• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

TLS 1.2

Madness

Basic Pleskian
Apparently i need to update TLS 1.2 for paypal and my server does not have the required SSL libraries to support this.

CentOS 6.6 (Final)

Can anyone please walk me through this or shoot me a link to a tut.

any help is much appreciated
 
TLS 1.2 should be supported by the installed system OpenSSL binaries as long as you've kept 'em updated via yum.
 
TLS 1.2 should be supported by the installed system OpenSSL binaries as long as you've kept 'em updated via yum.

Yep "yum update openssl" Im Using xenforo and in the control panel its displaying that message above, apparently it only displays if your not using 1.2.
 
@Madness,

Just install the appropriate OpenSSL package manually, a nice procedure has been given in: https://talk.plesk.com/threads/important-exploit-in-sslv2-update-openssl.337191/#post-797678

After installing the OpenSSL 1.0.1s version, you should still run the command: plesk sbin pci_compliance_resolver --enable <service>

This command will not only allow TLS 1.2, but also disallow all vulnerable SSL connections (read: securing your server according to PCI compliance settings).

Note that, if you decide to apply PCI compliant settings to all services, you can simple use the "--enable flag" alone (without a service name behind it), in which case ProFtpd will also be made PCI compliant, which on it´s turn requires that you enable passive ports (just add a file called custom.conf to /etc/proftpd.d directory and add to the content the line "ServerIdent Off" and the line "PassivePorts <start port range> <end port range>", with some custom port range).

Hope the above helps a bit.

If you have questions, just let me know.

Regards......
 
@Madness,

Just install the appropriate OpenSSL package manually, a nice procedure has been given in: https://talk.plesk.com/threads/important-exploit-in-sslv2-update-openssl.337191/#post-797678

After installing the OpenSSL 1.0.1s version, you should still run the command: plesk sbin pci_compliance_resolver --enable <service>

This command will not only allow TLS 1.2, but also disallow all vulnerable SSL connections (read: securing your server according to PCI compliance settings).

Note that, if you decide to apply PCI compliant settings to all services, you can simple use the "--enable flag" alone (without a service name behind it), in which case ProFtpd will also be made PCI compliant, which on it´s turn requires that you enable passive ports (just add a file called custom.conf to /etc/proftpd.d directory and add to the content the line "ServerIdent Off" and the line "PassivePorts <start port range> <end port range>", with some custom port range).

Hope the above helps a bit.

If you have questions, just let me know.

Regards......
Ive updated manually from this tut https://talk.plesk.com/threads/important-exploit-in-sslv2-update-openssl.337191/#post-797678

Result:
openssl version
OpenSSL 1.0.1s 1 Mar 2016

but if i run this rpm -q openssl

I get openssl-1.0.1e-42.el6_7.4.x86_64

phpinfo.php also says

OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version OpenSSL 1.0.1e-fips 11 Feb 2013
 
I could be wrong about this, but I think those detection systems are checking for your raw version of OpenSSL, assuming it won't work, and not actually confirming TLS1.2 connectivity. From what I've read, it's been baked into OpenSSL versions in Redhat/CentOS systems for at least a year now. The only reason it wouldn't be obvious is because Redhat/CentOS adds essential features and security fixes by backporting them into the original system installed version number, rather than installing the new version.
 
Back
Top