• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Totally remove SSLv3 from server

Pascal_Netenvie

Pascal_Netenvie

Regular Pleskian
Hi,
Despite i followed different KB that explain how to disable SSLv3 i still have a security breach for Poodle on my server.
According to Qualys SSL test the problem exist for handshake from IE6 / XP.
Apparently in this case Secure authentification fall back to SSLv3 ...
How can i solve that ?

Regards.

This server run on Plesk 12.0.18 and i already fixed these files :

Code: 
/etc/sw-cp-server/conf.d/plesk.conf
/etc/apache2/mods-enabled/ssl.conf
/etc/courier-imap/pop3d-ssl
/etc/courier-imap/imapd-ssl
/etc/postfix/main.cf
/etc/sw-cp-server/config
/usr/local/psa/admin/conf/ssl-conf.sh

And executed this :
Code: 
sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php
sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /opt/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /opt/psa/admin/conf/templates/default/server/nginxVhosts.php
 
If i look into /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php and other nginx config files, i see that :
PHP: 
<?php if (get_param('disablesslv3')): ?>
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
<?php else: ?>
    ssl_protocols               SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
<?php endif ?>

Can it come from that ?
 
Yes it was that.
Replaced
Code: 
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
by
Code: 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

and now it is ok.
 
@Pascal_Netenvie

Your answer solves the issue partially.

In essence, securing against Poodle is a combination of disabling SSLv3 (and preferably all SSL versions) and applying the proper cipher suites.

After all, some clients can still switch to SSL and if a specific application on Plesk (being a Plesk componet/package or even an application installed by a customer) supports SSLv3 (there are a lot of config files to be checked for SSLv3 enablement), you are still vulnerable.

In short, there is no easy solution, but the best approach is to run the command (from SSH): pci_compliance_resolver --enable

Note that this is the "best approach", not the "best solution", even with before mentioned command line tool there are some cipher suite related issues (that are minor, by the way).

Hope the above helps a bit

Regards....
 
You must log in or register to reply here.

Similar threads

D
Question Connection error from UnityWebRequest to my plesk server on older devices
Replies
1
Views
1K
Nik G
N
S
Resolved Dovecot Broken After Latest Update
Replies
4
Views
1K
scpcomp
S
C
Issue "New configuration files for the Apache web server were not created due to the errors in configuration templates"
Replies
4
Views
5K
The 8th
The 8th
T
Issue increase max file size upload on plesk server
Replies
8
Views
3K
tn7000
T
DieterWerner
Resolved sw server and TLS
Replies
13
Views
2K
DieterWerner
DieterWerner
Back
Top