Facebook
Twitter
Please look at this KB article - http://kb.odin.com/en/123160
-
We value your experience with Plesk during 2024
Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
Please take this short survey:
https://pt-research.typeform.com/to/AmZvSXkx -
The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
-
We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.
SSL POODLE / SSLv3 bug
- Thread starter Tsi-Shawn
- Start date
Fritz MichaelG
Basic Pleskian
This article says:
But it doesn't say where to find the configuration file (since the article applies to both Linux and Windows, I presume).
Where do I find the config file for Apache under Linux?
Find it here - http://kb.odin.com/en/111283
Fritz MichaelG
Basic Pleskian
I found it. It's under /etc/apache2/mods-available/ssl.conf
The article you linked does not mention the location of the global SSL config for Apache. However, it does mention that the config files (under Debian etc.) are somewhere inside /etc/apache2
IgorG, in http://kb.odin.com/en/123160 there is no information about securing the Plesk Web Server itself. Why?
I patched it by adding
to the /etc/sw-cp-server/conf.d/plesk.conf file and restarting the Plesk Web Server afterwards:
Is this correct?
I patched it by adding
Code:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Code:
/etc/init.d/sw-cp-server restartI would also appreciate a little more clarity on implementing this fix, including locations of all the relevant files, so we can be sure that config rebuilds or micro-updates don't overwrite the changes. Also, clarification on how to ensure that Plesk Panel itself is "fixed".
Does anyone knows how to patch the Plesk Web Server for Plesk 11.0? My previous post only works for Plesk 11.5 or newer.
Update: http://kb.odin.com/en/123160 now (finally) provides a solution for both Plesk 11.0 and 11.5/12 servers:
Plesk 11.5 and later
Edit '/etc/sw-cp-server/config', add
Restart:
Plesk 11.0
Edit /usr/local/psa/admin/conf/ssl-conf.sh, add the echo 'ssl.use-sslv3 = "disable"' after the echo 'ssl.use-sslv2 = "disable"' directive, so it should looks alike:
Restart:
Plesk 11.5 and later
Edit '/etc/sw-cp-server/config', add
Code:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Code:
sudo service sw-cp-server restartEdit /usr/local/psa/admin/conf/ssl-conf.sh, add the echo 'ssl.use-sslv3 = "disable"' after the echo 'ssl.use-sslv2 = "disable"' directive, so it should looks alike:
Code:
echo 'ssl.engine = "enable"'
echo 'ssl.use-sslv2 = "disable"'`
echo 'ssl.use-sslv3 = "disable"'Restart:
Code:
sudo service sw-cp-server restartI would still like to know if, at some point in the near future, Parallels will be releasing a patch/update for this issue, making the necessary changes to the various config files.
The paths for the NGINX configuration .php files in the KB article are still incorrect (for Plesk 12 anyway).
They are:
It's also a little surprising that Parallels are recommending editing the 'default' templates. Is it not possible that a future micro-update that does not include a fix for POODLE might over write these changes?
I have followed the advice given in this thread and copied to a "custom" directory, and edited as suggested.
It would be good to get official notification from Parallels when this fix is implemented in the "default" templates, so we can remove the "custom" ones.
Apart from these differences, I have followed the instructions as per KB 123160 and my servers now check out fine and are not vulnerable to POODLE. I've implemented the changes for APACHE, NGINX, POSTFIX and SW-CP-SERVER (I don't run DOVECOT or COURIER).
Thanks to all contributors to this thread, and Parallels for their assistance and guidance.
/usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php
/usr/local/psa/admin/conf/templates/default/nginxDomainVirtualHost.php
/usr/local/psa/admin/conf/templates/default/nginxVhosts.php
/usr/local/psa/admin/conf/templates/default/nginxDomainVirtualHost.php
/usr/local/psa/admin/conf/templates/default/nginxVhosts.php
They are:
/usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php
/usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
/usr/local/psa/admin/conf/templates/default/server/nginxVhosts.php
/usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
/usr/local/psa/admin/conf/templates/default/server/nginxVhosts.php
It's also a little surprising that Parallels are recommending editing the 'default' templates. Is it not possible that a future micro-update that does not include a fix for POODLE might over write these changes?
I have followed the advice given in this thread and copied to a "custom" directory, and edited as suggested.
/usr/local/psa/admin/conf/templates/custom/nginxWebmailPartial.php
/usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php
/usr/local/psa/admin/conf/templates/custom/server/nginxVhosts.php
/usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php
/usr/local/psa/admin/conf/templates/custom/server/nginxVhosts.php
It would be good to get official notification from Parallels when this fix is implemented in the "default" templates, so we can remove the "custom" ones.
Apart from these differences, I have followed the instructions as per KB 123160 and my servers now check out fine and are not vulnerable to POODLE. I've implemented the changes for APACHE, NGINX, POSTFIX and SW-CP-SERVER (I don't run DOVECOT or COURIER).
Thanks to all contributors to this thread, and Parallels for their assistance and guidance.
We have updated KB article http://kb.odin.com/en/123160 regarding sw-cp-server.
pleskpanel
Regular Pleskian
Igor, can we expect to see an upcoming MU to address this in the near future? If it's just a few days away (or in an upcoming MU) it would be great to know.
After applying the recommend changes to Courier IMAP/POP files users who access mail via SSL are unable to connect to the server - the following errors occur in the mail client:
The server shows these errors in the maillog file:
Has anyone else seen this and do you know how to fix this?
Code:
There may be a problem with the mail server or network. Verify the settings for account or try again. The server returned the error: The connection to the server “www.domain.com” on port 993 timed out.The server shows these errors in the maillog file:
Code:
Oct 18 07:51:02 hostname courier-pop3s: couriertls: accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Oct 18 07:51:12 hostname courier-imaps: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipherHas anyone else seen this and do you know how to fix this?
Which e-mail client and version is being used?
I would also like to know.
The mail client is Mail on iOS 7 and also Mail on the Mac (don't know specific version on Mac).
Anyone else tried secure POP/IMAP after applying the recommended changes?
J.Wick
Regular Pleskian
I'm still having issues after running the scripts to patch everything with NGINX on Port 7081
xxx.xxx.97.234:7081 - Vulnerable! SSLv3 connection established using SSLv3/DHE-RSA-AES256-SHA
I've tried modifying the nginx.conf file but still shows vulnerable.
Anyone have any ideas? Pulling my hair on this one.
xxx.xxx.97.234:7081 - Vulnerable! SSLv3 connection established using SSLv3/DHE-RSA-AES256-SHA
I've tried modifying the nginx.conf file but still shows vulnerable.
Anyone have any ideas? Pulling my hair on this one.
