Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to fix CVE-2015-4000 LOGJAM TLS DH vulnerability on Plesk server?
Answer
Since Plesk 12.5, the utility plesk sbin sslmng can disable TLS compression and set the DH parameter size to 2048 bits.
To apply this to all services:
- Connect to the server over SSH.
- Run the following command:
# plesk sbin sslmng -vvv --strong-dh --dhparams-size=2048
Note: To change the setting for a particular service only, use the --services=service_name option.
Warning: Executing the script below on Plesk 12.5 and later can make Plesk inoperable due to duplicate ssl_ directives.
Warning: Apply the script in a test environment first. Contact Plesk Technical Support in case of any issues.
The script patches the configuration correctly only if OpenSSL 1.0.1 or later is installed, because earlier versions do not support TLS 1.1 and TLS 1.2.
Steps of the solution:
- Connect to the server via SSH.
- Download the script, unzip it and run it:
# wget https://support.plesk.com/hc/article_attachments/115004355285/SSLfix.zip
# unzip SSLfix.zip
# chmod +x SSLfix.sh
# ./SSLfix.sh [v3|dh] [service name like apache, ngin
Without arguments, it patches all services' configuration for both SSLv3 (POODLE) and weak DH (Logjam).
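Whichever of the two procedures above is used (sslmng on Plesk 12.5 and later, or SSLfix.sh on older versions), the check a defender wants afterwards is that the DH parameters the services actually load are at least 2048 bits. The following script is an added example, not part of the Plesk article, the sslmng utility or the SSLfix.sh script: it is a minimal DER parser for the PKCS#3 DHParameter structure (SEQUENCE of two INTEGERs, prime and base) that reports the modulus size of a PEM "DH PARAMETERS" file. The sample inputs are constructed in the script (odd integers of the right length, not real safe primes) purely to exercise the parser; the file path in the usage block is a placeholder, since the article does not name where Plesk writes its dhparams file.

```python
"""Report the modulus size of a PEM-encoded 'DH PARAMETERS' file.

Added example (not from the Plesk article or its tools). Parses the PKCS#3
structure  DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
and flags a modulus shorter than the 2048 bits the article targets.
"""
import base64
import re
import sys

MIN_DH_BITS = 2048  # matches the article's --dhparams-size=2048


def _read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_dh_params(pem: str):
    """Return (prime_bits, generator) from a PEM 'DH PARAMETERS' block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs")
    # DER INTEGER is big-endian two's complement; a leading 0x00 keeps p positive
    p = int.from_bytes(p_bytes, "big")
    g = int.from_bytes(g_bytes, "big")
    return p.bit_length(), g


def is_strong(pem: str, min_bits: int = MIN_DH_BITS) -> bool:
    """True when the modulus meets the minimum size."""
    bits, _ = parse_dh_params(pem)
    return bits >= min_bits


# --- constructed sample input (odd integers, NOT real safe primes) ----------
def _encode_dh_params(p: int, g: int) -> str:
    """Encode p, g as PEM DH PARAMETERS; used only to build the samples below."""
    def der_len(n):
        if n < 0x80:
            return bytes([n])
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(lb)]) + lb

    def der_int(n):
        b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
        if b[0] & 0x80:
            b = b"\x00" + b                  # keep the INTEGER positive
        return b"\x02" + der_len(len(b)) + b

    body = der_int(p) + der_int(g)
    der = b"\x30" + der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"


WEAK_PEM = _encode_dh_params((1 << 1023) | 1, 2)     # 1024-bit modulus (constructed)
STRONG_PEM = _encode_dh_params((1 << 2047) | 1, 2)   # 2048-bit modulus (constructed)

if __name__ == "__main__":
    # Usage: python dhcheck.py /path/to/dhparams.pem   (placeholder path)
    path = sys.argv[1] if len(sys.argv) > 1 else "/path/to/dhparams.pem"
    with open(path) as fh:
        bits, g = parse_dh_params(fh.read())
    verdict = "OK" if bits >= MIN_DH_BITS else "WEAK"
    print(f"{path}: {bits}-bit modulus, generator {g}: {verdict}")
```

The same bit length can be read with `openssl dhparam -in dhparams.pem -text -noout`; the parser above is useful where you want the check inside an automated audit rather than by eye. It only measures the modulus size, which is what Logjam hardening is about; it does not verify that the modulus is prime.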
Additional information
Operating system (OS) vendors released the following security advisories to address this vulnerability:
- Connect to the server over RDP.
- Open the Group Policy Object Editor: type gpedit.msc in the Start > Run dialogue window.
- Expand Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
- Under SSL Configuration Settings, open the SSL Cipher Suite Order setting.
- Set up a strong cipher suite order. See this list of Microsoft's supported ciphers and Mozilla's TLS configuration instructions.
Comments
1 comment
Hi,
Very interesting, thanks, but for AIX Server do you have some info or more details? Maybe I could try with the script you have prepared? I have downloaded it and now will check, thanks, bye.