Facebook
TwitterHi,
I found taht Plesk Obsidian was not meeting PCI DSS compliance.
Looking at /etc/httpd/conf.d/ssl.conf I found poor parameters which lead to poor SSL rating (B) :
I searched the documentation, and only things I found is related to Apache . Since we run LiteSpeed web servers (yes I know LS is not officially supported), looks like I can't use plesk sbin pci_compliance_resolver {--enable|--disable} [<service>] command. So I replaced manually above code with following :
Thing is, running the utility also does some more things (Sets the following list of ciphers, Sets the DH parameter’s size to 2048, etc.)
Question, what else shall I do manually to get our servers meet PCI DSS (equivalent to --enable utility cmd) ?
I'm not sure I can use plesk sbin sslmng either, since it would look for <IfModule mod_ssl.c>.
Thanks in advance for help / advise.
I found taht Plesk Obsidian was not meeting PCI DSS compliance.
Looking at /etc/httpd/conf.d/ssl.conf I found poor parameters which lead to poor SSL rating (B) :
<IfModule mod_ssl.c>
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5
</IfModule>
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5
</IfModule>
I searched the documentation, and only things I found is related to Apache . Since we run LiteSpeed web servers (yes I know LS is not officially supported), looks like I can't use plesk sbin pci_compliance_resolver {--enable|--disable} [<service>] command. So I replaced manually above code with following :
<IfModule LiteSpeed>
SSLProtocol TLSv1.2 TLSv1.3
SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
</IfModule>
SSLProtocol TLSv1.2 TLSv1.3
SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
</IfModule>
Thing is, running the utility also does some more things (Sets the following list of ciphers, Sets the DH parameter’s size to 2048, etc.)
Question, what else shall I do manually to get our servers meet PCI DSS (equivalent to --enable utility cmd) ?
I'm not sure I can use plesk sbin sslmng either, since it would look for <IfModule mod_ssl.c>.
Thanks in advance for help / advise.
