
Resolved: This server is vulnerable to the DROWN attack.

esounds

New Pleskian
Hi

I used the Let's Encrypt extension to install several SSL certs on my Plesk 12.5.30 Update #67, last updated on June 2, 2017, on CentOS 6.6.

All seems fine until I run an SSL server test with www.ssllabs.com.

I have fixed one issue ("OpenSSL Padding Oracle vulnerability (CVE-2016-2107)") by updating openssl (yum update openssl) to the latest version.

I am still facing the "This server is vulnerable to the DROWN attack" issue. Did anybody have similar problems?

Thanks.
 
Dear UFHH01, thank you for the answer.

I have updated CentOS 6.6 to 6.9 and no further updates are available for CentOS or openssl. I have also installed the Security Advisor; I think this could be handy to have in time to come. Thank you.

I have removed all my Let's Encrypt certs and my Let's Encrypt extension and reinstalled the Let's Encrypt extension and just one Let's Encrypt cert. Running the ssllabs.com test still gives the "This server is vulnerable to the DROWN attack" issue. The "Protocol Details" - "DROWN" section shows an IP address with status "Vulnerable (same key with SSL v2)". The report also states "TLS 1.2 Yes TLS 1.1 Yes TLS 1.0 Yes SSL 3 No SSL 2 No". I had the same issues on all Let's Encrypt certs installed on this server, even with two different IP addresses.

I also removed all ssl_ciphers except one. This showed in the ssllabs report but still didn't solve this issue.

The report also shows a Certificate #2: RSA 2048 bits (SHA1withRSA), which I believe is the Plesk default certificate. I tried to remove this so that I am only left with the Let's Encrypt certs, but have no option to do so.

I tried to follow => CVE-2016-0800: Exploit in SSLv2, but the only information I get from this is to update the OS, update OpenSSL, disable SSLv1 & SSLv2, and remove insecure ssl_ciphers. Did I miss out on something?

Would be great if you could revisit my issue.

Many thanks.
 
Hi esounds,

The key is indeed to use secure and recommended ciphers, after you have made sure that you updated/upgraded your OS and the dependent packages. Pls. note that you are not only able to define SSL certificates for the domains, but also for your IP(s) on your server (pls. see => HOME > Tools & Settings > IP Addresses).

Pls. visit for example => Generate Mozilla Security Recommended Web Server Configuration Files, which helps you to choose decent cipher lists (I recommend "Intermediate"), and don't forget to read as well => Tune Plesk to Meet PCI DSS on Linux, so that you are able to configure the recommended configuration files and to investigate your current settings.

If you need further help, it is essential to provide the FQDN and the corresponding configuration files (apache AND nginx, and don't forget the domain-specific configuration files!), so that people willing to help you have the chance to investigate your issues/errors/problems. ;)
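The "Vulnerable (same key with SSL v2)" row that ssllabs reported above means that some listener presenting the same certificate still completes an SSLv2 handshake, which is why the IP-level default certificate mattered here. As an added example, not code from this thread or from Plesk, the Python below builds an SSLv2 CLIENT-HELLO, parses the SERVER-HELLO and compares the certificate it carries with the TLS certificate; the host, port and the sample bytes are assumptions, and the sample "certificate" is a constructed placeholder, not a real DER certificate. Run probe_sslv2 against every IP and port that shares the key, not just the hostname on the report.

```python
import hashlib
import socket
import struct
# All seven SSLv2 cipher kinds (3 bytes each), as a DROWN scanner would offer.
SSLV2_CIPHER_SPECS = bytes.fromhex(
    "010080" "020080" "030080" "040080" "050080" "060040" "0700c0")

def build_sslv2_client_hello(challenge=b"\x00" * 16):
    """SSLv2 CLIENT-HELLO inside a 2-byte record header (high bit set)."""
    body = (b"\x01\x00\x02"                      # msg_type=1, version 0x0002
            + struct.pack("!HHH", len(SSLV2_CIPHER_SPECS), 0, len(challenge))
            + SSLV2_CIPHER_SPECS + challenge)    # session_id is empty
    return struct.pack("!H", 0x8000 | len(body)) + body

def parse_sslv2_server_hello(record):
    """(accepted_cipher_specs, certificate_der) from an SSLv2 SERVER-HELLO,
    or None for anything else (TLS alert, empty or truncated reply)."""
    if len(record) < 2 or not record[0] & 0x80:
        return None
    body = record[2:2 + (((record[0] & 0x7F) << 8) | record[1])]
    if len(body) < 11 or body[0] != 0x04:        # 0x04 = SERVER-HELLO
        return None
    cert_len, ciph_len, conn_len = struct.unpack("!HHH", body[5:11])
    if len(body) < 11 + cert_len + ciph_len + conn_len:
        return None
    cert = body[11:11 + cert_len]
    ciphers = body[11 + cert_len:11 + cert_len + ciph_len]
    return [ciphers[i:i + 3].hex() for i in range(0, len(ciphers), 3)], cert

def classify_drown(sslv2_reply, tls_cert_der):
    """Mirror the ssllabs DROWN row for one endpoint. Certificates are compared
    as DER hashes; a different cert carrying the same RSA key is still a risk."""
    parsed = parse_sslv2_server_hello(sslv2_reply)
    if parsed is None or not parsed[0]:
        return "SSLv2 not offered by this endpoint"
    if hashlib.sha256(parsed[1]).digest() == hashlib.sha256(tls_cert_der).digest():
        return "vulnerable: same key with SSL v2"
    return "SSLv2 offered with another certificate; disable it anyway"

def probe_sslv2(host, port=443, timeout=5.0):
    """Send the CLIENT-HELLO to a server you administer; return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        return sock.recv(4096)

# Constructed sample SERVER-HELLO: placeholder "cert" (not DER), 2 cipher specs.
SAMPLE_CERT = b"CONSTRUCTED-DER-CERT-BYTES"
_body = (b"\x04\x00\x01\x00\x02" + struct.pack("!HHH", len(SAMPLE_CERT), 6, 16)
         + SAMPLE_CERT + bytes.fromhex("0100800700c0") + b"\x11" * 16)
SAMPLE_SERVER_HELLO = struct.pack("!H", 0x8000 | len(_body)) + _body
```

Feed probe_sslv2's reply and the DER of the TLS certificate (for example from `openssl s_client` output) to classify_drown; an endpoint that is "not offered" here can still be a DROWN oracle for the key if another IP or service answers SSLv2.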
 
Hi UFHH01

Thank you for your reply.

I reviewed your links, ran "plesk sbin pci_compliance_resolver --enable" and did a reboot. Still no choice.

Your hint about IP addresses made me look again at the default cert. I tried to remove this one before, but couldn't unless I provided an alternative. I didn't want to buy one and couldn't get a free option for an IP address cert. However, this morning I added a self-signed cert for another domain and set this one as the default cert. I could now remove the default cert that was pre-installed and, happy days, we have an A rating now.

I really appreciated the time you took to listen to me, and I found the links you mentioned very helpful. The pci_compliance_resolver also gave me a bit of "peace of mind".

Many thanks
 