Articles in this section

See more

Weak 3DES ciphers are still used after using pci_compliance_resolver on Plesk server with CentOS 6

Avatar
Taras Ermoshin
Updated
Follow

Applicable to:

  • Plesk Onyx for Linux

Symptoms

Warning: The article is applicable only to Plesk servers with operating systems: CentOS 6, Red Hat Enterprise Linux 6, CloudLinux 6.

  • The utility pci_compliance_resolver was used:

    # plesk sbin pci_compliance_resolver --enable <service>

  • After that, weak 3DES ciphers are still used, for example:

    # nmap -sV --script ssl-enum-ciphers -p 993 plesk.example.com
    PORT STATE SERVICE VERSION
    993/tcp open ssl/imap Courier Imapd (released 2017)
    | ssl-enum-ciphers:
    | TLSv1.1:
    | ciphers:
    ..........
    | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
    ..........
    | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
    ..........
    | warnings:
    | 64-bit block cipher 3DES vulnerable to SWEET32 attack

    | TLSv1.2:
    | ciphers:
    ..........
    | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
    ..........
    | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
    | warnings:
    | 64-bit block cipher 3DES vulnerable to SWEET32 attack
    |_ least strength: C

Cause

The official fix from OpenSSL was differently ported by Red Hat to RHEL 6 (and thus, to CentOS 6 and other operating systems based on RHEL 6).

Because of that, 3DES ciphers are still used when the keyword HIGH is specified in the cipher list.

Plesk bug PPPM-10040 was created to remove the weak ciphers from the list set by pci_compliance_resolver. It is planned to be fixed in one of the future Plesk updates.

Resolution

Until the bug is fixed, use the following workaround:

  1. Connect to the server using SSH.

  2. Delete the ciphers EECDH+HIGH and HIGH from the cipher list of the corresponding service:

    sw-cp-server (special nginx for Plesk)

    # sed -i s/:HIGH:/:/ /etc/sw-cp-server/conf.d/ssl.conf && sed -i s/:EECDH+HIGH:/:/ /etc/sw-cp-server/conf.d/ssl.conf
    # service sw-cp-server reload

    nginx

    # sed -i s/:HIGH:/:/ /etc/nginx/conf.d/ssl.conf && sed -i s/:EECDH+HIGH:/:/ /etc/nginx/conf.d/ssl.conf
    # service nginx reload

    Apache

    # sed -i s/:HIGH:/:/ /etc/httpd/conf.d/ssl.conf && sed -i s/:EECDH+HIGH:/:/ /etc/httpd/conf.d/ssl.conf
    # service httpd reload

    Courier-IMAP

    # sed -i s/:HIGH:/:/ /etc/courier-imap/imapd-ssl && sed -i s/:EECDH+HIGH:/:/ /etc/courier-imap/imapd-ssl
    # service courier-imaps reload

    # sed -i s/:HIGH:/:/ /etc/courier-imap/pop3d-ssl && sed -i s/:EECDH+HIGH:/:/ /etc/courier-imap/pop3d-ssl
    # service courier-pop3s reload

    Dovecot

    # sed -i s/:HIGH:/:/ /etc/dovecot/conf.d/11-plesk-security-ssl.conf && sed -i s/:EECDH+HIGH:/:/ /etc/dovecot/conf.d/11-plesk-security-ssl.conf
    # service dovecot reload

    Postfix

    # sed -i s/:HIGH:/:/ /etc/postfix/main.cf && sed -i s/:EECDH+HIGH:/:/ /etc/postfix/main.cf
    # service postfix reload

    ProFTPd

    # sed -i s/:HIGH:/:/ /etc/proftpd.d/ssl.conf && sed -i s/:EECDH+HIGH:/:/ /etc/proftpd.d/ssl.conf

Comments

0 comments

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles