• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Plesk 12.5 PCI-DSS Trustwave TSL v1.0 Issue

J.Wick

J.Wick

Regular Pleskian
First off, I have to say that after setting up a new server and migrating all our customer accounts over, that Plesk 12.5 is pretty awesome! Love the changes made to backup, that will make life a lot easier, along with the extra control over which modules are installed.

I did the migration route because of all the nightmares of the upgrade path. Migration was picky, but after all the settings were 100% accounts came over perfectly.

Also, the overall security out of the box is tight and mostly PCI Compliant, which was a nice surprise. The UI is also much faster and logical. Customers will really benefit from this!

HOWEVER, we are still failing our scan due to TLS v1.0 still being available. It would be really nice to have a button in the settings area for one click PCI-Compliance settings, or just make always compliant with every update.

So if I want to allow only TLS v1.1 and 1.2 what do I need to do on Centos 7.1?

This setting will be mandatory next May 2016, so it would be nice if something was done now, rather than later for your e-commerce host providers.
 
Sergey L said:
Would this article help?
KB Odin: [HOWTO] Disable weak SSL ciphers for PCI Complaince
Click to expand...

This apparently doesn't look like it applies to Plesk 12.5 as the nginx file doesn't contain any information for ssl_protocols or ssl_ciphers support.

Any other suggestions?

While looking around in custom/server/ I found PCI_compliance.php file with the following.

Code: 
<?php if (!$VAR->server->webserver->apache->traceEnableCompliance): ?>
        TraceEnable off
<?php endif; ?>

ServerTokens ProductOnly

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
~
 
Hi SpyderZ,

is there a reason, why you opened a new thread, even that you already discussed the issue ( and possible solutions and work - arounds ) at:


The main clou is ( and always will be ), to use different specific ciphers lists, as you will notice, when using the search term "intermediate" here in forum. You will find as well links to mozilla.org, who provide several examples as "modern", "intermediate" and "old backward" compatible ciphers suites.
 
UFHH01 said:
Hi SpyderZ,

is there a reason, why you opened a new thread, even that you already discussed the issue ( and possible solutions and work - arounds ) at:


The main clou is ( and always will be ), to use different specific ciphers lists, as you will notice, when using the search term "intermediate" here in forum. You will find as well links to mozilla.org, who provide several examples as "modern", "intermediate" and "old backward" compatible ciphers suites.
Click to expand...

Yes, I've upgraded to Plesk 12.5 and I notice that there are some minor differences.

It would be really nice if Odin would use Trustwave in their research and development process in regards to the PCI-DSS compliance feature of Plesk. I'm paying a significant fee every month for Plesk so I don't have to waste time messing around with configuration files, researching and learning about cryptography, (which is very interesting but I don't have time for!), to make my server compliant, which the PCI script is suppose to do for me.

As it stands without any manual intervention after running the PCI_Compliance script here is what my latest TrustWave report is complaining about and knocking me out of compliance.

pci.png


It would be nice to have a PCI Compliance screen in the settings of Plesk. I would like a single button push that would apply all the proper security and ciphers to pass Trustwave. If you wanted to expand on this, you could give options for custom security settings for each technology, without having to go hunt and update configuration files.

I've spent over 10+ hours researching on how to disable TLS v1.0 force TLS v1.1 or v1.2, trying different configurations and it's just not working. I'm not an idiot either, I've been administering servers and Plesk since 2004. It seems like there is a lot of confusion around this topic all over the place online. Heck, even when I consult with Trustwave on what settings should be, they can't even tell me.

Someone just needs to put a simple step-by-step guide on this that works.
 
SpyderZ said:
It would be really nice if Odin would use Trustwave in their research and development process in regards to the PCI-DSS compliance feature of Plesk
Click to expand...
SpyderZ said:
As it stands without any manual intervention after running the PCI_Compliance script here is what my latest TrustWave report is complaining about and knocking me out of compliance.
Click to expand...

=> https://www.ssllabs.com/ssltest/analyze.html?d=trustwave.com

Result:
Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
Click to expand...

At the moment, they don't pass their own test. Could you explain, why Odin should give examples, solutions, work-arounds to different PCI - compliance - tests ( used by different companies ) , while they don't even pass their own compliance test and ....
SpyderZ said:
Heck, even when I consult with Trustwave on what settings should be, they can't even tell me.
Click to expand...
... as you stated, they don't even respond with decent informations to THEIR desired configuration and WHY they want you to change your current configuration BEFORE 30.06.2016 ( when TLS 1.0 should not be continued to being trusted ).


SpyderZ said:
I'm not an idiot either
Click to expand...
No one calls you an idiot, but please be aware, that the STANDART is still to use TLS 1.0 and if you would like to secure your server a bit more, than actually suggested by Odin ( who always tries to meet the standarts! ), you should consider to use your very own solutions, which might include, that you have to do some researches or/and inform yourself about ciphers and their usage.
When the standart changes, I'm pretty sure, that Odin will modify their KB - article 120 083 , to meet the standart again.
 
UFHH01 said:
=> https://www.ssllabs.com/ssltest/analyze.html?d=trustwave.com

Result:

At the moment, they don't pass their own test. Could you explain, why Odin should give examples, solutions, work-arounds to different PCI - compliance - tests ( used by different companies ) , while they don't even pass their own compliance test and ....

... as you stated, they don't even respond with decent informations to THEIR desired configuration and WHY they want you to change your current configuration BEFORE 30.06.2016 ( when TLS 1.0 should not be continued to being trusted ).



No one calls you an idiot, but please be aware, that the STANDART is still to use TLS 1.0 and if you would like to secure your server a bit more, than actually suggested by Odin ( who always tries to meet the standarts! ), you should consider to use your very own solutions, which might include, that you have to do some researches or/and inform yourself about ciphers and their usage.
When the standart changes, I'm pretty sure, that Odin will modify their KB - article 120 083 , to meet the standart again.
Click to expand...

That is gold! I'm going to take that information back to Trustwave and have some fun. Thanks for the response UFHH01!
 
You must log in or register to reply here.

Similar threads

Mark12345
Issue A+ SSL/TLS Test - PCI Compliance - Ciphers - Oh My
Replies
8
Views
4K
Mark12345
Mark12345
J
How to start your online store with WooCommerce
Replies
0
Views
3K
joerg
J
Back
Top