• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

turn off SSLv2 and SSLv3 protocols on all domains on a server

Thats a big help thanks, only thing is it doesn't tell us where the default ngix config file is to edit it. One I found says don't edit this file its generated automatically, any idea where its located ?
 
Thats a big help thanks, only thing is it doesn't tell us where the default ngix config file is to edit it. One I found says don't edit this file its generated automatically, any idea where its located ?
There is section in KB article - Nginx server. Why it is not enough?
 
@IATechsupport : If you edit the ( automatic generated ) config - files itself, instead of using the work-around over the templates, as mentioned in the KB - article 123160, you will have to edit the config - files each and every time, when these config - files will be auto-generated by Plesk.... mostly after updates/upgrades/patches... after you changed webserver - settings for a domain... sometimes after additional software in- or deinstallations... and much more .... could be a half-time job, when you have lots of domains, so if you insist on the manual nginx - config - edits for each domain, you should cancel the fitness-club-membership now. :p
 
What kind of help are you looking for?
http://kb.odin.com/en/123160 - did you see steps suggested in this article?

This article is not correct for the default pages on apache server for plesk 11.5 servers. It is correct for plesk 12 servers.

On plesk 11.5 the file /etc/httpd/conf/plesk.conf.d/server.conf has the lines

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

in it.

so placing the correct lines in /etc/httpd/conf/httpd.conf wil not work. They will be overruled by the plesk generated rules in de default file.

Fixing this is simple: apache takes the last rules it gets. the solution on plesk 11.5 is:

create a file

/etc/httpd/conf.d/zzzzzzzz.conf

give it enough z's to be sure it will be seen last by apache.
enter in this files:

SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
SSLInsecureRenegotiation off

These rules now will overwrite the server.conf rules, as they overwritten the httpd.conf rules

To be absolutly safe you can also enter these directives to /etc/httpd/conf.d/ssl.conf

as always: restart apache
and test at https://www.ssllabs.com/ssltest/index.html

disclaimer: ONLY TESTED ON PLESK 11.5, not on any other versions and these rules are not in the plesk 12 default file.

regards
Jan
 
As the above is outdated (I got F with it)


create a file

/etc/httpd/conf.d/zzzzzzzz.conf

give it enough z's to be sure it will be seen last by apache.
enter in this files:
Code:
SSLProtocol All -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AES:RSA+3DES:RC4+SHA!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!ADH:!AECDH:!MD5:!DSS:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Then relaod apache config:
Code:
service httpd reload

Also have a look at the DNS server and add CAA entries!

Now I got A on www.ssllabs.com
 
Back
Top