• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Question TLS 1.3 on Litespeed webservers / Obsidian

L

lenala

New Pleskian
Hi,

I found taht Plesk Obsidian was not meeting PCI DSS compliance.
Looking at /etc/httpd/conf.d/ssl.conf I found poor parameters which lead to poor SSL rating (B) :

<IfModule mod_ssl.c>
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5
</IfModule>​

I searched the documentation, and only things I found is related to Apache . Since we run LiteSpeed web servers (yes I know LS is not officially supported), looks like I can't use plesk sbin pci_compliance_resolver {--enable|--disable} [<service>] command. So I replaced manually above code with following :

<IfModule LiteSpeed>
SSLProtocol TLSv1.2 TLSv1.3
SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
</IfModule>​

Thing is, running the utility also does some more things (Sets the following list of ciphers, Sets the DH parameter’s size to 2048, etc.)

Question, what else shall I do manually to get our servers meet PCI DSS (equivalent to --enable utility cmd) ?
I'm not sure I can use plesk sbin sslmng either, since it would look for <IfModule mod_ssl.c>.

Thanks in advance for help / advise.
 
You must log in or register to reply here.

Similar threads

Polli
Issue Getting DANE working
2
Replies
33
Views
3K
Polli
Polli
Dukemaster
Question TLS 1.3 after Obsidian Upgrade
Replies
7
Views
3K
thinkingcap
thinkingcap
Mark12345
Issue A+ SSL/TLS Test - PCI Compliance - Ciphers - Oh My
Replies
8
Views
4K
Mark12345
Mark12345
Dukemaster
Question Nginx (TLS 1.3 + Pagespeed) - Updating cipher list
Replies
10
Views
4K
Dukemaster
Dukemaster
Back
Top