
Question Plesk Onyx LogJam

Okay, but there are no dhparam parameters in the settings?

Postfix example:

smtpd_tls_mandatory_exclude_ciphers
smtpd_tls_dh1024_param_file
 
You can install the Security Advisor extension from the Extension Catalog and protect your Plesk if you are afraid of this and other vulnerabilities.
 
There are actually two problems which people mean by "Logjam":

1. Logjam attack against the TLS protocol.
It can be prevented by disabling export cipher suites. They are disabled by default in OpenSSL. Neither Plesk nor default configurations of services managed by Plesk enable export cipher suites.

2. Weak Diffie-Hellman. (Threats from state-level adversaries.)
It can be prevented by configuring a Strong Diffie-Hellman Group (use standardized 2048-bit group or generate and use custom 2048-bit group). Some services managed by Plesk (e.g. `httpd`) use standardized 2048-bit group.
Also it can be mostly (for all modern clients) prevented by enabling and prioritizing (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE). All services managed by Plesk Onyx except `qmail` do this.

If you want to customize the SSL/TLS configuration, you can use the following Plesk command line utilities:
- pci_compliance_resolver
- server_pref
- sslmng
You can read about them here: https://docs.plesk.com/en-US/onyx/a...ce/tune-plesk-to-meet-pci-dss-on-linux.65871/

I hope we will make SSL/TLS management more user-friendly in future Plesk releases.
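
An added example, not part of the thread or of Plesk's tooling: a small audit of the two Postfix settings named earlier in the thread against the two points in the post above (export suites excluded, DH group of at least 2048 bits). The `main.cf` text, the file path and the `sample_pem` helper are constructed for illustration, and the parser assumes one-line settings.

```python
import base64
import re

def _tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem):
    """Bit length of p in a PKCS#3 'DH PARAMETERS' PEM (SEQUENCE { p, g })."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    tag, seq, _ = _tlv(base64.b64decode("".join(m.group(1).split())), 0)
    ptag, p, _ = _tlv(seq, 0)
    if (tag, ptag) != (0x30, 0x02):
        raise ValueError("not a PKCS#3 DH parameter structure")
    return int.from_bytes(p, "big").bit_length()

def audit_postfix(main_cf, files):
    """Return findings for the two Logjam-related settings in main.cf text."""
    conf = {k.strip(): v.strip() for k, _, v in
            (l.partition("=") for l in main_cf.splitlines() if not l.lstrip().startswith("#"))}
    findings = []
    excluded = re.split(r"[,:\s]+", conf.get("smtpd_tls_mandatory_exclude_ciphers", ""))
    if "EXPORT" not in excluded:
        findings.append("EXPORT not explicitly excluded (relying on OpenSSL defaults)")
    path = conf.get("smtpd_tls_dh1024_param_file")
    # Despite the parameter's name, the file may hold a 2048-bit group.
    if path and (bits := dh_prime_bits(files[path])) < 2048:
        findings.append(f"{path}: {bits}-bit DH group, below 2048")
    return findings

def sample_pem(bits):
    """Constructed input: p has the right size but is NOT a real prime."""
    def der(tag, val):
        n = len(val)
        size = (n.bit_length() + 7) // 8
        head = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
        return bytes([tag]) + head + val
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 = positive
    body = base64.encodebytes(der(0x30, der(0x02, p) + der(0x02, b"\x02"))).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + body + "-----END DH PARAMETERS-----\n"
```

On a real server, `files` would be filled by reading the path that `smtpd_tls_dh1024_param_file` points to.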
 
Thank you.
I have a possible problem, when I execute the command
plesk sbin pci_compliance_resolver --enable postfix
I get the message unable to write 'random state'.

What is it?
 
//sorry i have not the answer//
Logjam attack against the TLS protocol.
It can be prevented by disabling export cipher suites.
"LogJam" is deeply right /- today i finished "the small fight" /- get both streiths Ubuntu 16.04.1 LTS and Plesk Onyx 17.0.17 to their almost 'fast' perfect partnership / second time...4days / But that was basically my fall

"LogJam" Yeah right words! / had tried smallest fitting for Ubuntu16, failed later a bit for g2UP2g/ by doing rest cnfg stuff, i had in one terminal always looking for fails :# journalctl -xe
saw the beginning on/for my really "LogJam-KeyJail-sGame" today :) my logs look like a really hard Battlefield from smooth beginning to Deathmatch till ~ Silence :)´/
 
I have a possible problem, when I execute the command
plesk sbin pci_compliance_resolver --enable postfix
I get the message unable to write 'random state'.

What is it?

OpenSSL writes this message when it cannot write the default seeding file: https://www.openssl.org/docs/faq.html#USER2
You can ignore it, because openssl does not need to use the default seeding file on Linux, because /dev/urandom is available.

So, this is a small bug in OpenSSL. We will document and maybe work around it.
 