Articles in this section

See more

Weak 3DES ciphers are still used after using pci_compliance_resolver on Plesk server with CentOS 6

Avatar
Taras Ermoshin
Updated
Follow

Applicable to:

  • Plesk Onyx for Linux

Symptoms

Warning: The article is applicable only to Plesk servers with operating systems: CentOS 6, Red Hat Enterprise Linux 6, CloudLinux 6.

  • The utility pci_compliance_resolver was used:

    # plesk sbin pci_compliance_resolver --enable <service>

  • After that, weak 3DES ciphers are still used, for example:

    # nmap -sV --script ssl-enum-ciphers -p 993 plesk.example.com
    PORT STATE SERVICE VERSION
    993/tcp open ssl/imap Courier Imapd (released 2017)
    | ssl-enum-ciphers:
    | TLSv1.1:
    | ciphers:
    ..........
    | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
    ..........
    | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
    ..........
    | warnings:
    | 64-bit block cipher 3DES vulnerable to SWEET32 attack

    | TLSv1.2:
    | ciphers:
    ..........
    | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
    ..........
    | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
    | warnings:
    | 64-bit block cipher 3DES vulnerable to SWEET32 attack
    |_ least strength: C

Cause

The official fix from OpenSSL was differently ported by Red Hat to RHEL 6 (and thus, to CentOS 6 and other operating systems based on RHEL 6).

Because of that, 3DES ciphers are still used when the keyword HIGH is specified in the cipher list.

Plesk bug PPPM-10040 was created to remove the weak ciphers from the list set by pci_compliance_resolver. It is planned to be fixed in one of the future Plesk updates.

Resolution

Until the bug is fixed, use the following workaround:

Note: The workaround can be used only by server administrator. In case there is no administrative SSH or RDP access to the server, contact the server administrator or server provider.

  1. Connect to the server using SSH.

  2. Delete the ciphers EECDH+HIGH and HIGH from the cipher list of the corresponding service:

    sw-cp-server (special nginx for Plesk)

    # sed -i s/:HIGH:/:/ /etc/sw-cp-server/conf.d/ssl.conf && sed -i s/:EECDH+HIGH:/:/ /etc/sw-cp-server/conf.d/ssl.conf
    # service sw-cp-server reload

    nginx

    # sed -i s/:HIGH:/:/ /etc/nginx/conf.d/ssl.conf && sed -i s/:EECDH+HIGH:/:/ /etc/nginx/conf.d/ssl.conf
    # service nginx reload

    Apache

    # sed -i s/:HIGH:/:/ /etc/httpd/conf.d/ssl.conf && sed -i s/:EECDH+HIGH:/:/ /etc/httpd/conf.d/ssl.conf
    # service httpd reload

    Courier-IMAP

    # sed -i s/:HIGH:/:/ /etc/courier-imap/imapd-ssl && sed -i s/:EECDH+HIGH:/:/ /etc/courier-imap/imapd-ssl
    # service courier-imaps reload

    # sed -i s/:HIGH:/:/ /etc/courier-imap/pop3d-ssl && sed -i s/:EECDH+HIGH:/:/ /etc/courier-imap/pop3d-ssl
    # service courier-pop3s reload

    Dovecot

    # sed -i s/:HIGH:/:/ /etc/dovecot/conf.d/11-plesk-security-ssl.conf && sed -i s/:EECDH+HIGH:/:/ /etc/dovecot/conf.d/11-plesk-security-ssl.conf
    # service dovecot reload

    Postfix

    # sed -i s/:HIGH:/:/ /etc/postfix/main.cf && sed -i s/:EECDH+HIGH:/:/ /etc/postfix/main.cf
    # service postfix reload

    ProFTPd

    # sed -i s/:HIGH:/:/ /etc/proftpd.d/ssl.conf && sed -i s/:EECDH+HIGH:/:/ /etc/proftpd.d/ssl.conf

Comments

0 comments

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles