[HUB] SSL security vulnerabilities

Created:

2016-11-16 13:17:14 UTC

Modified:

2017-04-24 11:15:05 UTC


Applicable to:

  • Plesk

Introduction

HTTPS servers must be kept secure against current threats: new weaknesses in cryptographic algorithms and protocols are discovered regularly, and the default settings of web servers and operating systems do not always provide an acceptable level of SSL/TLS security.

The most critical vulnerabilities are fixed in Plesk microupdates, so make sure that the latest Plesk microupdates are installed.
Refer to KB article #213943585 for more information about using microupdates in Plesk.

Testing SSL/TLS Security

The best and preferred way to assess the SSL/TLS configuration of a web server is the Qualys SSL Labs test: https://www.ssllabs.com/ssltest . A grade of A denotes a reasonably good security level; grades lower than B require appropriate mitigation steps.

Known vulnerabilities

The table below lists known vulnerabilities and the KB articles with their explanations and fixes.

Vulnerability                                              KB article with fix
CVE-2014-0224 : Security vulnerability in OpenSSL          #213366429
CVE-2014-3566 : POODLE attack exploiting SSL 3.0 fallback  #213410909
CVE-2015-4000 : LOGJAM TLS DH vulnerability                #213933745


For Linux-based systems we have prepared a script that follows the recommendations of the Guide to Deploying Diffie-Hellman for TLS (https://weakdh.org/sysadmin.html).

Apply the script in a test environment first. Contact Odin Technical Support if any issues arise.

The script fixes CVE-2014-3566 and CVE-2015-4000, but it requires OpenSSL 1.0.1 or later, because earlier versions do not support TLS 1.1 and TLS 1.2, so disabling SSLv3 on them would leave TLS 1.0 as the only available protocol.

Usage:

# wget http://kb.plesk.com/Attachments/kcs-51784/SSLfix.zip
# unzip SSLfix.zip
# chmod +x SSLfix.sh
# ./SSLfix.sh [v3|dh] [service name like apache, nginx]

Without arguments it patches the configuration of all of the following services for SSLv3 (POODLE) and weak DH (Logjam):

SERVICES:
apache
nginx
postfix
courier
dovecot
proftpd
cp_server
qmail
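As an added example (this is not SSLfix.sh and not Plesk code), the following POSIX shell script performs the check a practitioner would want before and after running the fix on nginx: it audits a configuration file for SSLv3 still listed in ssl_protocols (POODLE) and for a missing ssl_dhparam (Logjam), and writes a constructed weak and hardened server block so the audit can be tried offline. The file names, the /etc/nginx/dhparam.pem path and the sample server blocks are assumptions; the same two checks can be adapted to Apache's SSLProtocol directive.

```shell
#!/bin/sh
# Added example for this KB article; it is not SSLfix.sh and not Plesk code.
# It audits an nginx configuration file for the two weaknesses SSLfix.sh
# removes: SSLv3 left in ssl_protocols (POODLE, CVE-2014-3566) and no
# ssl_dhparam, which leaves older nginx builds on their built-in 1024-bit
# DH group (Logjam, CVE-2015-4000). Paths and sample blocks are assumptions.

# audit_nginx_ssl FILE
# Prints one line per weak setting found; returns 1 if any, 0 if clean.
audit_nginx_ssl() {
    file="$1"
    rc=0
    # POODLE: an active (uncommented) ssl_protocols directive listing SSLv2/SSLv3.
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*SSLv[23]' "$file"; then
        echo "$file: SSLv2/SSLv3 still enabled in ssl_protocols (CVE-2014-3566)"
        rc=1
    fi
    # Logjam: no ssl_dhparam directive means no custom 2048-bit group is used.
    if ! grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]+[^[:space:];]+[[:space:]]*;' "$file"; then
        echo "$file: ssl_dhparam not set, default DH parameters in use (CVE-2015-4000)"
        rc=1
    fi
    return $rc
}

# write_sample_configs DIR
# Writes a constructed "before" and "after" server block into DIR. The
# "after" block mirrors what the fix leaves behind: SSLv3 removed and a
# 2048-bit DH group generated with
#   openssl dhparam -out /etc/nginx/dhparam.pem 2048   (path is an assumption)
write_sample_configs() {
    d="$1"
    cat > "$d/weak.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/site.crt;
    ssl_certificate_key /etc/nginx/site.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # ssl_dhparam is absent: the server's default DH group is used
}
EOF
    cat > "$d/hardened.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/site.crt;
    ssl_certificate_key /etc/nginx/site.key;
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   (old line, kept for comparison)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;
}
EOF
}

# Usage: ./audit_nginx_ssl.sh /etc/nginx/conf.d/*.conf
# With no arguments, run the audit against the constructed samples.
if [ $# -gt 0 ]; then
    for cfg in "$@"; do audit_nginx_ssl "$cfg"; done
else
    dir=$(mktemp -d)
    write_sample_configs "$dir"
    audit_nginx_ssl "$dir/weak.conf" || echo "$dir/weak.conf: FAIL"
    audit_nginx_ssl "$dir/hardened.conf" && echo "$dir/hardened.conf: OK"
    rm -rf "$dir"
fi
```

Run it against the live configuration after SSLfix.sh has been applied and nginx reloaded; a clean result from this audit is not a substitute for the SSL Labs test, which also exercises the cipher suites and the certificate chain.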