Resolved Why SSLv2 and SSLv3?

[Azurel]

In nginx /etc/nginx/plesk.conf.d/server.conf I found

ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;

Why? See here: http://disablessl3.com/ or here https://blog.qualys.com/ssllabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack


Maybe that helps here too:
https://mozilla.github.io/server-side-tls/ssl-config-generator/

SSLLabs give you Grade C for using SSLv3

This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.

From Apache Config:

Default: SSLProtocol all -SSLv3 (up to 2.4.16: all)

From nginx Config:

Default: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

SOLUTION:

http://kb.odin.com/en/123160

for Plesk 12.5

For all sites in Plesk 12.0 for Linux:

# mysqldump -uadmin -p`cat /etc/psa/.psa.shadow` psa > psa_backup.sql
# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa
mysql> insert into misc values('disablesslv3', 'true');

Then, reconfigure Apache and Nginx:

# /usr/local/psa/admin/bin/httpdmng --reconfigure-all

 

[UFHH01]

Hi Azurel,

not all SSLv2/SSLv3 - protocols have a protocol weaknesses, that's why it is very much recommended and wise, to define your ciphers lists carefully!
If you intend to remove all SSLv3 ciphers, you remove as well some TLSv1 ciphers and if you remove all SSLv2 ciphers as well, you will now only support TLSv1.2 - which is a bad idea, because you will experience quite a lot of issues now.

Pls. read more about ciphers and it's usage, as for example at: => https://www.openssl.org/docs/manmaster/apps/ciphers.html