
Plesk 12: BEAST and other SSL vulnerabilities

Stuart1

New Pleskian
I recently changed my SSL Certs for SHA-2, and while I was generating Certs from my provider they prompted me to scan for SSL vulnerabilities, and 3 warnings came up.
  1. Sessions may be vulnerable to BEAST attack
  2. Server does not have session resumption enabled
  3. Server has not enabled HTTP Strict-Transport-Security
So my question is: how do we fix these issues? I tried following some guides, but Plesk has a different setup, since the CP generates the .conf automatically.

Any suggestions will be appreciated. If you want to test your SSL for these and other issues, I used: https://sslcheck.globalsign.com/
 
Hi Stuart1,

you might also be interested in this thread:


... because several different modifications are mentioned there as well, which might help you secure your server without losing compatibility with browsers or mail clients in some cases.
 
I managed to solve the issue with this -> http://kb.odin.com/en/123160 <- article by running the script
  • for Linux - Disables Apache, nginx, proftpd, courier-imap, qmail, postfix, dovecot, Plesk server engine (for versions 11.5 and later).
But you're right, now I have no email :D so thanks for pointing that out.

--

Resolved the issue using /usr/local/psa/admin/bin/pci_compliance_resolver --enable all
 
Hi Stuart1,

the possible vulnerability depends on the ciphers used on your system. Please consider removing any "CBC mode ciphers", if you don't already use a recommended cipher list.

As mentioned in the above forum thread, I still recommend the usage of the "Intermediate compatibility" solution from mozilla.org ( https://wiki.mozilla.org/Security/Server_Side_TLS ):

Code:
For Apache:

...
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
...


For NGINX:

...
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
...
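As an added example (not code from this thread, from Plesk or from Mozilla), the following Python script reproduces two of the three scanner findings from the opening post without touching the network: it walks the "Intermediate compatibility" cipher string quoted above and lists the CBC-mode suites it still enables (the suites a BEAST check keys on when TLS 1.0 is also offered), and it validates a Strict-Transport-Security header. The six-month max-age threshold and the sample response headers are assumptions constructed for the example; alias groups such as AES, CAMELLIA or kEDH+AESGCM are reported rather than expanded, because only `openssl ciphers -v` on the server itself can resolve them against the installed OpenSSL.

```python
"""Static audit of an OpenSSL cipher string and an HSTS header.

Added example, not part of the forum thread: it checks the cipher string
and response headers a Plesk host ends up with, offline and without
contacting any server.
"""
import re

# The "Intermediate compatibility" cipher string quoted in the thread.
MOZILLA_INTERMEDIATE = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:"
    "AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)


def classify(name):
    """Classify one cipher-string token by OpenSSL's naming convention.

    'alias'  : keyword or group (AES, CAMELLIA, kEDH+AESGCM, ...); it expands
               to several suites and must be resolved with `openssl ciphers -v`.
    'null'   : suites without encryption.
    'stream' : RC4 suites (not CBC, but unsafe for other reasons).
    'aead'   : GCM / CCM / ChaCha20-Poly1305 suites; not affected by BEAST.
    'cbc'    : every other named TLS block-cipher suite runs in CBC mode.
    """
    if "-" not in name:
        return "alias"
    if "NULL" in name:
        return "null"
    if "RC4" in name:
        return "stream"
    if any(tag in name for tag in ("GCM", "CCM", "CHACHA20")):
        return "aead"
    return "cbc"


def audit_cipher_string(spec, tls10_enabled):
    """Return the CBC suites a cipher string still enables and whether the
    BEAST condition (TLS 1.0 offered together with a CBC suite) holds."""
    enabled, removed, aliases = [], set(), []
    for token in spec.split(":"):
        if token.startswith(("!", "-")):
            removed.add(token.lstrip("!-"))
        elif classify(token) == "alias":
            aliases.append(token)
        else:
            enabled.append(token)
    cbc = [c for c in enabled if classify(c) == "cbc" and c not in removed]
    return {
        "cbc_ciphers": cbc,
        "unexpanded_aliases": aliases,
        # TLS 1.1+ uses an explicit IV per record, which removes the chained-IV
        # weakness BEAST relies on, so the finding disappears once TLS 1.0 is
        # no longer offered even if CBC suites stay for older clients.
        "beast_exposed": tls10_enabled and bool(cbc),
    }


def check_hsts(headers, min_age=15768000):
    """Parse a Strict-Transport-Security header (RFC 6797) from a dict of
    response headers. min_age (six months) is a threshold chosen here."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return {"present": False, "ok": False}
    max_age, include_sub = None, False
    for directive in (d.strip() for d in value.split(";") if d.strip()):
        m = re.fullmatch(r'max-age="?(\d+)"?', directive, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return {"present": True, "max_age": max_age,
            "include_subdomains": include_sub,
            "ok": max_age is not None and max_age >= min_age}


if __name__ == "__main__":
    report = audit_cipher_string(MOZILLA_INTERMEDIATE, tls10_enabled=True)
    print(len(report["cbc_ciphers"]), "CBC suites enabled, last one:",
          report["cbc_ciphers"][-1])
    print("aliases to expand with `openssl ciphers -v`:",
          report["unexpanded_aliases"])
    print("BEAST finding with TLS 1.0 on :", report["beast_exposed"])
    print("BEAST finding with TLS 1.0 off:",
          audit_cipher_string(MOZILLA_INTERMEDIATE, False)["beast_exposed"])
    # Constructed sample headers, not captured from any real server.
    print(check_hsts({"Strict-Transport-Security":
                      "max-age=31536000; includeSubDomains"}))
    print(check_hsts({"Server": "nginx"}))
```

The practical reading of the output: the Intermediate list deliberately keeps seventeen CBC suites (down to DES-CBC3-SHA) so that older browsers and mail clients can still connect, which is exactly why a scanner keeps reporting BEAST on a server that offers TLS 1.0. The warning clears either by no longer offering TLS 1.0 or by dropping the CBC suites, and both choices cost compatibility with clients that support nothing newer. The HSTS check covers the third finding: the header has to be present on the HTTPS responses with a max-age long enough to matter.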
 
Hello:

For months I followed the steps in http://kb.odin.com/en/123160 solving the Heartbleed, Poodle (TLS) and Poodle (SSLv3) vulnerability.
After that I checked that there was no security problem on my server. Today I rechecked the domains with an SSL certificate, and the test tools tell me that I have a BEAST vulnerability.

I have read enough about it but cannot find where the problem may be.

My server:
OS: Debian 7.9
Plesk version: 12.0.18 Update #77, last updated at Feb 20, 2016 06:37 AM

Could you help me please?
Thanks a lot.
 