with the plesk port (8443) - low ciphers enabled. Full SecurityMetrics.com information:

Description: SSL server accepts weak ciphers Severity: Potential Problem Impact: A remote attacker with the ability to sniff network traffic could decrypt an encrypted session. Background: Secure Sockets Layer (SSL) is an encryption protocol used to ensure confidentiality as information travels across the Internet. It is commonly used between web browsers and web servers to protect sensitive data such as passwords and credit card numbers. At the beginning of an SSL session, the client and server negotiate the encryption algorithm, known as a cipher. The chosen cipher is generally the strongest one which is supported by both the client and the server. Resolution For Apache mod_ssl web servers, use the [http://httpd.apache.org/docs/2.0/mod/mo d_ssl.html#sslciphersuite] SSLCipherSuite directive in the configuration file to specify strong ciphers only and disable SSLv2. For Microsoft IIS web servers, disable SSLv2 and any weak ciphers as described in Microsoft knowledge base articles [http://support.microsoft.com/kb/187498 ] 187498 and [http://support.microsoft.com/kb/245030 ] 245030. For other types of web servers, consult the web server documentation. Vulnerability Details: Service: 8443:TCP Supported ciphers: RC4-MD5:TLSv1/SSLv3:128-bit RC4-SHA:TLSv1/SSLv3:128-bit DES-CBC-SHA:TLSv1/SSLv3:56-bit DES-CBC3-SHA:TLSv1/SSLv3:168-bit AES128-SHA:TLSv1/SSLv3:128-bit AES256-SHA:TLSv1/SSLv3:256-bit

I verified that LOW returns ciphers by using this command on my server:
openssl s_client -connect localhost:8443 -cipher LOW

Cipher: DES-CBC-SHA

Where can I disallow LOW ciphers for plesk port 8443?
 
Last edited by a moderator:
I'm going to try some of the tips on here (EDIT: Confirmed this solved my issue...I didn't do the single sign-on step since we aren't using that):

http://www.linux-advocacy.org/web-servers/making-plesk-more-pci-compliant

They are:

Weak SSL Ciphers

As of Plesk 9.0 the control panel no longer uses Apache. It now uses Lighttpd. Disabling weak SSL ciphers is just as easy as disabling them for older Plesk versions. Add the following:

HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL

To /usr/local/psa/admin/conf/cipher.lst, then restart the control panel web server:

/etc/init.d/sw-cp-server restart

If single sign on is being utilized, the following should be added to /etc/sw-cp-server/applications.d/sso-cpserver.conf:

ssl.cipher-list = "HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL" ssl.use-sslv2 = "disable"

This needs to be placed directly below both ssl.engine = "enable" directives.
 
Last edited by a moderator:
You must log in or register to reply here.

Similar threads

Edi Duluman
Resolved How to fix the TLS Poodle PCI Compliance issue
Replies
2
Views
2K
Edi Duluman
Edi Duluman
A
Help with the compliance with Trustwave
Replies
7
Views
8K
SteveL132
S
A
Parallels Plesk Pannel 11.0.9 Horde webmail vulnerability?
Replies
4
Views
3K
_Alberto_
A
J
SSL server accepts weak ciphers on port 12443
Replies
2
Views
3K
KirkM
KirkM
D
SSL/TLS Protocol Vulnerability PCI Scan
Replies
8
Views
20K
RalphP
R
Back
Top