• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Resolved Totally remove SSLv3 from server

Pascal_Netenvie

Pascal_Netenvie

Regular Pleskian
Hi,
Despite i followed different KB that explain how to disable SSLv3 i still have a security breach for Poodle on my server.
According to Qualys SSL test the problem exist for handshake from IE6 / XP.
Apparently in this case Secure authentification fall back to SSLv3 ...
How can i solve that ?

Regards.

This server run on Plesk 12.0.18 and i already fixed these files :

Code: 
/etc/sw-cp-server/conf.d/plesk.conf
/etc/apache2/mods-enabled/ssl.conf
/etc/courier-imap/pop3d-ssl
/etc/courier-imap/imapd-ssl
/etc/postfix/main.cf
/etc/sw-cp-server/config
/usr/local/psa/admin/conf/ssl-conf.sh

And executed this :
Code: 
sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php
sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /opt/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /opt/psa/admin/conf/templates/default/server/nginxVhosts.php
 
If i look into /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php and other nginx config files, i see that :
PHP: 
<?php if (get_param('disablesslv3')): ?>
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
<?php else: ?>
    ssl_protocols               SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
<?php endif ?>

Can it come from that ?
 
Yes it was that.
Replaced
Code: 
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
by
Code: 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

and now it is ok.
 
@Pascal_Netenvie

Your answer solves the issue partially.

In essence, securing against Poodle is a combination of disabling SSLv3 (and preferably all SSL versions) and applying the proper cipher suites.

After all, some clients can still switch to SSL and if a specific application on Plesk (being a Plesk componet/package or even an application installed by a customer) supports SSLv3 (there are a lot of config files to be checked for SSLv3 enablement), you are still vulnerable.

In short, there is no easy solution, but the best approach is to run the command (from SSH): pci_compliance_resolver --enable

Note that this is the "best approach", not the "best solution", even with before mentioned command line tool there are some cipher suite related issues (that are minor, by the way).

Hope the above helps a bit

Regards....
 
You must log in or register to reply here.

Similar threads

D
Question Connection error from UnityWebRequest to my plesk server on older devices
Replies
1
Views
803
Nik G
N
C
Issue "New configuration files for the Apache web server were not created due to the errors in configuration templates"
Replies
4
Views
3K
The 8th
The 8th
T
Issue increase max file size upload on plesk server
Replies
8
Views
3K
tn7000
T
DieterWerner
Resolved sw server and TLS
Replies
13
Views
1K
DieterWerner
DieterWerner
Lethalmiko
Question How can I permanently remove Nginx from Port 80?
Replies
1
Views
4K
Lethalmiko
Lethalmiko
Back
Top