
Issue This server accepts RC4 cipher, but only with older protocol versions

maniot

New Pleskian
Hello,
I recently upgraded Plesk to 12.5.30 and after checking my SSL I've been capped to "B" on ssllabs for having: This server accepts RC4 cipher, but only with older protocol versions.
I've searched the forum and the documentation but can't find how to disable RC4 cipher.
I've followed the doc: Tune Plesk to Meet PCI DSS on Linux, but with no luck, it doesn't change.

best regards,

maniot
 
Hi maniot,

Pls. DESCRIBE what you already did to solve your issue, because the documentation(s) recommend different solutions - we cannot guess what you did.

Pls. post your file "/etc/sw-cp-server/conf.d/pci-compliance.conf" and (if available!) depending configuration files (/etc/apache2/mods-available/ssl.conf + /etc/nginx/conf.d/ssl.conf). Pls. note that the Apache path may differ on your system if you use a RHEL/CentOS-based system.
 
Hello,
I issued the command: plesk sbin pci_compliance_resolver --enable and restarted the server.
The file pci-compliance.conf doesn't exist; however, there is a file called .pci-compliance.conf.swp
I'm using CentOS 6.7, so what would be the path to ssl.config?

best regards,

Maniot
 
Hi maniot,

Just use, for example, the "locate" command if you don't know the paths to your Apache webserver configuration files.

Example:

locate ssl.conf


How to install "mlocate" on CentOS:

yum -y update
yum -y install mlocate


Update the mlocate database over the command line (should be done on a daily basis, for best results with your "locate" search!):

updatedb


IF
you followed the Plesk documentation at


you should have noticed, that you have more options with the "server_pref utility" ( server_pref: Interface and System Preferences | Plesk 12.5. online documentation ) and as well with the "sslmng utility":

...

If you need to set specific parameters for some services, call manually the sslmng utility:

Code:
plesk sbin sslmng --ciphers="EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES" --protocols="TLSv1.1 TLSv1.2" --strong-dh --disable-tls-compression

Add the option "--service <some_service>" to the command above and change SSL/TLS settings of a particular service if you need.

Note: The changes made by the sslmng utility can be overwritten by the subsequent call of the server_pref utility or by Plesk update.

...



The usage of the general configuration file "/etc/sw-cp-server/conf.d/pci-compliance.conf" is described at:

 
Hi UFHH01,
As mentioned, I'm a bit worried about the fact that the file "/etc/sw-cp-server/conf.d/pci-compliance.conf" is missing. Could you send me the contents of that file?
I also changed the file "/etc/httpd/conf.d/ssl.conf", restarted the Apache server and tested again on ssllabs. Unfortunately the result says the same: This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B

regards,

maniot
 
Hi maniot,

I noticed that with Plesk 12.5 there is a serious change in the configuration files compared to Plesk 12.0. The desired changes should be done at "/etc/sw-cp-server/conf.d/ssl.conf" (but it is really recommended to change that over the "server_pref utility" and/or "sslmng utility", as already stated in my previous post, because otherwise Plesk updates/upgrades/patches may overwrite your manual changes!).
Pls. be informed as well that the changes for your sw-cp-server are relevant for the Plesk Control Panel and not for your hosted domains! Plesk uses its own webserver.

When you only change the Apache webserver configuration files and don't bother to even have a look at your nginx configuration files, you might experience no changes at all after your modifications for your hosted domains when using the combination apache+nginx. Pls. be aware that with the most commonly used domain settings, nginx is IN FRONT of apache!


As a final information, pls. consider to read and follow as well the cipher recommendations at https://wiki.mozilla.org/Security/Server_Side_TLS .
 
Hi,
Still no luck. As I understood, using "plesk sbin pci_compliance_resolver --enable" should create "/etc/sw-cp-server/conf.d/pci-compliance.conf" but it doesn't! However, my ssl.conf files are updated. I have nginx disabled.
My "/etc/httpd/conf.d/ssl.conf" looks like:
LoadModule ssl_module modules/mod_ssl.so
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

regards,
maniot
 
Finally success! I can't figure out why but after enabling nginx and using the command: "plesk sbin pci_compliance_resolver --enable" it works and RC4 cipher is no longer a problem.
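
Since the thread turns on which listener's configuration was actually edited (Apache, nginx in front of it, or the panel's own sw-cp-server), here is a small audit script that reads each file's cipher directive and reports whether it rules out RC4; it is an added example, not part of any post above and not Plesk tooling. The function names and sample files are constructed for illustration, and two things are assumptions: that sw-cp-server uses the nginx-style `ssl_ciphers` directive, and that the keywords `ALL`, `DEFAULT` and `MEDIUM` pull in RC4 as they do with the OpenSSL 1.0.x series.

```sh
#!/bin/sh
# Added example: text-level audit of cipher directives (does not query OpenSSL).

# cipher_spec FILE -> value of the last active SSLCipherSuite / ssl_ciphers line.
cipher_spec() {
    sed -n -E 's/^[[:space:]]*(SSLCipherSuite|ssl_ciphers)[[:space:]]+//p' "$1" |
        tail -n 1 | tr -d "\"';"
}

# rc4_verdict SPEC -> excluded | allowed | absent | unset
#   excluded: "!RC4" permanently removes RC4, wherever it appears in the string
#   allowed : an RC4 suite or a keyword assumed to contain RC4 is still enabled
#   absent  : nothing in the string adds RC4
#   unset   : no directive, so the listener uses its built-in default
rc4_verdict() (
    spec=$1
    [ -n "$spec" ] || { echo unset; exit 0; }
    set -f; IFS=': ,'          # split on separators, no filename globbing
    state=absent
    for tok in $spec; do
        case $tok in
            '!RC4')                    echo excluded; exit 0 ;;
            '-RC4')                    state=absent ;;   # removed, may be re-added later
            '!'*|'-'*|'+'*)            ;;                # other removals / reordering
            *RC4*|ALL|DEFAULT|MEDIUM)  state=allowed ;;
        esac
    done
    echo "$state"
)

# audit FILE... -> one line per file with its verdict.
audit() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            printf '%-28s %s\n' "${f##*/}" "$(rc4_verdict "$(cipher_spec "$f")")"
        else
            printf '%-28s %s\n' "${f##*/}" missing
        fi
    done
}

# Constructed sample configs (not copied from a real server).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf 'SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!DSS\n' > "$demo/httpd-ssl.conf"
printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' > "$demo/nginx-ssl.conf"
printf 'ssl_ciphers HIGH:!aNULL:!MD5:!RC4;\n' > "$demo/panel-ssl.conf"
audit "$demo/httpd-ssl.conf" "$demo/nginx-ssl.conf" "$demo/panel-ssl.conf" "$demo/pci-compliance.conf"
```

A file reported as `unset` or `missing` is the one to look at first: an `absent` or `excluded` verdict on one file says nothing about a listener that never reads that file.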
 