• Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring.
    We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design.
    If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
  • Our UX team believes in the in the power of direct feedback and would like to invite you to participate in interviews, tests, and surveys.
    To stay in the loop and never miss an opportunity to share your thoughts, please subscribe to our UX research program. If you were previously part of the Plesk UX research program, please re-subscribe to continue receiving our invitations.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Resolved Totally remove SSLv3 from server

Pascal_Netenvie

Pascal_Netenvie

Regular Pleskian
Hi,
Despite i followed different KB that explain how to disable SSLv3 i still have a security breach for Poodle on my server.
According to Qualys SSL test the problem exist for handshake from IE6 / XP.
Apparently in this case Secure authentification fall back to SSLv3 ...
How can i solve that ?

Regards.

This server run on Plesk 12.0.18 and i already fixed these files :

Code: 
/etc/sw-cp-server/conf.d/plesk.conf
/etc/apache2/mods-enabled/ssl.conf
/etc/courier-imap/pop3d-ssl
/etc/courier-imap/imapd-ssl
/etc/postfix/main.cf
/etc/sw-cp-server/config
/usr/local/psa/admin/conf/ssl-conf.sh

And executed this :
Code: 
sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php
sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /opt/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /opt/psa/admin/conf/templates/default/server/nginxVhosts.php
 
If i look into /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php and other nginx config files, i see that :
PHP: 
<?php if (get_param('disablesslv3')): ?>
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
<?php else: ?>
    ssl_protocols               SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
<?php endif ?>

Can it come from that ?
 
Yes it was that.
Replaced
Code: 
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
by
Code: 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

and now it is ok.
 
@Pascal_Netenvie

Your answer solves the issue partially.

In essence, securing against Poodle is a combination of disabling SSLv3 (and preferably all SSL versions) and applying the proper cipher suites.

After all, some clients can still switch to SSL and if a specific application on Plesk (being a Plesk componet/package or even an application installed by a customer) supports SSLv3 (there are a lot of config files to be checked for SSLv3 enablement), you are still vulnerable.

In short, there is no easy solution, but the best approach is to run the command (from SSH): pci_compliance_resolver --enable

Note that this is the "best approach", not the "best solution", even with before mentioned command line tool there are some cipher suite related issues (that are minor, by the way).

Hope the above helps a bit

Regards....
 
You must log in or register to reply here.

Similar threads

B
Resolved How do I enable FTPS?
Replies
10
Views
996
Kaspar
K
A
Issue FTP - Insecure server, it does not support FTP over TLS.
Replies
3
Views
590
Alban Staehli
A
J
Issue Error: configuration files for the Apache web server were not created
Replies
1
Views
472
Raul A.
R
R
Issue Error: New configuration files for the Apache web server were not created due to the errors in configuration templates:
Replies
0
Views
799
reirod
R
R
Issue Cannot restart NGINX
Replies
1
Views
435
Raul A.
R
Back
Top