
port 8443 pcsync-https with medium strength SSL ciphers

Hi - confirming that Igor's steps in #23 above did the trick to get us the rest of the way there. I added this line to the

/etc/sw-cp-server/applications.d/plesk.conf

ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"

So

Code:
    include_shell "/usr/local/psa/admin/conf/ssl-conf.sh"

    ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"

    index-file.names = ("index.php")

and restarted the psa service.

When applying these changes under 9.3.0, psa does not restart. If I do a full stop -> start of the service, it shows that it failed to start. Has anyone else had this issue, and did they find a way around it?

# grep -C2 ssl.cipher-list /etc/sw-cp-server/applications.d/plesk.conf
$SERVER["socket"] == ":8443" {
include_shell "/usr/local/psa/admin/conf/ssl-conf.sh"
ssl.cipher-list = TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH
index-file.names = ("index.php")
server.document-root = "/usr/local/psa/admin/htdocs"
--
$SERVER["socket"] == ":8880" {
index-file.names = ("index.php")
#ssl.cipher-list = TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH
server.document-root = "/usr/local/psa/admin/htdocs"
accesslog.filename = "/usr/local/psa/admin/logs/httpsd_access_log"
# service psa status
sw-cp-serverd (pid 15952) is running...
# service psa stop
Stopping Plesk... done
Stopping mail handlers tmpfs storage
# service psa start
Starting xinetd service... done
Starting named service... done
Starting mysqld service... done
Starting postgresql service... done
Starting psa-spamassassin service... not installed
Plesk: Starting Mail Server... already started
Starting mail handlers tmpfs storage
Starting Plesk... failed
Starting drwebd service... not installed
#

I did try creating the following file, which seems to work with 9.5's PCI tool/script; however, I still don't believe it to be working?

# cat /usr/local/psa/admin/conf/cipher.lst
DH-AES256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA KRB5-DES-CBC3-MD5 KRB5-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA ADH-DES-CBC3-SHA DES-CBC3-MD5
# openssl s_client -connect localhost:8443 -ssl2
CONNECTED(00000003)
write:errno=104

I was expecting an output similar to the one below?

# openssl s_client -connect localhost:443 -ssl2
CONNECTED(00000003)
21207:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
#
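
An added check, not part of the original posts: the first post writes the `ssl.cipher-list` value in double quotes, while the grep output in the post above shows it unquoted, which is worth ruling out before restarting the service. The script assumes `plesk.conf` uses lighttpd-style syntax in which string values are double-quoted; `check_cipher_lines` and `sample_config` are hypothetical names and the sample is constructed from the lines shown on this page.

```shell
#!/bin/sh
# Added example: lint ssl.cipher-list lines in a lighttpd-style config.
# Assumption: string values must be double-quoted, as in the first post.

# Reads config text on stdin; prints "<socket> OK|UNQUOTED <value>" for each
# active (uncommented) ssl.cipher-list line. Returns 1 if any is unquoted.
check_cipher_lines() {
    awk '
        # Remember which $SERVER["socket"] block we are in.
        /^[ \t]*\$SERVER\["socket"\]/ {
            if (match($0, /":[0-9]+"/))
                sock = substr($0, RSTART + 1, RLENGTH - 2)
            next
        }
        /^[ \t]*#/ { next }                     # commented-out directive
        /^[ \t]*ssl\.cipher-list[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)       # keep the right-hand side
            sub(/[ \t]+$/, "", val)
            state = (val ~ /^".*"$/) ? "OK" : "UNQUOTED"
            if (state == "UNQUOTED") bad = 1
            label = (sock == "") ? "global" : sock
            print label, state, val
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample mirroring the grep output in the post above.
sample_config() {
    cat <<'EOF'
$SERVER["socket"] == ":8443" {
include_shell "/usr/local/psa/admin/conf/ssl-conf.sh"
ssl.cipher-list = TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH
index-file.names = ("index.php")
}
$SERVER["socket"] == ":8880" {
#ssl.cipher-list = TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH
}
EOF
}

sample_config | check_cipher_lines || echo "quote the values marked UNQUOTED"
```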