
Plesk 12: BEAST and other SSL vulnerabilities

Stuart1

New Pleskian
I recently changed my SSL certs for SHA-2, and while I was generating certs from my provider they prompted me to scan for SSL vulnerabilities; 3 warnings came up:
  1. Sessions may be vulnerable to BEAST attack
  2. Server does not have session resumption enabled
  3. Server has not enabled HTTP Strict-Transport-Security
So my question is: how do we fix these issues? I tried following some guides, but Plesk has a different setup, since the CP generates the .conf files automatically.

Any suggestions will be appreciated. If you want to test your SSL for these and other issues, I used: https://sslcheck.globalsign.com/
 
Hi Stuart1,

you might also be interested in this thread:


... because several different modifications are mentioned there as well, which might help you to secure your server without losing compatibility for browsers or mail clients in some cases.
 
I managed to solve the issue with this -> http://kb.odin.com/en/123160 <- article by running the script
  • for Linux - Disables Apache, nginx, proftpd, courier-imap, qmail, postfix, dovecot, Plesk server engine (for versions 11.5 and later).
But you're right, now I have no email :D so thanks for pointing that out.

--

Resolved the issue using /usr/local/psa/admin/bin/pci_compliance_resolver --enable all
 
Hi Stuart1,

the possible vulnerability depends on the ciphers used on your system. Please consider removing any "CBC mode ciphers", if you don't already use a recommended cipher list.

As mentioned in the above forum thread, I still recommend the usage of the "Intermediate compatibility" solution from mozilla.org ( https://wiki.mozilla.org/Security/Server_Side_TLS ):

Code:
For Apache:

...
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
...


For NGINX:

...
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
...
 
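The cipher strings quoted in the post above are long enough that it is hard to see by eye which suites a scanner would count as "CBC mode" (the BEAST finding) and which are AEAD. The following is an added example, not code from the thread, from Plesk, or from Mozilla: it splits an OpenSSL-style cipher list into enabled suites and exclusions, classifies each suite from its name using OpenSSL's naming convention (a suite with no explicit mode token, such as AES128-SHA, is a CBC suite), and, for the third item in the original question, parses a raw HTTP response header block for a Strict-Transport-Security header. The cipher list constant is the Apache SSLCipherSuite value from the post; the two HTTP responses are constructed sample input, not captured from any server.

```python
"""Audit an OpenSSL-style cipher list for CBC suites and check an HSTS header.

Added example for this thread; not Plesk, Mozilla or forum-poster code.
The cipher list below is the 'Intermediate compatibility' string quoted in
the post above; the HTTP responses are constructed sample input.
"""
import re

MOZILLA_INTERMEDIATE_2015 = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:"
    "!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:"
    "!KRB5-DES-CBC3-SHA"
)

# Constructed sample responses (not captured from a real host).
RESPONSE_WITHOUT_HSTS = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
)
RESPONSE_WITH_HSTS = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
    "Strict-Transport-Security: max-age=15768000; includeSubDomains\r\n\r\n"
)

# Concrete OpenSSL suite names end in "<cipher><bits>-<mac>"; when no mode
# token (GCM, CCM, CHACHA20, CBC) is present the bulk cipher runs in CBC mode.
_IMPLICIT_CBC = re.compile(r"(AES|CAMELLIA|SEED|DES|IDEA)\d*-(SHA\d*|MD5)$")


def classify(name):
    """Return 'aead', 'cbc', 'stream' or 'alias' for one cipher-list token."""
    # Group aliases (AES, CAMELLIA, kEDH+AESGCM, HIGH, ...) expand to many
    # suites; they cannot be classified from the name alone.
    if "+" in name or "-" not in name:
        return "alias"
    if "GCM" in name or "CCM" in name or "CHACHA20" in name:
        return "aead"
    if "CBC" in name or _IMPLICIT_CBC.search(name):
        return "cbc"
    if "RC4" in name:
        return "stream"
    return "alias"


def audit_cipher_list(cipher_list):
    """Split an OpenSSL cipher string into enabled suites by class and exclusions.

    Tokens prefixed with '!' (permanently removed) or '-' (removed, may be
    re-added later) are both reported as exclusions for this simple audit.
    """
    enabled = {"aead": [], "cbc": [], "stream": [], "alias": []}
    excluded = []
    for token in cipher_list.split(":"):
        token = token.strip()
        if not token:
            continue
        if token[0] in "!-":
            excluded.append(token.lstrip("!-"))
            continue
        enabled[classify(token)].append(token)
    return enabled, excluded


def hsts_status(raw_response):
    """Parse a raw HTTP response header block for Strict-Transport-Security."""
    for line in raw_response.split("\r\n"):
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() != "strict-transport-security":
            continue
        directives = [d.strip().lower() for d in value.split(";") if d.strip()]
        max_age = None
        for d in directives:
            if d.startswith("max-age="):
                digits = d.split("=", 1)[1].strip().strip('"')
                max_age = int(digits) if digits.isdigit() else None
        return {"present": True, "max_age": max_age,
                "include_subdomains": "includesubdomains" in directives}
    return {"present": False, "max_age": None, "include_subdomains": False}


if __name__ == "__main__":
    enabled, excluded = audit_cipher_list(MOZILLA_INTERMEDIATE_2015)
    for cls, suites in enabled.items():
        print(f"{cls:>6}: {len(suites):2d}  {' '.join(suites)}")
    print(f"excluded: {len(excluded)}  {' '.join(excluded)}")
    # Every entry in enabled['cbc'] is what a BEAST check counts against you.
    print("HSTS (sample without header):", hsts_status(RESPONSE_WITHOUT_HSTS))
    print("HSTS (sample with header):   ", hsts_status(RESPONSE_WITH_HSTS))
```

Running this on the quoted list shows 8 AEAD suites, 17 CBC suites (the ...-SHA, ...-SHA256, ...-SHA384 entries plus DES-CBC3-SHA) and three aliases that expand to further suites, so a scanner that flags any CBC suite will still report BEAST against this configuration; that is a property of the "Intermediate" profile, which deliberately keeps CBC for older clients, rather than a mistake in applying it. The HSTS parser is deliberately strict about the header name only; a real check would also confirm the header is sent on every HTTPS response, not just the front page.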
Hello:

For months I followed the steps in http://kb.odin.com/en/123160, solving the Heartbleed, Poodle (TLS) and Poodle (SSLv3) vulnerabilities.
After that I checked that there was no security problem on my server. Today I rechecked the domains with SSL certificates and the test tools tell me that I have a BEAST vulnerability.

I have read enough about it but can not find where it may be the problem.

My server:
OS: Debian 7.9
Plesk version: 12.0.18 Update #77, last updated at Feb 20, 2016 06:37 AM

Could you help me please?
Thanks a lot.
 