
unable to disable SSLv2 for Plesk (port 8443)

akiva

Guest
I've added

SSLProtocol all -SSLv2

to

/usr/local/psa/admin/conf/httpsd.conf

and restarted plesk and apache countless times.

Also:

When I run
openssl s_client -host 64.150.166.180 -port 8443 -verify -debug -ssl2

on the machine (via a PuTTY SSH connection) I get:

[X@localhost conf]# openssl s_client -host 64.150.166.180 -port 8443 -verify -debug -ssl2
verify depth is 0
CONNECTED(00000003)
write:errno=104
[X@localhost conf]#

When the PCI testers run it they get:

:~$ openssl s_client -host 64.150.166.180 -port 8443 -verify -debug -ssl2
verify depth is 0
CONNECTED(00000003)
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=svz16.startlogic.com/[email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=svz16.startlogic.com/[email protected]
verify return:1
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=svz16.startlogic.com/[email protected]
issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=svz16.startlogic.com/[email protected]
---
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 1167 bytes and written 236 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv2
Cipher : DES-CBC3-MD5
Session-ID: BEEDEC1EBA0FD61E2B2739D0F0F74841
Session-ID-ctx:
Master-Key: 3544615065FE2296EC7A7B80C909EFCBBC3530D315F3AC7B
Key-Arg : D979E278D0B2C59D
Start Time: 1199813184
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)


Any ideas HOW to turn off SSLv2? The change worked for the regular Apache on port 443...

Thanks
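The two runs above differ in the only line that matters: the scanner's run ends with an SSL-Session block saying Protocol : SSLv2, the local run dies with write:errno=104 before any handshake. The following is an added example (not from the original post) that pulls the negotiated protocol and cipher out of openssl s_client output so a probe can be scored from a script instead of by eye, treats a missing session block (the reset case) as "SSLv2 not negotiated", and wraps the live probe. The live probe assumes an OpenSSL build that still accepts -ssl2; OpenSSL 1.1.0 removed SSLv2 entirely and many earlier distro builds had it compiled out, so on such a box the option itself errors. The embedded sample is the session block as printed in the scanner run above.

```shell
#!/bin/sh
# Read openssl s_client output on stdin and print what was negotiated.
negotiated_protocol() {
  sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1
}
negotiated_cipher() {
  sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# True (0) when the captured output in file $1 shows an SSLv2 session.
# A reset before the handshake (write:errno=104) prints no SSL-Session
# block at all, so it is reported as "not negotiated".
sslv2_negotiated() {
  [ "$(negotiated_protocol < "$1")" = "SSLv2" ]
}

# Live probe of host $1, port $2. Needs an OpenSSL that still has -ssl2.
# Returns 1 when the server completes an SSLv2 handshake.
probe_sslv2() {
  out=$(mktemp)
  openssl s_client -connect "$1:$2" -ssl2 </dev/null >"$out" 2>&1
  if sslv2_negotiated "$out"; then
    echo "$1:$2 STILL ACCEPTS SSLv2 (cipher $(negotiated_cipher < "$out"))"
    rc=1
  else
    echo "$1:$2 refused SSLv2"
    rc=0
  fi
  rm -f "$out"
  return $rc
}

# Constructed sample: the SSL-Session block from the scanner's run.
sample=$(mktemp)
cat >"$sample" <<'EOF'
New, SSLv2, Cipher is DES-CBC3-MD5
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
Verify return code: 18 (self signed certificate)
EOF
if sslv2_negotiated "$sample"; then
  echo "sample: SSLv2 negotiated with $(negotiated_cipher < "$sample")"
fi
rm -f "$sample"
```

Run `probe_sslv2 host 8443` and `probe_sslv2 host 443` from the same box the scanner uses: a local run that is reset while a remote run completes a handshake is worth treating as two different answers from two different places, not as one server misreading its config.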
 
Thanks for the link

I had made that change -- for some reason the PCI test suite returns a false positive

Since it's only plesk that uses that port they passed the test manually.
 
Please take notice that there are two files to edit, one for normal SSL and one for Plesk SSL
 
Ok, just had to make sure - I was in the exact same boat you were and once I edited the second file plesk was sslv2 free.

Also just to make sure, you added both lines to both files and none of the files were /usr/local/psa/admin/conf/httpsd.conf, and you restarted the Plesk service afterwards too, right?

If you followed those instructions and it's still not working you need to contact SWsoft support because your install is probably broken, as practically any standard setup on CentOS/RHEL/Fedora etc. is set up using those files and those instructions would work for those - it did for me on all three of those OSes (FC5, RHEL4, CentOS4).

Good luck :)
 
same problem on Plesk 8.3

Hello I have the same problem here.

I was looking for file httpsd.custom.include but I don't have it.
I have

httpsd.conf
httpsd.conf.def
httpsd.conf.saved_by_psa
httpsd.pem
httpsd.pem.sav

Which are the files to modify inside
/usr/local/psa/admin/conf/... ?

Thanks a lot !!!
 
Yuppy!
I disabled SSLv2 on port 8443
but no way on 443.

Any ideas ?
 
TheZag, to disable SSLv2 for the default web server (port 443) you need to edit the configuration in /etc/httpd/ (usually), not the one in /usr/local/psa/.

That said, I am still having difficulties disabling the SSLv2 and weak ciphers for Plesk 8.6.

I am familiar with and have made the changes related to Plesk from links like this:

http://www.linux-advocacy.org/web-servers/making-plesk-more-pci-compliant

Here's what I have done so far:

- Edited /usr/local/psa/admin/conf/httpsd.custom.include so that SSLv2 and the weak ciphers are disabled (using SSLProtocol and SSLCipherSuite). If I run

/usr/local/psa/admin/bin/httpsdctl configtest

I see that it is looking at both httpsd.custom.include and httpsd.conf.

- Restarted Plesk, ran the SSL tests, and nothing changed (the SSL test still fails).

- On a whim, I updated /usr/local/psa/admin/conf/httpsd.conf with the same configuration. Restarted plesk and nothing happened. I changed this back to the default configuration.

- Next I turned off both Apache servers (PSA and the regular web server) to find that there is another server still listening (somehow) on that port. Basically, after shutting these both off, if I went to https://cs4.pnmg.com:8443/ I still received a login screen for Plesk (despite `ps -ef | grep http` returning nothing).

Is /usr/local/psa/admin/conf/httpsd.custom.include the correct file to edit? Is there way to force plesk to reload this configuration?

Thanks!
 
Hello rb6, thanks a lot for your reply !
Yesterday I was nearly going mad with all the various alerts from McAfee related to PCI compliance...
Well, I don't remember exactly what I did yesterday, again fighting with SSLv2 and CipherSuite, but this morning,
as if by a miracle... I received an email saying that I had finally passed all PCI tests...

Well, I don't know about Plesk 8.6, I still have - and I don't know why - 8.3 (also, I'm not able to update it...)
but the idea I now have in my mind is that if someone like me rented a virtual server just for himself to run exclusively an e-commerce website, well, probably, after losing not less than 4 months looking and searching on the internet for any good help to solve various issues, well, probably the use of Plesk with Apache is just a big headache!

Yes, and mostly for a newbie like me in the world of Linux.

Before working on a VPS, I just took care of my websites -> HTML and FTP. Everything was and is easy.
When I decided to open an e-commerce website, just last year... Well, I didn't know I was entering such a dark tunnel.

Firstly I went to school to learn Linux. Then I began to buy books and books: about Linux, about Apache, about MySQL, about servers... etc etc

In this way my adventures in Linux world started.

Well, thanks mostly to the internet and forums like this, I was able to discover - step by step - news and help to solve the many alerts I was receiving every day... almost 20 each day!
Then I began to put my hands on them... and one by one...

Ok, my VPS runs Debian with CentOS and Plesk 8.3.
The really bad things I still don't understand are:

1) When I finished learning almost everything about Apache and, most of all, how to use and write with the shell... I discovered that Plesk changes or uses the most important parts of the configuration, creating a lot of headaches! And not in just one file... So it's like looking for a treasure inside the shell.

2) Regarding Plesk firewalls, I don't understand why they consider only the TCP and UDP protocols, while it would probably be important to also have ICMP. But this you have to fix through iptables.
Well... So go and look for what iptables are now!

3) CentOS - note that now I also have a PC with CentOS, and I'm beginning to use it more than my other PC with WIN XP - it is absolutely incredible that it doesn't update any version but just applies patches: yes, very good, this is a political point of view, but in a global world - why not put together all basic powers, mostly when different software packages are supposed to work together?

Anyway... If you're on your own and you don't have to sell any webspace to others, probably the best solution is a Linux/Apache server without anything else. Everything can be configured via the shell and you can spend lots of hours sleeping or doing anything else, instead of becoming a sort of Indiana Jones!

Well... After this long letter, now I'm going to eat.
I'll be back later.
Thanks for all help I received !
 
In reference to 1) Plesk doesn't touch the vendor-shipped config files for Apache, which are /etc/httpd/conf/httpd.conf and the files in /etc/httpd/conf.d, so you can modify any of those whenever you need to without Plesk getting in the way. It does create its own file in /etc/httpd/conf.d/zz010_psa_httpd.conf which you can't edit; this file in turn references /var/www/vhosts/DOMAIN/conf/httpd.include, which you also don't edit. If you need to make changes you'd do that in /var/www/vhosts/DOMAIN/conf/vhost.conf

2) Because technically speaking, TCP and UDP are layer 4 and ICMP is layer 3-ish. What are you trying to do here? I actually wrote a book about this :p

3) Not sure what you're asking here
 
Firstly, let me say that I don't know if something is different between 8.3 and your 8.6

to disable SSLv2 on 443 and 4643 I edited the file at
/etc/httpd/conf.d/ssl.conf

adding at beginning of file right below

Listen 443
Listen 4643

SSLProtocol all -SSLv2
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Then ":wq"
Then "service httpd restart"

--------------------------------------------------

The same I did at
/usr/local/psa/admin/conf/httpsd.custom.include

I wrote both:

ServerTokens Prod
UserDir disabled
SSLProtocol all -SSLv2
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

<VirtualHost *:8443>
ServerName *:8443
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
</VirtualHost>

save and restart psa:
service psa restart
--------------------------------------------------------------

For the moment... everything looks okay.
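Whether an SSLProtocol line really leaves SSLv2 off depends on how mod_ssl reads it, and the three spellings in this thread (all -SSLv2, -ALL +SSLv3 +TLSv1, and plain all) do not all give the same answer. The script below is an added example, not part of TheZag's post: it applies the token semantics of mod_ssl on Apache 2.0/2.2 (tokens are read left to right; all means SSLv2 SSLv3 TLSv1; +name adds, -name removes, and a bare name replaces the whole set; with no directive the default is all) and audits every SSLProtocol directive in a file so both files above, /etc/httpd/conf.d/ssl.conf and /usr/local/psa/admin/conf/httpsd.custom.include, can be checked after editing. It only lists each directive; it does not work out which server or vhost context wins. The SSLCipherSuite string is deliberately not inspected: -SSLv2 there only removes SSLv2-only cipher suites and does not by itself turn the protocol off. The config file it creates is constructed for the demonstration.

```shell
#!/bin/sh
# Evaluate one "SSLProtocol ..." line with Apache 2.0/2.2 mod_ssl semantics
# and print "on" if SSLv2 is still enabled afterwards, "off" otherwise.
sslv2_state_of_line() {
  state=off
  set -- $1                       # split the line into words
  shift                           # drop the directive name itself
  for tok in "$@"; do
    lc=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')
    case "$lc" in
      all|sslv2)    state=on  ;;  # bare word replaces the whole set
      +all|+sslv2)  state=on  ;;
      -all|-sslv2)  state=off ;;
      [+-]*)                  ;;  # +/-SSLv3, +/-TLSv1: no effect on SSLv2
      *)            state=off ;;  # bare SSLv3 or TLSv1 replaces the set
    esac
  done
  echo "$state"
}

# Audit every SSLProtocol directive in config file $1 (comments stripped).
# Prints one line per directive; returns 1 if any directive, or the
# implicit default when there is none, still allows SSLv2.
audit_sslprotocol() {
  bad=0
  found=0
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    found=1
    st=$(sslv2_state_of_line "$line")
    printf '%-4s %s\n' "$st" "$line"
    [ "$st" = on ] && bad=1
  done <<EOF
$(sed 's/#.*//' "$1" | grep -i '^[[:space:]]*SSLProtocol[[:space:]]')
EOF
  if [ "$found" = 0 ]; then
    echo "on   (no SSLProtocol directive: the default 'all' includes SSLv2)"
    bad=1
  fi
  return $bad
}

# Constructed sample mixing the directives seen in this thread.
cfg=$(mktemp)
cat >"$cfg" <<'EOF'
Listen 443
SSLProtocol all -SSLv2
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
<VirtualHost *:8443>
    SSLProtocol -ALL +SSLv3 +TLSv1
</VirtualHost>
SSLProtocol all   # a line someone forgot to edit
EOF
audit_sslprotocol "$cfg" || echo "-> at least one directive still allows SSLv2"
rm -f "$cfg"
```

Run it as `audit_sslprotocol /usr/local/psa/admin/conf/httpsd.custom.include` and again on the httpd ssl.conf; a clean result from both and a scanner that still negotiates SSLv2 means the process answering the port is not reading those files.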
 
Hello Atomicturtle and thanks for your reply.

First of all I'm sorry that English is not my native language, so many "ideas" or "concepts" I try to express could be distorted.
I'm sorry that my replies come late, because they have to be read for approval.
Anyway...

Those 3 points I wrote are just my "considerations" after 4/6 months of research trying to solve PCI compliance issues.
Nothing else. Just words from one who learned the minimum in less than 6 months. And I don't want to pass for someone I'm not. This means I don't want to pass as an IT engineer: I'm not :-(
So many or all the things I wrote are probably wrong; most of all I didn't want to hurt anybody! ;-)

One thing: any change I try to add to
vhost.conf and vhost_ssl.conf
for httpd.include causes errors (httpd doesn't restart).
"I think" this is because httpd.include automatically adds a link inside
a <VirtualHost *:*> ... </VirtualHost>.
 
Sure no problem :p

In reference to the vhost.conf, it's being called from inside a VirtualHost directive, like this:

<VirtualHost whatever.com>

Include vhost.conf

</VirtualHost>

So that's why you can't declare the VirtualHost setting in it; the good news is that whatever you put in that file will override the other settings in the httpd.include. This is often used for things like manipulating the php_openbasedir path, mod_rewrite rules, Alias settings, etc.
 
Ahah! I'm going really mad here...
Well, after all I did...
Now
service psa restart
after 6 OKs
at the seventh it gives an error
and doesn't restart!

...Oh my...
 
Hello, please help.

Is it possible that I lost something called "drwebd"???
What is it?
I did /etc/init.d/drwebd restart
but the answer is that it's not installed (?!?!)

Where can I find some info?

Thanks !
 
Hello,

Sorry to rehash this again, but I'm still stuck trying to get an issue fixed for a client. Basically, I have edited the PSA Apache configuration to disable SSLv2 and weak ciphers, but I am still getting both in my testing.

In /usr/local/psa/admin/conf/httpsd.custom.include:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH

Results of testing 8443:

Testing SSL2...
DES-CBC3-MD5 - 168 bits
RC2-CBC-MD5 - 128 bits
RC4-MD5 - 128 bits
DES-CBC-MD5 - 56 bits
EXP-RC2-CBC-MD5 - 40 bits
EXP-RC4-MD5 - 40 bits
Testing TLS1...
DHE-RSA-AES256-SHA - 256 bits
AES256-SHA - 256 bits
EDH-RSA-DES-CBC3-SHA - 168 bits
DES-CBC3-SHA - 168 bits
DHE-RSA-AES128-SHA - 128 bits
AES128-SHA - 128 bits
RC4-SHA - 128 bits
RC4-MD5 - 128 bits
EDH-RSA-DES-CBC-SHA - 56 bits
DES-CBC-SHA - 56 bits
EXP-EDH-RSA-DES-CBC-SHA - 40 bits
EXP-DES-CBC-SHA - 40 bits
EXP-RC2-CBC-MD5 - 40 bits
EXP-RC4-MD5 - 40 bits

I have pretty much the same configuration (and have tried the exact configuration) in the /etc/httpd/ config file and here are the testing results:

Testing SSL2...
Testing TLS1...
DHE-RSA-AES256-SHA - 256 bits
AES256-SHA - 256 bits
EDH-RSA-DES-CBC3-SHA - 168 bits
DES-CBC3-SHA - 168 bits
DHE-RSA-AES128-SHA - 128 bits
AES128-SHA - 128 bits
RC4-SHA - 128 bits
RC4-MD5 - 128 bits

One strange aspect of this issue -- and I'm not sure if it is a related issue -- is that after turning off PSA (/etc/init.d/psa stop) you can still access port 8443 and see a Plesk login form.

Thanks again!
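The last observation is the one to settle first: if something still answers on 8443 after `/etc/init.d/psa stop`, then the SSLProtocol edits are only meaningful in whatever config that surviving process loaded, and `ps -ef | grep http` can miss it when the binary is not called httpd. This is an added example, not from rb6's post: it parses `ss -ltnp` output (and the `netstat -ltnp` layout, where the local address is also the fourth field) to list the PIDs bound to a port, then prints each PID's command line from /proc, which on a process started with -f shows the config path. The ss output embedded below is constructed, and the process names and PIDs in it are placeholders, not what the poster's server showed.

```shell
#!/bin/sh
# Print the PIDs listening on port $1. Reads "ss -ltnp" or "netstat -ltnp"
# output on stdin; in both layouts the local address is field 4 and the
# owning process is in the last field:
#   ss:      users:(("httpsd",pid=3177,fd=5))
#   netstat: 3177/httpsd
listener_pids() {
  awk -v port="$1" '
    $4 ~ (":" port "$") && /LISTEN/ {
      s = $0
      while (match(s, /pid=[0-9]+/)) {              # ss style, may repeat
        print substr(s, RSTART + 4, RLENGTH - 4)
        s = substr(s, RSTART + RLENGTH)
      }
      if (match($NF, /^[0-9]+\//))                  # netstat style
        print substr($NF, 1, RLENGTH - 1)
    }'
}

# Show the command line of PID $1 (Linux /proc), so a "-f <config>" is visible.
describe_pid() {
  if [ -r "/proc/$1/cmdline" ]; then
    printf '%s: ' "$1"
    tr '\0' ' ' < "/proc/$1/cmdline"
    echo
  else
    echo "$1: (no /proc entry; process not running on this host)"
  fi
}

# Live query: who is actually serving port $1 right now?
who_serves() {
  ss -ltnp 2>/dev/null | listener_pids "$1" | sort -u |
    while read -r pid; do describe_pid "$pid"; done
}

# Constructed sample of ss -ltnp output; names and PIDs are placeholders.
sample='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*         users:(("httpd",pid=2101,fd=4),("httpd",pid=2100,fd=4))
LISTEN 0      128    *:8443             *:*               users:(("httpsd",pid=3177,fd=5))
LISTEN 0      128    *:8880             *:*               users:(("httpsd",pid=3177,fd=6))'
echo "PIDs on 8443 in the sample:"
printf '%s\n' "$sample" | listener_pids 8443
```

Run `who_serves 8443` as root before and after stopping psa: if the list is non-empty after the stop, the command line it prints tells you which binary and which -f config file to look at, and that is the file whose SSLProtocol line the scanner is actually testing.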
 
Wow... Everybody is busy on this forum...

Well, I discovered that I was wrong.
To remove SSLv2 from 8443 it is enough to edit
------------------------------------------------
/usr/local/psa/admin/conf/httpsd.custom.include
------------------------------------------------

UserDir disabled
SSLProtocol all -SSLv2
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

then
service psa stop
and
service psa start all
------------------------------------------------

psa now restarts even though I don't have "drwebd" (which I didn't have before either - and why, I don't know).

Tomorrow I'll see if I lost the PCI...
Thanks to all !
 