Protecting Plesk 12.5 from Logjam TLS Diffie-Hellman vulnerability

I have already covered securing Plesk against weak Diffie-Helman and the Logjam Attack in a previous post. So, when setting up a new server running Plesk where better to look than my own blog to remember how to do it?

I started following the instructions but quickly hit a snag when I started modifying the custom files I had set up. The files I had copied over to the custom folders looked quite different to the ones I had modified before.

It became obvious that Plesk 12.0 has a different Nginx configuration set up. After some searching on Google I came across this post from the vendors of Plesk which provided a patch and instructions on how to apply it. Given that Plesk 12.5 appears to be more secure with TLS 1.2 enabled by default I went along with the instructions.

All seemed to have gone well but according to Qualys SSL labs server test the server was still vulnerable to this attack.

After a bit of digging around I managed to locate the ssl.conf file which contained the SSL configuration for me to edit and so I tried applying my previous solution but in a different location and lo and behold, it worked! Now I've managed an A grade in security for the new server running Plesk 12.5.

Here are the steps I took. First of all I navigated to /etc/nginx/ and ran the following command:

# openssl dhparam -out dhparam.pem 4096

Then I navigated to /etc/nginx/conf.d where I found the file ssl.conf (if it isn't there just create it yourself as every .conf file in the conf.d folder is included in the Nginx configuration). I opened ssl.conf and found the following lines:

ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

And replaced them with:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;

*** again, a note of caution on the ciphers used above: I have used the ciphers for intermediate compatibility as found on Mozilla's website. Your needs for compatibility may be different so choose the cipher appropriate to your needs. Also security requirements are constantly changing so you will need to review them periodically ***

Finally the following commands were run to reconfigure and reload nginx:

# /usr/local/psa/admin/bin/httpdmng --reconfigure-all
# nginx -s reload

In the end it was quite straightforward and a bit quicker to implement than for the previous version of Plesk.

The above doesn't update the Plesk control panel ciphers, only on the virtual hosts. To do this I followed the instructions for meeting PCI DSS requirements using the ciphers above. The only snag I came across was that the file pci-compliance.conf didn't exist. Presumably things have changed in Plesk 12.5 because I found the ciphers in /etc/sw-cp-server/conf.d/ssl.conf. I changed them there and it worked, the Plesk panel no longer uses weak ciphers.


comments powered by Disqus