• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue This server accepts RC4 cipher, but only with older protocol versions

M

maniot

New Pleskian
Hello,
I recently upgraded plesk to 12.5.30 and after checking my ssl i've been capped to "B" on ssllabs for having:This server accepts RC4 cipher, but only with older protocol versions.
I've searched the forum and the documentation but can't find how to disable RC4 cipher.
I've followed the doc: Tune Plesk to Meet PCI DSS on Linux, but with no luck, it doesn't change.

best regards,

maniot
 
Hi maniot,

pls. DESCRIBE, what you already did to solve your issue, because the documentation(s) recommend different solutions - we can not guess what you did.

Pls. post your file "/etc/sw-cp-server/conf.d/pci-compliance.conf" and ( if available! ) depending configuration files ( /etc/apache2/mods-available/ssl.conf + /etc/nginx/conf.d/ssl.conf ). Pls. note that the apache - path may differ to your system, if you use a RHEL/CentOS - based system.
 
UFHH01 said:
Hi maniot,

pls. DESCRIBE, what you already did to solve your issue, because the documentation(s) recommend different solutions - we can not guess what you did.

Pls. post your file "/etc/sw-cp-server/conf.d/pci-compliance.conf" and ( if available! ) depending configuration files ( /etc/apache2/mods-available/ssl.conf + /etc/nginx/conf.d/ssl.conf ). Pls. note that the apache - path may differ to your system, if you use a RHEL/CentOS - based system.
Click to expand...

hello,
I issued the command: plesk sbin pci_compliance_resolver --enable and restarted the server.
the file pci-compliance.conf doesn't exist, however there is a file called .pci-compliance.conf.swp
I'm using a Centos 6.7, so what would be the path to ssl.config?

best regards,

Maniot
 
Hi maniot,

just use for example the "locate" command, if you don't know your paths to your apache - webserver configuration files.

Example:

locate ssl.conf


How to install "mlocate" on CentOS:

yum -y update
yum -y install mlocate

Update the mlocate database over the command line( should be done on a daily basis, for best result to your "locate" - search! ):

updatedb


IF you followed the Plesk documentation at


you should have noticed, that you have more options with the "server_pref utility" ( server_pref: Interface and System Preferences | Plesk 12.5. online documentation ) and as well with the "sslmng utility":

...

If you need to set specific parameters for some services, call manually the sslmng utility:

Code: 
plesk sbin sslmng --ciphers="EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES" --protocols="TLSv1.1 TLSv1.2" --strong-dh --disable-tls-compression

Add the option "--service <some_service>" to the command above and change SSL/TLS settings of a particular service if you need.

Note: The changes made by the sslmng utility can be overwritten by the subsequent call of the server_pref utility or by Plesk update.

...
Click to expand...



The usage of the general configuration file "/etc/sw-cp-server/conf.d/pci-compliance.conf" is described at:

 
UFHH01 said:
Hi maniot,

just use for example the "locate" command, if you don't know your paths to your apache - webserver configuration files.
Example:

locate ssl.conf


How to install "mlocate" on CentOS:

yum -y update
yum -y install mlocate

Update the mlocate database over the command line( should be done on a daily basis, for best result to your "locate" - search! ):

updatedb


IF you followed the Plesk documentation at


you should have noticed, that you have more options with the "server_pref utility" ( server_pref: Interface and System Preferences | Plesk 12.5. online documentation ) and as well with the "sslmng utility":




The usage of the general configuration file "/etc/sw-cp-server/conf.d/pci-compliance.conf" is described at:

Click to expand...
Hi UFHH01,
As mentioned i'm a bit worried about the fact that the file "/etc/sw-cp-server/conf.d/pci-compliance.conf" is missing. Could you sent me the contents of that file?
I also changed the file "/etc/httpd/conf.d/ssl.conf" ,restarted the apache server and tested again on ssllabs. unfortunately the result says the same: This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B

regards,

maniot
 
Hi maniot,

I noticed, that with Plesk 12.5, there is a serious change in the configuration files to Plesk 12.0. The desired changes should be done at "/etc/sw-cp-server/conf.d/ssl.conf" ( but it is really recommended to change that over the "server_pref utility" or/and "sslmng utility", as already stated in my previous post, because other wise Plesk updates/upgrade/patches may overwrite your manual changes! ).
Pls. be as well informed, that the changes for your sw-cp-server is relevant for the Plesk Control Panel and not for your hosted domains! Plesk uses his own webserver.

When you only change the apache-webserver configuration files and don't bother to even have a look at your nginx configuration files, you might experience no changes at all after your modifications for your hosted domains, when using the combination apache+nginx. Pls. be aware that with most common used domain settings, nginx is IN FRONT of apache!


As a final information, pls. consider to read and follow as well the cipher recommendations at https://wiki.mozilla.org/Security/Server_Side_TLS .
 
Last edited by a moderator:
Hi,
Still no luck. As i understood using "plesk sbin pci_compliance_resolver --enable" should create "/etc/sw-cp-server/conf.d/pci-compliance.conf" but it doesn't! however my ssl.conf files are updated. I have ngnix disabled.
My "etc/httpd/conf.d/ssl.conf" looks like:
LoadModule ssl_module modules/mod_ssl.so
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

regards,
maniot
 
Finally succes! I can't figure out why but after enabling nginx and using the command: "plesk sbin pci_compliance_resolver --enable" it works and RC4 cipher is no longer a problem.
 
You must log in or register to reply here.

Similar threads

S
Issue TLS1.2 Weak Cipher Suites SSL Labs
Replies
9
Views
5K
blueberry
blueberry
Mark12345
Issue A+ SSL/TLS Test - PCI Compliance - Ciphers - Oh My
Replies
8
Views
4K
Mark12345
Mark12345
Edward Dekker
  • Poll
Input Make your server more PCI compliant and update your TLS/Ciphersuites
Replies
2
Views
2K
Edward Dekker
Edward Dekker
S
SSL Cipher strenght RC4
Replies
3
Views
6K
UFHH01
U
Dukemaster
Input PLESK reaches the stars with only Nginx + HSTS (390%)
Replies
1
Views
2K
mr-wolf
M
Back
Top