
Plesk 12.5 - SSLFix.sh dh without effect?

Squeeze999

Basic Pleskian
I am trying to fix the DH vulnerability on several servers with Ubuntu 14.04 and Debian 8 and Plesk 12.5.
Each effort I take results in a "B" on SSLlabs.com: Weak DH ciphers.

I tried the SSLFix.sh dh apache / nginx / etc. script but the result is always the same.
Also manual editing of /etc/apache2/mods-enabled/ssl.conf and /etc/nginx/plesk.conf.d/server.conf does not help. Naturally I generated new DH parameter files and restarted the services after each change.

Does anybody have an idea where the relevant config files reside?
I spent hours so far.

Regards,
Squeeze999
 
Hi UFHH01,

thanks a lot for your response.
I am very sorry, but KB 123160 did not really solve my problem. I did this several times before.
My problem is not the POODLE, it is the LOGJAM (DH weak ciphers) vulnerability.
I can do what I want, but there is no way to get rid of these weak DH cipher suites.
The SSLFix.sh script with the "dh" parameter is useless.

I managed it all before with Plesk 12.0.18 but after upgrading to 12.5 all my changes are gone :(

Best wishes

Squeeze999 from Spätzletown
 
Hi Squeeze999,

hm... you missed reading the additional thread and its posts.... what a pity, because you would have found:

http://talk.plesk.com/threads/ssl-poodle-sslv3-bug.323338/#post-761003
or
http://talk.plesk.com/threads/ssl-poodle-sslv3-bug.323338/page-4#post-762779

Even though there are MORE solutions in the thread, for different situations and services, you will find your specific issue as well. Maybe you should give it a try and start reading the thread? ^^


P.S.: In addition... if you don't tell anyone, then there is another hint here: Often enough, the SEARCH option leads to answers. In your case, you could use the search word "dhparam" ?!?
 
Hi UFHH01,

if one has eyes to see, he should use them and if one is in the lucky situation to have learned reading, he should read!!
You're absolutely right! I finally managed to update the custom templates and earn a fat green "A" on SSLlabs.com.
If additionally HSTS is configured on Nginx and Apache and, in the domain webserver settings, "Smart static files processing" is deactivated, you get an A+.

Thank you very much!

Squeeze999
 