
Plesk 12.5 PCI-DSS Trustwave TSL v1.0 Issue

J.Wick

Regular Pleskian
First off, I have to say that after setting up a new server and migrating all our customer accounts over, Plesk 12.5 is pretty awesome! Love the changes made to backup, that will make life a lot easier, along with the extra control over which modules are installed.

I did the migration route because of all the nightmares of the upgrade path. Migration was picky, but after all the settings were 100%, accounts came over perfectly.

Also, the overall security out of the box is tight and mostly PCI compliant, which was a nice surprise. The UI is also much faster and more logical. Customers will really benefit from this!

HOWEVER, we are still failing our scan due to TLS v1.0 still being available. It would be really nice to have a button in the settings area for one-click PCI compliance settings, or just make it always compliant with every update.

So if I want to allow only TLS v1.1 and 1.2, what do I need to do on CentOS 7.1?

This setting will be mandatory next May 2016, so it would be nice if something was done now rather than later for your e-commerce host providers.
 

This apparently doesn't look like it applies to Plesk 12.5 as the nginx file doesn't contain any information for ssl_protocols or ssl_ciphers support.

Any other suggestions?

While looking around in custom/server/ I found the PCI_compliance.php file with the following.

Code:
<?php if (!$VAR->server->webserver->apache->traceEnableCompliance): ?>
        TraceEnable off
<?php endif; ?>

ServerTokens ProductOnly

# "ALL" in mod_ssl 2.4 expands to SSLv3, TLSv1, TLSv1.1 and TLSv1.2, so this
# line removes the SSL versions but still leaves TLS 1.0 enabled.
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
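The confusion in this thread comes from what "ALL" means to mod_ssl: in Apache 2.4 it expands to SSLv3, TLSv1, TLSv1.1 and TLSv1.2, so the template's "SSLProtocol ALL -SSLv2 -SSLv3" removes only the SSL versions and leaves TLS 1.0 on, which is exactly what the scanner reports. The script below is an added example, not part of the thread or of Plesk's own code. It evaluates the protocol set an SSLProtocol (Apache) or ssl_protocols (nginx) line really enables and compares the template stanza with a TLS 1.1/1.2-only replacement. The protocol table, the mod_ssl 2.4 definition of "all" and the nginx default set for the versions of that time are assumptions stated in the comments; the sample configs are constructed, with the Apache stanza copied from the template above.

```python
# Added example (not part of the thread or Plesk's own code): evaluate what
# Apache mod_ssl's SSLProtocol and nginx's ssl_protocols actually enable.
import re

# Protocol names understood by the mod_ssl/OpenSSL 1.0.1 generation on
# CentOS 7 (assumption: no TLSv1.3 in this era).
ALIASES = {
    "sslv2": "SSLv2", "sslv3": "SSLv3",
    "tlsv1": "TLSv1", "tlsv1.0": "TLSv1",
    "tlsv1.1": "TLSv1.1", "tlsv1.2": "TLSv1.2",
}
# mod_ssl 2.4 defines "all" as +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 (SSLv2 is not
# part of "all"), which is why "ALL -SSLv2 -SSLv3" still leaves TLSv1 on.
APACHE_ALL = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
# nginx default before 1.9.1 (assumption for the versions Plesk 12.5 shipped).
NGINX_DEFAULT = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
NO_TLS10 = frozenset({"TLSv1.1", "TLSv1.2"})


def apache_ssl_protocol(value):
    """Apply mod_ssl semantics: tokens left to right, '+' or bare adds,
    '-' removes, 'all' expands to APACHE_ALL."""
    enabled = set()
    for tok in value.split():
        sign, name = "+", tok
        if tok[0] in "+-":
            sign, name = tok[0], tok[1:]
        names = set(APACHE_ALL) if name.lower() == "all" else {ALIASES[name.lower()]}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def nginx_ssl_protocols(value):
    """nginx lists exactly the protocols to enable; no +/- arithmetic."""
    return {ALIASES[tok.lower()] for tok in value.split()}


def last_directive(config, name):
    """Return the argument string of the last 'name ...' line in config
    (the last occurrence wins within a scope), or None if absent."""
    pattern = re.compile(r"^\s*" + re.escape(name) + r"\s+([^;\n]+?)\s*;?\s*$",
                         re.IGNORECASE | re.MULTILINE)
    matches = pattern.findall(config)
    return matches[-1] if matches else None


def effective_protocols(config, server):
    """Protocols a server built from this config will negotiate."""
    if server == "apache":
        value = last_directive(config, "SSLProtocol")
        return apache_ssl_protocol(value) if value else set(APACHE_ALL)
    if server == "nginx":
        value = last_directive(config, "ssl_protocols")
        return nginx_ssl_protocols(value) if value else set(NGINX_DEFAULT)
    raise ValueError(server)


def disables_tls10(enabled):
    """The scanner's complaint in the thread: anything older than TLS 1.1
    still offered means a fail."""
    return bool(enabled) and enabled <= NO_TLS10


# Constructed samples. The first stanza is copied from the PCI_compliance.php
# template quoted in the thread; the others are the hardened replacements.
PLESK_TEMPLATE = """
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
"""
APACHE_HARDENED = "SSLProtocol -all +TLSv1.1 +TLSv1.2\n"
NGINX_HARDENED = "ssl_protocols TLSv1.1 TLSv1.2;\n"


def report():
    """Map each sample to (sorted enabled protocols, passes TLS 1.0 check)."""
    samples = {
        "plesk_template_apache": (PLESK_TEMPLATE, "apache"),
        "hardened_apache": (APACHE_HARDENED, "apache"),
        "nginx_no_directive": ("", "nginx"),
        "hardened_nginx": (NGINX_HARDENED, "nginx"),
    }
    out = {}
    for label, (cfg, server) in samples.items():
        enabled = effective_protocols(cfg, server)
        out[label] = (sorted(enabled), disables_tls10(enabled))
    return out


if __name__ == "__main__":
    for label, (enabled, ok) in report().items():
        print(f"{label:24} {'PASS' if ok else 'FAIL':4} {' '.join(enabled)}")
```

Run it and the template stanza reports FAIL with TLSv1 still enabled, while "SSLProtocol -all +TLSv1.1 +TLSv1.2" and "ssl_protocols TLSv1.1 TLSv1.2;" report PASS. Where Plesk expects those lines to live (its own templates under custom/ or a separate include) is not covered here; whichever file you edit, restart the web server and confirm from outside with "openssl s_client -connect host:443 -tls1", which should fail to negotiate once TLS 1.0 is off, while "-tls1_2" succeeds. The cipher string is not evaluated by this script; list what it expands to with "openssl ciphers -v" on the server itself, since that depends on the installed OpenSSL.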
 
Hi SpyderZ,

is there a reason why you opened a new thread, even though you already discussed the issue (and possible solutions and workarounds) at:


The main point is (and always will be) to use different, specific cipher lists, as you will notice when using the search term "intermediate" here in the forum. You will also find links to mozilla.org, which provides several example cipher suites as "modern", "intermediate" and "old" (backward compatible).
 
Yes, I've upgraded to Plesk 12.5 and I notice that there are some minor differences.

It would be really nice if Odin would use Trustwave in their research and development process in regard to the PCI-DSS compliance feature of Plesk. I'm paying a significant fee every month for Plesk so I don't have to waste time messing around with configuration files, researching and learning about cryptography (which is very interesting, but I don't have time for it!) to make my server compliant, which the PCI script is supposed to do for me.

As it stands, without any manual intervention after running the PCI_Compliance script, here is what my latest Trustwave report is complaining about and knocking me out of compliance for.

[screenshot: pci.png]


It would be nice to have a PCI Compliance screen in the settings of Plesk. I would like a single button push that would apply all the proper security and ciphers to pass Trustwave. If you wanted to expand on this, you could give options for custom security settings for each technology, without having to go hunt and update configuration files.

I've spent over 10 hours researching how to disable TLS v1.0 and force TLS v1.1 or v1.2, trying different configurations, and it's just not working. I'm not an idiot either, I've been administering servers and Plesk since 2004. It seems like there is a lot of confusion around this topic all over the place online. Heck, even when I consult with Trustwave on what the settings should be, they can't even tell me.

Someone just needs to put a simple step-by-step guide on this that works.
 
It would be really nice if Odin would use Trustwave in their research and development process in regards to the PCI-DSS compliance feature of Plesk
As it stands without any manual intervention after running the PCI_Compliance script here is what my latest TrustWave report is complaining about and knocking me out of compliance.

=> https://www.ssllabs.com/ssltest/analyze.html?d=trustwave.com

Result:
Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

At the moment, they don't pass their own test. Could you explain why Odin should give examples, solutions and workarounds for different PCI compliance tests (used by different companies), while they don't even pass their own compliance test and ...
Heck, even when I consult with Trustwave on what settings should be, they can't even tell me.
... as you stated, they don't even respond with decent information about THEIR desired configuration and WHY they want you to change your current configuration BEFORE 30.06.2016 (when TLS 1.0 should no longer be trusted).


I'm not an idiot either
No one calls you an idiot, but please be aware that the STANDARD is still to use TLS 1.0, and if you would like to secure your server a bit more than is currently suggested by Odin (who always tries to meet the standards!), you should consider using your very own solutions, which might include having to do some research and/or inform yourself about ciphers and their usage.
When the standard changes, I'm pretty sure that Odin will modify their KB article 120 083 to meet the standard again.
 
That is gold! I'm going to take that information back to Trustwave and have some fun. Thanks for the response UFHH01!
 