It is necessary to keep security of HTTPS servers adequate to modern threats. Because new breaches and weaknesses in cryptographic algorithms and protocols are constantly discovered. Moreover, default settings of web servers and operating systems not always provide acceptable level of SSL/TLS security.
Most critical vulnerabilities are fixed in Plesk microupdates. Make sure that you have latest Plesk microupdates installed.
Please refer KB article #9294 for more information about using microupdates in Plesk.
Testing SSL/TLS Security
The best and preferred way to assess security of SSL configuration of the web server is to use Qualys SSL Labs' test: https://www.ssllabs.com/ssltest. The mark A denote reasonably good security level. Scores lower than B require appropriate mitigation steps.
The table below lists known vulnerabilities and KB articles with their explanations and fixes.
|Vulnerability||KB article with fix|
|CVE-2014-0224: Security vulnerability in OpenSSL||#121916|
|CVE-2014-3566: POODLE attack exploiting SSL 3.0 fallback||#123160|
|CVE-2015-4000: LOGJAM TLS DH vulnerability||#125741|
Apply the script on test environment first. Contact Odin Technical Support in case of any arising issues.
The script fixes CVE-2014-3566 and CVE-2015-4000 vulnerabilities, but it requires an OpenSSL version 1.0.1 and higher, because earlier versions do not have TLS v1.1 and TLS v1.2 support.
# wget http://kb.plesk.com/Attachments/kcs-51784/SSLfix.zip # unzip SSLfix.zip # chmod +x SSLfix.sh # ./SSLfix.sh [v3|dh] [service name like apache, nginx]
Without arguments it will patch all services configuration for SSLv3 (Poodle) and weak DH (Logjam):
SERVICES: apache nginx postfix courier dovecot proftpd cp_server qmail