• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Plesk Onyx LogJam

Okay, but there are no dhparam parameters in the settings?

Postfix example:

smtpd_tls_mandatory_exclude_ciphers
smtpd_tls_dh1024_param_file
 
Last edited:
You can install Security Advisor extension from Extension Catalog and protect your Plesk if you afraid this and others vulnerabilities.
 
There are actually two problems which people mean by "Logjam":

1. Logjam attack against the TLS protocol.
It can be prevented by disabling export cipher suites. They are disabled by default in OpenSSL. Neither Plesk nor default configurations of services managed by Plesk enable export cipher suites.

2. Weak Diffie-Hellman. (Threats from state-level adversaries.)
It can be prevented by configuring a Strong Diffie-Hellman Group (use standardized 2048-bit group or generate and use custom 2048-bit group). Some services managed by Plesk (e.g. `httpd`) use standardized 2048-bit group.
Also it can be mostly (for all modern clients) prevented by enabling and prioritizing (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE). All services managed by Plesk Onyx except `qmail` do this.

If you want to customize SSL/TSL configuration, you can use the following Plesk command line utilities:
- pci_compliance_resolver
- server_pref
- sslmng
You can read about them here: https://docs.plesk.com/en-US/onyx/a...ce/tune-plesk-to-meet-pci-dss-on-linux.65871/

I hope we will make SSL/TLS management more user-friendly in future Plesk releases.
 
Thank you.
I have a possible problem, when I execute the command
plesk sbin pci_compliance_resolver --enable postfix
I get the message unable to write 'random state'.

What is it?
 
//sorry i have not the answer//
Logjam attack against the TLS protocol.
It can be prevented by disabling export cipher suites.
"LogJam" is deeply right /- today i finished "the small fight" /- get both streiths ‪Ubuntu 16.04.1 LTS‬ and Plesk Onyx 17.0.17 to their almost 'fast' perfect partnership / second time...4days / But that was basically my fall

"LogJam" Yeah right words! / had tried smallest fitting for Ubuntu16, failed later a bit for g2UP2g/ by doing rest cnfg stuff, i had in one terminal always looking for fails :# journalctl -xe
saw the beginning on/for my really "LogJam-KeyJail-sGame" today :) my logs look like a really hard Battlefield from smooth beginning to Deathmatch till ~ Silence :)´/
 
I have a possible problem, when I execute the command
plesk sbin pci_compliance_resolver --enable postfix
I get the message unable to write 'random state'.

What is it?

OpenSSL writes this message when cannot write default seeding file: https://www.openssl.org/docs/faq.html#USER2
You can ignore it, because openssl does not need to use default seeding file on Linux, because /dev/urandom is available.

So, this is small bug in OpenSSL. We will document and maybe work around it.
 
Back
Top