SSL SHA-256 / TLS 1.2- & HTTP/1.1

[Roderic]

Centos 6 & Plesk 12.5 with latest updates

Hello, I've got a few clients using PayPal and they got a message from PayPal saying they need to update 2 things to keep using PayPal.

How can I upgrade the SSL Certificates to SHA-256, TLS to 1.2 and HTTP/1.1.?
And is it a good idea to upgrade TLS and HTTP to the latest version or not?

Thanks in advance

 

[eilko]

Have you checked http://download1.parallels.com/Plesk/Doc/en-US/online/plesk-pci-compliance-guide/ ?

 

[Roderic]

I have in the meanwhile and I've done everything that's in there. But I don't know if I'm good to go now.

This is what PayPal says:

• Discontinue support for secure connections that require validation with the VeriSign G2 Root Certificate; only validate with the VeriSign G5 Root Certificate.
• Use a stronger algorithm by upgrading from SHA-1 to SHA-2 (256).

Does the first point mean I just need to get another certificate? Or do I need to change something in Plesk? Bit lost on that one.. Except that I know that it is using the G2 currently.

 

[Alvin_Allen]

What this means is your SSL certificate needs to be upgraded to 2048-bit, you can have your SSL certificates re-keyed from 1024-bit to 2048-bit by the SSL provider.

 

[Lloyd_mcse]

Hi Roderic,
You need to regenerate your SSL certificate (usually free), making sure you select SHA256 as the signature algorithm and a minimum 2048Bit Public key.
This will be signed by a newer Verisign CA like the G5.

Test your connection here...

https://www.ssllabs.com/ssltest/index.html

I hope that helps
Kind regards

Lloyd

 

[Mark12345]

I'm in need of some related help. I have an A rating right now but there are some issues. SSL/TLS Server Test | High-Tech Bridge

I've used the following ssh commands to success.
# plesk bin server_pref -u -ssl-protocols 'TLSv1.1 TLSv1.2'
# plesk sbin sslmng --protocols="TLSv1.1 TLSv1.2"

I get an A rating. but no PCI compliance. When I remove the TLSv1.1, I get an A+ rating with PCI compliance but also a warning that TLSv1.1 must be active to be compliant with HIPAA guidance. So, how to enable TLSv1.1 and get an A+ rating eludes me.

I then try modifying the ciphers in this file: /etc/httpd/conf.d/ssl.conf but nothing seems to change when I do that.

SSLCipherSuite EECDH+AESGCM:EECDH+AES256:EECDH+AES128:EDH+AES:RSA+AESGCM:RSA+AES:!ECDSA:!NULL:!MD5:!DSS:!3DES
SSLHonorCipherOrder on
SSLProtocol -ALL +TLSv1.1 +TLSv1.2
<IfModule mod_ssl.c>SSLCipherSuite HIGH:!aNULL:!MD5</IfModule>


Do I have to update the following files with protocols and ciphers?
/usr/local/psa/admin/conf/templates/custom/nginxWebmailPartial.php
/usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php
/usr/local/psa/admin/conf/templates/custom/server/nginxVhosts.php

Server version: Apache/2.2.15 (Unix)
Plesk Onyx v17.5.3
CentOS 6.9

Thanks.