
Plesk 12: BEAST and other SSL vulnerabilities

Stuart1

New Pleskian
I recently changed my SSL certs for SHA-2, and while I was generating certs from my provider they prompted me to scan for SSL vulnerabilities, and 3 warnings came up:
  1. Sessions may be vulnerable to BEAST attack
  2. Server does not have session resumption enabled
  3. Server has not enabled HTTP Strict-Transport-Security
So my question is: how do we fix these issues? I tried following some guides, but Plesk has a different setup, since the CP generates the .conf files automatically.

Any suggestions will be appreciated. If you want to test your SSL for these and other issues, I used: https://sslcheck.globalsign.com/
 
Hi Stuart1,

You might also be interested in this thread:


... because several different modifications are mentioned there as well, which might help you to secure your server without losing compatibility for browsers or mail clients in some cases.
 
I managed to solve the issue with this -> http://kb.odin.com/en/123160 <- article by running the script
  • for Linux - Disables Apache, nginx, proftpd, courier-imap, qmail, postfix, dovecot, Plesk server engine (for versions 11.5 and later).
But you're right, now I have no email :D so thanks for pointing that out.

--

Resolved the issue using /usr/local/psa/admin/bin/pci_compliance_resolver --enable all
 
Hi Stuart1,

The possible vulnerability depends on the ciphers used on your system. Please consider removing any "CBC mode ciphers", if you don't already use a recommended cipher list.

As mentioned in the above forum thread, I still recommend the usage of the "Intermediate compatibility" solution from mozilla.org ( https://wiki.mozilla.org/Security/Server_Side_TLS ):

Code:
For Apache:

...
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
...


For NGINX:

...
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
...
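Because the BEAST finding from the scanner in the first post and the advice above both come down to which CBC-mode suites a cipher string enables, here is an added example (written for this thread, not code from the forum, Plesk or mozilla.org) that parses an OpenSSL-style cipher string like the one quoted above, reports the CBC suites in it, and produces an AEAD-only variant. The cipher list is embedded as constructed input copied from the Apache block; the classification rests on OpenSSL suite naming (GCM/CCM/CHACHA20 in the name means AEAD, a plain MAC suffix means CBC), which is an assumption this script makes about the names it sees and does not apply to aliases such as `AES` or `kEDH+AESGCM`, which OpenSSL expands only at runtime.

```python
"""Classify an OpenSSL cipher-suite string by cipher mode.

Added example, not part of the forum thread or of Plesk: it walks a
Mozilla-style cipher list such as the one quoted above and reports which
suites use CBC mode (the class a "vulnerable to BEAST" scanner finding
refers to), so the effect of an edit can be checked before it touches the
Apache/nginx configuration that Plesk generates.
"""

# Constructed input: the Apache SSLCipherSuite value quoted in the thread.
CIPHER_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:"
    "AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Naming conventions assumed here: OpenSSL puts the MAC at the end of a
# concrete suite name and marks AEAD modes explicitly in the name.
MAC_SUFFIXES = ("-SHA384", "-SHA256", "-SHA", "-MD5")
AEAD_MARKERS = ("-GCM-", "-CCM", "CHACHA20")
CBC_BULK = ("AES128", "AES256", "CAMELLIA", "DES-CBC3", "DES-CBC", "SEED", "IDEA")


def parse_cipher_string(spec):
    """Split an OpenSSL cipher string into (modifier, name) pairs.

    modifier is '!' (permanently removed), '-' (removed, may be re-added
    later in the string), '+' (moved to the end) or '' (enabled).
    """
    pairs = []
    for token in spec.split(":"):
        token = token.strip()
        if not token:
            continue
        if token[0] in "!-+":
            pairs.append((token[0], token[1:]))
        else:
            pairs.append(("", token))
    return pairs


def classify(name):
    """Return 'aead', 'cbc', 'stream', 'alias' or 'other' for one token.

    Tokens without a MAC suffix ("AES", "kEDH+AESGCM", "aNULL") are aliases
    that OpenSSL expands at runtime and cannot be classified by name alone.
    """
    if any(marker in name for marker in AEAD_MARKERS):
        return "aead"
    if not name.endswith(MAC_SUFFIXES):
        return "alias"
    if "RC4" in name:
        return "stream"
    if any(bulk in name for bulk in CBC_BULK):
        return "cbc"
    return "other"  # e.g. NULL-SHA, normally removed by !eNULL


def cbc_suites(spec):
    """Enabled concrete suites in spec that use CBC mode (the BEAST-relevant set)."""
    return [name for mod, name in parse_cipher_string(spec)
            if mod in ("", "+") and classify(name) == "cbc"]


def summarize(spec):
    """Count enabled tokens per class, e.g. {'aead': 8, 'cbc': 17, 'alias': 3}."""
    counts = {}
    for mod, name in parse_cipher_string(spec):
        if mod in ("!", "-"):
            continue
        cls = classify(name)
        counts[cls] = counts.get(cls, 0) + 1
    return counts


def strip_cbc(spec):
    """Return spec with only the explicit AEAD suites and the '!' exclusions.

    Aliases such as AES or CAMELLIA are dropped as well, because OpenSSL
    would expand them back into CBC suites. This is the trade-off the thread
    discusses: clients that cannot negotiate an AEAD suite (old browsers,
    some mail clients) will no longer be able to connect.
    """
    kept = []
    for mod, name in parse_cipher_string(spec):
        if mod == "!":
            kept.append("!" + name)
        elif mod == "" and classify(name) == "aead":
            kept.append(name)
    return ":".join(kept)


if __name__ == "__main__":
    print("CBC suites enabled:", len(cbc_suites(CIPHER_LIST)))
    for suite in cbc_suites(CIPHER_LIST):
        print("  ", suite)
    print("Summary:", summarize(CIPHER_LIST))
    print("AEAD-only list:", strip_cbc(CIPHER_LIST))
```

Run it as-is to see how many of the 28 enabled entries in the quoted list are CBC suites; to check a server's live configuration, paste the `SSLCipherSuite` or `ssl_ciphers` value from the generated Plesk config into `CIPHER_LIST`. What the scanner reports still depends on the TLS versions and cipher order the server actually negotiates, so this is a pre-check of the string, not a replacement for the scan.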
 
Hello:

For months I have followed the steps in http://kb.odin.com/en/123160, solving the Heartbleed, POODLE (TLS) and POODLE (SSLv3) vulnerabilities.
After that I checked that there was no security problem on my server. Today I rechecked the domains with an SSL certificate, and the test tools tell me that I have a BEAST vulnerability.

I have read enough about it but cannot find where the problem may be.

My server:
OS: Debian 7.9
Plesk version: 12.0.18 Update #77, last updated at Feb 20, 2016 06:37 AM

Could you help me please?
Thanks a lot.
 