Plesk 12: BEAST and other SSL vulnerabilities

Stuart1

New Pleskian
I recently changed my SSL certs for SHA-2, and while I was generating the certs from my provider they prompted me to scan for SSL vulnerabilities, and 3 warnings came up:
  1. Sessions may be vulnerable to BEAST attack
  2. Server does not have session resumption enabled
  3. Server has not enabled HTTP Strict-Transport-Security
So my question is: how do we fix these issues? I tried following some guides, but Plesk has a different setup, since the CP generates the .conf files automatically.

Any suggestions will be appreciated. If you want to test your SSL for these and other issues, I used: https://sslcheck.globalsign.com/
 
Hi Stuart1,

you might as well be interested in this thread:


... because several different modifications are mentioned there as well, which might help you to secure your server without losing compatibility for browsers or mail clients in some cases.
 
I managed to solve the issue with this -> http://kb.odin.com/en/123160 <- article by running the script
  • for Linux - Disables Apache, nginx, proftpd, courier-imap, qmail, postfix, dovecot, Plesk server engine (for versions 11.5 and later).
But you're right, now I have no email :D so thanks for pointing that out.

--

Resolved the issue using /usr/local/psa/admin/bin/pci_compliance_resolver --enable all
 
Hi Stuart1,

the possible vulnerability depends on the ciphers used on your system. Please consider removing any "CBC mode ciphers", if you don't already use a recommended cipher list.

As mentioned in the above forum thread, I still recommend using the "Intermediate compatibility" solution from mozilla.org ( https://wiki.mozilla.org/Security/Server_Side_TLS ):

Code:
For Apache:

...
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
...


For NGINX:

...
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
...
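The advice above is to drop the "CBC mode ciphers" from the list, but the Mozilla string mixes AEAD suites, CBC suites, group aliases (AES, CAMELLIA, kEDH+AESGCM) and exclusions, so it is not obvious which entries a BEAST scanner is reacting to. The following script is an added example (not Plesk's, Mozilla's or any poster's code) that classifies each entry of an OpenSSL-style cipher string by name and produces a variant with the explicit CBC suites removed. The function names, the SAMPLE string (a constructed subset of the list quoted above) and the name-based heuristic are assumptions of this example; it relies on OpenSSL's naming, where AEAD suites carry GCM/CCM/CHACHA20 in the name and every other block-cipher suite is CBC mode.

```python
"""Classify the entries of an OpenSSL cipher-suite string (the format used by
Apache's SSLCipherSuite and nginx's ssl_ciphers) and derive a variant with the
CBC-mode suites removed.  Added example, not Plesk or Mozilla code; the
classification is a name-based heuristic that assumes OpenSSL suite naming."""

# OpenSSL names for AEAD suites carry one of these markers; every other
# TLS 1.0-1.2 suite built on a block cipher (AES, Camellia, 3DES) runs in
# CBC mode even when "CBC" is not spelled out (e.g. AES128-SHA).
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def classify(entry):
    """Return one of: exclusion, alias, aead, stream, cbc."""
    if entry.startswith(("!", "-")):
        return "exclusion"          # "!RC4", "-MD5": removes suites
    if "+" in entry or "-" not in entry:
        return "alias"              # "AES", "CAMELLIA", "kEDH+AESGCM": a group
    if any(marker in entry for marker in AEAD_MARKERS):
        return "aead"
    if "RC4" in entry:
        return "stream"             # not CBC, but weak for other reasons
    return "cbc"


def summarize(cipher_string):
    """Count entries by class, e.g. {'aead': 3, 'cbc': 5, ...}."""
    counts = {}
    for entry in cipher_string.split(":"):
        if entry:
            kind = classify(entry)
            counts[kind] = counts.get(kind, 0) + 1
    return counts


def cbc_suites(cipher_string):
    """List the explicit CBC-mode suites, i.e. the ones BEAST scanners flag."""
    return [e for e in cipher_string.split(":") if e and classify(e) == "cbc"]


def strip_cbc(cipher_string):
    """Drop the explicit CBC suites.  Aliases are kept but reported, because
    a group like AES or CAMELLIA still expands to CBC suites and has to be
    checked with `openssl ciphers -v '<string>'` on the actual server."""
    kept, aliases = [], []
    for entry in cipher_string.split(":"):
        if not entry:
            continue
        kind = classify(entry)
        if kind == "cbc":
            continue
        if kind == "alias":
            aliases.append(entry)
        kept.append(entry)
    return ":".join(kept), aliases


# Constructed sample: a subset of the Mozilla "intermediate" list quoted above.
SAMPLE = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!RC4:!MD5"
)

if __name__ == "__main__":
    print(summarize(SAMPLE))
    for suite in cbc_suites(SAMPLE):
        print("CBC-mode suite:", suite)
    hardened, unresolved = strip_cbc(SAMPLE)
    print("without CBC suites:", hardened)
    print("aliases to expand manually:", unresolved)
```

Run it against the full SSLCipherSuite or ssl_ciphers value from the generated Plesk config to see how much of the list is CBC. Note the trade-off the thread is circling: the AEAD suites only exist in TLS 1.2, so a list with every CBC suite removed leaves nothing for clients that can only speak TLS 1.0 or 1.1 (older mail clients in particular), which is why the Mozilla "intermediate" profile keeps CBC suites after the AEAD ones and why a scanner may still report BEAST for it.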
 
Hello:

For months I followed the steps in http://kb.odin.com/en/123160 solving the Heartbleed, Poodle (TLS) and Poodle (SSLv3) vulnerabilities.
After that I checked that there was no security problem on my server. Today I rechecked the domains with SSL certificates, and the test tools tell me that I have the BEAST vulnerability.

I have read enough about it but cannot find where the problem may be.

My server:
OS: Debian 7.9
Plesk version: 12.0.18 Update #77, last updated at Feb 20, 2016 06:37 AM

Could you help me please?
Thanks a lot.
 