Facebook
Twitter
-
If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
CentOS2Alma discussion
SSL POODLE / SSLv3 bug
- Thread starter Tsi-Shawn
- Start date
I have one more question on this. Hopefully someone can advise.
If i'm running 11.5.3 with the described fixes in place and then I upgrade to Plesk 12, are all of these tweaks going to be overwritten?
i.e: will I need to either run the Poodle script again or manually configure protocols again after the update?
Thanks!
If i'm running 11.5.3 with the described fixes in place and then I upgrade to Plesk 12, are all of these tweaks going to be overwritten?
i.e: will I need to either run the Poodle script again or manually configure protocols again after the update?
Thanks!
U
UFHH01
Guest
Well, in case you have some own custom modifications to configurations files, which are not templates ( and not custom templates to be specific ) and which are not changes recommended by Parallels over their knowledge base, well yes... in this case it might be possible that your own custom modifications could be overwritten by Plesk patches/updates/upgrades, I'm afraid. But.... and here comes the good part 
... :
Plesk has a so called "Plesk configuration file monitor ( cfgmon )" and stores changed versions at: "/var/lib/plesk/cfgmon" If you would like to restore one of these files, you can use the command:
... :Plesk has a so called "Plesk configuration file monitor ( cfgmon )" and stores changed versions at: "/var/lib/plesk/cfgmon" If you would like to restore one of these files, you can use the command:
cp /var/lib/plesk/cfgmon/NAME_OF_THE_FILE_INCLUDING_DATE_AND_TIME /location/of/the/desired/path/NAME_OF_THE_FILE
I'm running Plesk Linux 12.0.18 Update #27.
I see that the default nginx configuration scripts (/usr/local/psa/admin/conf/templates/default/server/ ... have been updated with:
Does this mean we can remove the /usr/local/psa/admin/conf/templates/custom/ ... files as created earlier and rebuild the web config?
I haven't located where the 'disablesslv3' is set.
Thanks for your help.
I see that the default nginx configuration scripts (/usr/local/psa/admin/conf/templates/default/server/ ... have been updated with:
Code:
<?php if (get_param('disablesslv3')): ?>
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
<?php else: ?>
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
<?php endif ?>
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
<?php endif ?>
<?php endif ?>Does this mean we can remove the /usr/local/psa/admin/conf/templates/custom/ ... files as created earlier and rebuild the web config?
I haven't located where the 'disablesslv3' is set.
Thanks for your help.
The solution is here : http://talk.plesk.com/threads/new-plesk-12-install-has-poodle-unpatched.331094/#post-772948
Hello Guys,
First sry for my bad english.
I have a similiar Problem i am not able to connect IMAP/POP, ... on Plesk 12 (Debian) with a Mailclient.
In the errorlogs i get the following entry:
"courier-pop3s: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher"
I am not so the server specialist can maybe explain me how i can get a connection over mailclient (webmail works for receiving and sending mails)
Thanks
EDIT: Solved
First sry for my bad english.
I have a similiar Problem i am not able to connect IMAP/POP, ... on Plesk 12 (Debian) with a Mailclient.
In the errorlogs i get the following entry:
"courier-pop3s: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher"
I am not so the server specialist can maybe explain me how i can get a connection over mailclient (webmail works for receiving and sending mails)
Thanks
EDIT: Solved
Last edited:
This is very helpful for hardening server against POODLE and LOGJAM -- thanks!
However, it seems that the need to create custom templates (to add the ssl_ciphers updates and ssl_dhparam parameters) creates another problem ... as Plesk deploys updates that include changes to these web configuration templates, we would need to check if these files are modified and then merge them with our /custom template versions -- hardly a very elegant solution -- in order to patch for one problem, we are blocking our server from receiving future patches.
Is there a better way?
@gbotica,
You stated
And yep, there is a simple, better and update-proof way: do not fiddle with templates, (custom) configure Nginx!
Just add a custom .conf file to /etc/nginx/conf.d/, for instance ssl-custom.conf.
Note that the file ssl.conf already exists and that your custom directives have to be somewhat adjusted.
The ssl.conf file contains the following lines by default:
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
The ssl-custom.conf file should hence include the lines:
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_dhparam <location of .pem file>;
and one could also include the cipher suite in this ssl-custom.conf file (uncomment the ssl_ciphers in ssl.conf) or adjust the cipher suite in ssl.conf.
Please be aware of the caveats of the approach to adopt a Ephemeral Diffie-Hellmann (DHE) key exchange process by implementing the ssl_dhparam directive:
a) a potential conflict with standard ssl related nginx directives,
b) a heavy punishment, in terms of performance,
c) a necessity to create an elaborate cipher suite, that has to become even more extensive when wanting to allow for backwards compatibility,
d) some versions of OpenSSL (i.e. the standard versions) do not return the required or some of the required algorithms,
e) certificates and keys have to be perfectly aligned: nginx relies on OpenSSL and the "danger" of the default 1024-bit OpenSSL key for key exchange exists, in the sense that security of a 2048-bit certificate can be comprised, if the default 1024-bit key is used by mistake,
and the above caveats are only the most important ones.
In conclusion, if you really want to implement the ssl_dhparam directive, generate a stronger DHE parameter that is in line with the certificate being used.
And in the current solution proposed, nobody seems to hint to the dangers of using default OpenSSL keys with, for instance, 2048-bit certificates.
In my humble opinion, good ideas and solutions should be implemented well and I am asking openly whether this is the way forward to hardening Nginx SSL/TLS configuration.
Anyway, the idea behind PFS (Perfect Forward Secrecy) is excellent, I am in favour of DHE key exchange.
Regards....
You stated
And yep, there is a simple, better and update-proof way: do not fiddle with templates, (custom) configure Nginx!
Just add a custom .conf file to /etc/nginx/conf.d/, for instance ssl-custom.conf.
Note that the file ssl.conf already exists and that your custom directives have to be somewhat adjusted.
The ssl.conf file contains the following lines by default:
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
The ssl-custom.conf file should hence include the lines:
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_dhparam <location of .pem file>;
and one could also include the cipher suite in this ssl-custom.conf file (uncomment the ssl_ciphers in ssl.conf) or adjust the cipher suite in ssl.conf.
Please be aware of the caveats of the approach to adopt a Ephemeral Diffie-Hellmann (DHE) key exchange process by implementing the ssl_dhparam directive:
a) a potential conflict with standard ssl related nginx directives,
b) a heavy punishment, in terms of performance,
c) a necessity to create an elaborate cipher suite, that has to become even more extensive when wanting to allow for backwards compatibility,
d) some versions of OpenSSL (i.e. the standard versions) do not return the required or some of the required algorithms,
e) certificates and keys have to be perfectly aligned: nginx relies on OpenSSL and the "danger" of the default 1024-bit OpenSSL key for key exchange exists, in the sense that security of a 2048-bit certificate can be comprised, if the default 1024-bit key is used by mistake,
and the above caveats are only the most important ones.
In conclusion, if you really want to implement the ssl_dhparam directive, generate a stronger DHE parameter that is in line with the certificate being used.
And in the current solution proposed, nobody seems to hint to the dangers of using default OpenSSL keys with, for instance, 2048-bit certificates.
In my humble opinion, good ideas and solutions should be implemented well and I am asking openly whether this is the way forward to hardening Nginx SSL/TLS configuration.
Anyway, the idea behind PFS (Perfect Forward Secrecy) is excellent, I am in favour of DHE key exchange.
Regards....
