turn off SSLv2 and SSLv3 protocols on all domains on a server

[IATechsupport]

Can anyone help with turning off SSLv2 and SSLv3 protocols on all domains on a Plesk 12 CentOS 6 virtual server.

 

[Sergey L]

What kind of help are you looking for?
http://kb.odin.com/en/123160 - did you see steps suggested in this article?

 

[IATechsupport]

Thats a big help thanks, only thing is it doesn't tell us where the default ngix config file is to edit it. One I found says don't edit this file its generated automatically, any idea where its located ?

 

[IgorG]

Thats a big help thanks, only thing is it doesn't tell us where the default ngix config file is to edit it. One I found says don't edit this file its generated automatically, any idea where its located ?

There is section in KB article - Nginx server. Why it is not enough?

 

[UFHH01]

@IATechsupport : If you edit the ( automatic generated ) config - files itself, instead of using the work-around over the templates, as mentioned in the KB - article 123160, you will have to edit the config - files each and every time, when these config - files will be auto-generated by Plesk.... mostly after updates/upgrades/patches... after you changed webserver - settings for a domain... sometimes after additional software in- or deinstallations... and much more .... could be a half-time job, when you have lots of domains, so if you insist on the manual nginx - config - edits for each domain, you should cancel the fitness-club-membership now.

 

[Linulex]

What kind of help are you looking for?
http://kb.odin.com/en/123160 - did you see steps suggested in this article?

This article is not correct for the default pages on apache server for plesk 11.5 servers. It is correct for plesk 12 servers.

On plesk 11.5 the file /etc/httpd/conf/plesk.conf.d/server.conf has the lines

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

in it.

so placing the correct lines in /etc/httpd/conf/httpd.conf wil not work. They will be overruled by the plesk generated rules in de default file.

Fixing this is simple: apache takes the last rules it gets. the solution on plesk 11.5 is:

create a file

/etc/httpd/conf.d/zzzzzzzz.conf

give it enough z's to be sure it will be seen last by apache.
enter in this files:

SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
SSLInsecureRenegotiation off

These rules now will overwrite the server.conf rules, as they overwritten the httpd.conf rules

To be absolutly safe you can also enter these directives to /etc/httpd/conf.d/ssl.conf

as always: restart apache
and test at https://www.ssllabs.com/ssltest/index.html

disclaimer: ONLY TESTED ON PLESK 11.5, not on any other versions and these rules are not in the plesk 12 default file.

regards
Jan

 

[Tsi-Shawn]

This was solved in an earlier thread by myself and others. Working fine on all domains. http://talk.plesk.com/threads/ssl-poodle-sslv3-bug.323338/page-2#post-761197

tech01 summed it all up nicely right around the middle of the first page.

 

[IATechsupport]

Having read the http://kb.odin.com/en/123160 properly we worked out from that what we needed to do, and it worked ok.
Thanks to everyone who commented.

 

[Bonsai78]

As the above is outdated (I got F with it)


create a file

/etc/httpd/conf.d/zzzzzzzz.conf

give it enough z's to be sure it will be seen last by apache.
enter in this files:

SSLProtocol All -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AES:RSA+3DES:RC4+SHA!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!ADH:!AECDH:!MD5:!DSS:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Then relaod apache config:

service httpd reload

Also have a look at the DNS server and add CAA entries!

Now I got A on www.ssllabs.com