Applicable to:
- Plesk Onyx for Linux
Symptoms
Warning: The article is applicable only to Plesk servers with operating systems: CentOS 6, Red Hat Enterprise Linux 6, CloudLinux 6.
- The utility pci_compliance_resolver was used:
# plesk sbin pci_compliance_resolver --enable <service>
- After that, weak 3DES ciphers are still offered, for example:
# nmap -sV --script ssl-enum-ciphers -p 993 plesk.example.com
PORT STATE SERVICE VERSION
993/tcp open ssl/imap Courier Imapd (released 2017)
| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
..........
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
..........
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
..........
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.2:
| ciphers:
..........
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
..........
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
|_ least strength: C
Cause
The official fix from OpenSSL was ported differently by Red Hat to RHEL 6 (and thus to CentOS 6 and other operating systems based on RHEL 6). Because of that, 3DES ciphers are still enabled when the keyword HIGH is specified in the cipher list.
Plesk bug PPPM-10040 was created to remove the weak ciphers from the list set by pci_compliance_resolver. It is planned to be fixed in one of the future Plesk updates.
Resolution
Until the bug is fixed, use the following workaround:
Note: The workaround can be used only by the server administrator. If there is no administrative SSH or RDP access to the server, contact the server administrator or server provider.
- Connect to the server using SSH.
- Delete the cipher keywords EECDH+HIGH and HIGH from the cipher list of the corresponding service:
sw-cp-server (special nginx for Plesk)
# sed -i s/:HIGH:/:/ /etc/sw-cp-server/conf.d/ssl.conf && sed -i s/:EECDH+HIGH:/:/ /etc/sw-cp-server/conf.d/ssl.conf
# service sw-cp-server reload
nginx
# sed -i s/:HIGH:/:/ /etc/nginx/conf.d/ssl.conf && sed -i s/:EECDH+HIGH:/:/ /etc/nginx/conf.d/ssl.conf
# service nginx reload
Apache
# sed -i s/:HIGH:/:/ /etc/httpd/conf.d/ssl.conf && sed -i s/:EECDH+HIGH:/:/ /etc/httpd/conf.d/ssl.conf
# service httpd reload
Courier-IMAP
# sed -i s/:HIGH:/:/ /etc/courier-imap/imapd-ssl && sed -i s/:EECDH+HIGH:/:/ /etc/courier-imap/imapd-ssl
# service courier-imaps reload
# sed -i s/:HIGH:/:/ /etc/courier-imap/pop3d-ssl && sed -i s/:EECDH+HIGH:/:/ /etc/courier-imap/pop3d-ssl
# service courier-pop3s reload
Dovecot
# sed -i s/:HIGH:/:/ /etc/dovecot/conf.d/11-plesk-security-ssl.conf && sed -i s/:EECDH+HIGH:/:/ /etc/dovecot/conf.d/11-plesk-security-ssl.conf
# service dovecot reload
Postfix
# sed -i s/:HIGH:/:/ /etc/postfix/main.cf && sed -i s/:EECDH+HIGH:/:/ /etc/postfix/main.cf
# service postfix reload
ProFTPd
# sed -i s/:HIGH:/:/ /etc/proftpd.d/ssl.conf && sed -i s/:EECDH+HIGH:/:/ /etc/proftpd.d/ssl.conf
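The sed commands above only match ":HIGH:" and ":EECDH+HIGH:" when the keyword has a colon on both sides, so a keyword that is the first or last entry of a cipher list is left in place. The following helper is an added example, not part of the Plesk article: it removes both keywords from a cipher list string wherever they appear and, when an openssl binary is present, counts how many 3DES suites the resulting list still expands to. The sample cipher list is constructed for the demonstration and is not the list written by pci_compliance_resolver.

```shell
#!/bin/sh
# Added example (not Plesk's own code): strip the HIGH and EECDH+HIGH
# keywords from an OpenSSL cipher list regardless of their position,
# then check whether the local OpenSSL still expands the list to 3DES.

# Print cipher list $1 with the HIGH and EECDH+HIGH keywords removed.
# Splitting on ':' and filtering whole tokens handles the first and
# last positions that the article's ":HIGH:" sed pattern cannot match.
strip_high_keywords() {
    printf '%s\n' "$1" | tr ':' '\n' \
        | grep -v -x -e 'HIGH' -e 'EECDH+HIGH' \
        | paste -s -d ':' -
}

# Print the number of 3DES suites (OpenSSL names them *DES-CBC3*) that the
# local OpenSSL build expands cipher list $1 to, or -1 without openssl.
# On RHEL 6 builds HIGH still expands to 3DES; on modern builds it does not,
# so run this on the affected server rather than on a workstation.
count_3des_suites() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo -1
        return 0
    fi
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -c 'DES-CBC3' || true
}

# Constructed sample: HIGH sits first, where the article's sed would miss it.
SAMPLE_LIST='HIGH:EECDH+HIGH:EDH+AESGCM:AES128+EECDH:!aNULL:!MD5'
CLEANED=$(strip_high_keywords "$SAMPLE_LIST")
echo "before: $SAMPLE_LIST  (3DES suites: $(count_3des_suites "$SAMPLE_LIST"))"
echo "after:  $CLEANED  (3DES suites: $(count_3des_suites "$CLEANED"))"
```

Reload the service after writing the cleaned list back to its configuration file, then re-run the nmap ssl-enum-ciphers scan from the Symptoms section to confirm that no 3DES suites are offered.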