• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue TLS1.2 Weak Cipher Suites SSL Labs

S

sall10

Basic Pleskian
Hello,

I have activated TLSv1.2 and TLSv1.3 on my Server. I use apache and nginx reverse proxy. I have followed this article to meet pci-dss compliance with Plesk Obisidian Version 18.0.27 on CentOS Linux 7.8.2003 (Core) Tune Plesk to Meet PCI DSS on Linux

Disabling weak SSL/TLS ciphers and protocols for the following Services:

plesk sbin pci_compliance_resolver --enable

- panel
- apache
- dovecot
- postfix
- proftpd

When I now check with SSL Labs, the Ciphers for TLSv1.3 are ok, but for TLSv1.2 are weak, please see screenshots.

I was asuming if running the pci_compliance_resolver for the services , that the Ciphers would be updated from weak to a secure level? Why Weak Ciphers for TLSv1.2 are still present on the server, how can I change this now, for all services ?

As I also use Nginx as Reverse Proxy, do I have to change there also something?

Thx
 

Attachments

  • 1.png
    1.png
    396.7 KB · Views: 32
  • 2.png
    2.png
    110.8 KB · Views: 27
Put the following in your NGINX section and you'll fix your PCI compliance issue and score an A+ on ssllabs:

Code: 
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384';

Then add:
Code: 
ssl_prefer_server_ciphers off;
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;

You can also pull additional data from Security/Server Side TLS - MozillaWiki and this Mozilla SSL Configuration Generator which generates ciphers based on your server config. However, the above works -- we use it :)
 
@Arashi

I tried yet with the SSLIT Extension to set Modern Cipher Suite, but found the following issues:

To be sure that just TLS1.2 and TLS1.3 Protocol i have done this: /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2 TLSv1.3"

Then I measured again with the Mozilla SSLIT Extension on SSLIT disabled!

1Protocols.JPG
2Cipher_Suites.JPG


Then i activated in SSLIT Modern and Enabled & Sync and activated.


3SSL_IT_Modern.JPG


After i measured again with SSLLabs and checked Clear Cache Option there:

Results where as you can see in the screenshot, Protocol TLSv1.3 is disabled, why is this?

Second for Protocol TLSv1.2 are still 2 weak Cipher Suites shown?


4After_Testing_Again_with_SSLLABS.JPG

Thx


Update: Turning off again the Function in SSLIT and recheck, still show, that TLSv1.3 is disabled.! I have to reissue again /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2 TLSv1.3" to have both Protocols are enabled !
 
Last edited:
themew said:
Put the following in your NGINX section and you'll fix your PCI compliance issue and score an A+ on ssllabs:

Code: 
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384';

Then add:
Code: 
ssl_prefer_server_ciphers off;
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;

You can also pull additional data from Security/Server Side TLS - MozillaWiki and this Mozilla SSL Configuration Generator which generates ciphers based on your server config. However, the above works -- we use it :)
Click to expand...


Hello Themew,

thanks for the Code, will try this, as i use Apache and Nginx Reverse Proxy, do i have to add your code just to additional Nginx directives ? :) Thx
 
sall10 said:
Hello Themew,

thanks for the Code, will try this, as i use Apache and Nginx Reverse Proxy, do i have to add your code just to additional Nginx directives ? :) Thx
Click to expand...

Yes. Add the code to the additional Nginx directives and you should be set. I don't use the SSLit extension so you may want to turn it off to avoid conflict. Our server is also set to use Nginx reverse proxy with Apache.
 
themew said:
Yes. Add the code to the additional Nginx directives and you should be set. I don't use the SSLit extension so you may want to turn it off to avoid conflict. Our server is also set to use Nginx reverse proxy with Apache.
Click to expand...


Thx, if SSLIT is deactivated, what is with the LetsEncrypt Certificates :)?
 
We don't use SSLit. Simply go to the domain you're working on, choose the SSL encryption icon and you can install and activate Lets Encrypt certs from there. You can also go under 'Server Settings' in the admin section and activate/choose to use those certs with the panel, email etc.
 
I have noticed that the default installation of Plesk came with tls v1 and tls v1.1 activated by default. In /etc/nginx/conf.d/ssl.conf, I deleted the text related to those TLS
so, now i have:
ssl_protocols TLSv1.2 TLSv1.3;

I guess that if we turn off ssl_prefer_server_ciphers, it should theoritically speed up the SSL handshake since the SSL cipher choice is performed by the client and not by the web server. So, we should save one round.

ssl_prefer_server_ciphers off;
 
You must log in or register to reply here.

Similar threads

D
Issue Can't enable TLSv1 and TLSv1.1 on Ubuntu 22.04
Replies
4
Views
7K
omniscient
O
M
Issue TLS/SSL configuration - DHE ciphers not working
Replies
5
Views
3K
learning_curve
learning_curve
L
Question TLS 1.3 on Litespeed webservers / Obsidian
Replies
0
Views
1K
lenala
L
X
Issue Disable pci-dss results in unhardened webserver
Replies
1
Views
1K
Solomaliar
Solomaliar
V
Question Why is PCI DSS compliant Dovecot configuration setting ssl_prefer_server_ciphers to no?
Replies
2
Views
2K
IgorG
IgorG
Back
Top