Facebook
Twitter
-
If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
CentOS2Alma discussion
TLS 1.2
- Thread starter Madness
- Start date
Yep "yum update openssl" Im Using xenforo and in the control panel its displaying that message above, apparently it only displays if your not using 1.2.
@Madness,
Just install the appropriate OpenSSL package manually, a nice procedure has been given in: https://talk.plesk.com/threads/important-exploit-in-sslv2-update-openssl.337191/#post-797678
After installing the OpenSSL 1.0.1s version, you should still run the command: plesk sbin pci_compliance_resolver --enable <service>
This command will not only allow TLS 1.2, but also disallow all vulnerable SSL connections (read: securing your server according to PCI compliance settings).
Note that, if you decide to apply PCI compliant settings to all services, you can simple use the "--enable flag" alone (without a service name behind it), in which case ProFtpd will also be made PCI compliant, which on it´s turn requires that you enable passive ports (just add a file called custom.conf to /etc/proftpd.d directory and add to the content the line "ServerIdent Off" and the line "PassivePorts <start port range> <end port range>", with some custom port range).
Hope the above helps a bit.
If you have questions, just let me know.
Regards......
Just install the appropriate OpenSSL package manually, a nice procedure has been given in: https://talk.plesk.com/threads/important-exploit-in-sslv2-update-openssl.337191/#post-797678
After installing the OpenSSL 1.0.1s version, you should still run the command: plesk sbin pci_compliance_resolver --enable <service>
This command will not only allow TLS 1.2, but also disallow all vulnerable SSL connections (read: securing your server according to PCI compliance settings).
Note that, if you decide to apply PCI compliant settings to all services, you can simple use the "--enable flag" alone (without a service name behind it), in which case ProFtpd will also be made PCI compliant, which on it´s turn requires that you enable passive ports (just add a file called custom.conf to /etc/proftpd.d directory and add to the content the line "ServerIdent Off" and the line "PassivePorts <start port range> <end port range>", with some custom port range).
Hope the above helps a bit.
If you have questions, just let me know.
Regards......
Ive updated manually from this tut https://talk.plesk.com/threads/important-exploit-in-sslv2-update-openssl.337191/#post-797678
Result:
openssl version
OpenSSL 1.0.1s 1 Mar 2016
but if i run this rpm -q openssl
I get openssl-1.0.1e-42.el6_7.4.x86_64
phpinfo.php also says
OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version OpenSSL 1.0.1e-fips 11 Feb 2013
websavers
Regular Pleskian
I could be wrong about this, but I think those detection systems are checking for your raw version of OpenSSL, assuming it won't work, and not actually confirming TLS1.2 connectivity. From what I've read, it's been baked into OpenSSL versions in Redhat/CentOS systems for at least a year now. The only reason it wouldn't be obvious is because Redhat/CentOS adds essential features and security fixes by backporting them into the original system installed version number, rather than installing the new version.