Why Plesk 12.5 supports weak Diffie-Hellman?

[Nosxxx]

Is there a reason why Plesk 12.5 hasn't patched Logjam? There are several sultions in the Forum, but why is there no "offical" (without editing files) Patch included in Plesk 12.5 ?

 

[Nosxxx]

I found an better solution as editing plesk template files.
If you add ssl_dhparam /etc/nginx/dhparam.pem; in ssl.conf it also works. Is this unsecure ?

 

[UFHH01]

Hi Nosxxx,

you might find it interesting to read: [IMPORTANT]: READ THIS FIRST TO FIND QUICK SOLUTION FOR THE EXISTING ISSUE/QUESTION

Based on this very first informations, links and basic commands, you could find it interesting as well, that Odin provides an enormous lot of KB - articles where you find solutions, suggestions and work - arounds.

As for example:

[Plesk] CVE-2015-4000 LOGJAM TLS DH vulnerability ( KB - article 125 741 )​

[Plesk] CVE-2014-3566: POODLE attack exploiting SSL 3.0 fallback ( KB - article 123 160 )​

In some cases you might experience issues with incompatibilities for some browser and/or eMail - clients, after you followed the KB - article 123 160. It might help to read:

SSL POODLE / SSLv3 bug ( Odin / Parallels Forum - Link )​

... to solve such issues, because there are several additional solutions provided in this thread.​

Additional informations and suggestions could be found, using the forum SEARCH with one or more specific keywords ( in your case, maybe "logjam", or "dhparam" ?!? )


If you experience issues, while following suggestions, please try to add as much informations as possible, regarding your operating system ( please be aware, that Odin supports quite a few operating systems and not only yours, which we might not know, due to missing infomrations ), your current Plesk version ( incl. MU ), your webserver(s) in use ( apache and which version, please? / nginx and which version, please? ) or your used mail - server ( or other related informations for your service, where your issue/problem appears ) and try to provide informations, what you already did, to solve your issue/problem, so that possible answers don't suggest things, you already did to solve your issue/problem.
In most cases, it is very usefull to add error messages from the depending log - file of your issue/problem related service(s) - and maybe as well the corresponding configuration files - consider to read and bookmark "Odin / Parallels Plesk Panel for Linux services logs and configuration files ( KB - article: 111 283 )".

 

[Nosxxx]

Thanks for your answer.
I'm using Plesk 12.5 and Debian8. Editing /etc/nginx/conf.d/ssl.conf works fine for me.
My "main" Question was why Plesk 12.5 has no "Patch" Out of the Box.

 

[MariusAZ]

I'm surprised there hasn't been an update to this post. It'd be nice if they updated the SSLfix.sh script to work with 12.5.30.

 

[MariusAZ]

Using this guide : http://download1.parallels.com/Ples...compliance-guide/index.htm?fileName=65871.htm

I was able to get A rating on SSL Test just by running the "/usr/local/psa/admin/bin/pci_compliance_resolver --enable all" command. "all" seems to be broke so just use "/usr/local/psa/admin/bin/pci_compliance_resolver --enable"

I rebooted afterwards but I don't know if this was necessary or not.