Solved

Generate CSR on Plesk 9.5.3 CentOS server

Posted on 2014-01-27
Last Modified: 2014-01-28
Hi, I run a small website on an old Plesk 9.5 server (CentOS).

When I request the CSR through Plesk, the resulting cert seems to be configured in such a way that most SSL tests find it unacceptable.

Is there a way to bypass Plesk and create my CSR with the proper settings from the CentOS shell for my domain name? My CentOS version is below:

LSB Version:      :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID:      CentOS
Description:      CentOS release 5.5 (Final)
Release:      5.5
Codename:      Final

Apache/2.2.3 (CentOS) (Aug 30 2010 12:32:08)

OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
built on: Wed Dec 15 10:27:47 EST 2010
platform: linux-elf
options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -I/usr/kerberos/include -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -Wa,--noexecstack -DOPENSSL_USE_NEW_FUNCTIONS -fno-strict-aliasing -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  padlock dynamic

This server has several other virtual hosts hosted on it, but multiple IP addresses.

Here is the result from the Qualys SSL test:

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
This server does not mitigate the CRIME attack. Grade capped to B.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.

Configuration

Protocols
TLS 1.2	No
TLS 1.1	 No
TLS 1.0	 Yes
SSL 3	Yes
SSL 2   INSECURE	Yes


Cipher Suites (sorted by strength; the server has no preference)
SSL_CK_RC4_128_EXPORT40_WITH_MD5 (0x20080)   INSECURE	40
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080)   INSECURE	40
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK	40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK	40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK	40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK	40
SSL_CK_DES_64_CBC_WITH_MD5 (0x60040)   INSECURE	56
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK	56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK	56
SSL_CK_RC4_128_WITH_MD5 (0x10080)   INSECURE	128
SSL_CK_RC2_128_CBC_WITH_MD5 (0x30080)   INSECURE	128
TLS_RSA_WITH_RC4_128_MD5 (0x4)	128
TLS_RSA_WITH_RC4_128_SHA (0x5)	128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)	128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS	128
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (0x700c0)   INSECURE	112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)	112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS	112
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)	256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS	256

Question by:sk391
6 Comments
 
LVL 7

Expert Comment

by:Milind Koyande
ID: 39811331
Can you please write down the steps you follow to generate CSR for the domain?
0
 
LVL 1

Author Comment

by:sk391
ID: 39811343
Yes sure, I just go into my Plesk GUI, and I choose "Generate CSR", and enter the certificate information.

I am wondering if it's a problem with Plesk being too old, or just that it's better to request the certificate through the openssl command line?

Thank you
0
 
LVL 7

Accepted Solution

by:
Milind Koyande earned 250 total points
ID: 39811349
Can you please follow the steps given at http://www.alphassl.com/support/create-csr/plesk.html ?
0
 
LVL 1

Author Comment

by:sk391
ID: 39811358
Thank you, this is what I have done, and I am getting the above results from the SSL test.

It has been installed successfully, but the cipher suites supported and the configuration are insecure.

I guess Plesk in the background utilizes openssl to generate the cert, so it might just be a problem of my old version?
0
 
LVL 13

Assisted Solution

by:LinuxGuru
LinuxGuru earned 250 total points
ID: 39814218
Greetings,

There is no such known problem when a CSR is generated from Plesk. Could you please test the SSL at the following URL and provide the results?

http://www.digicert.com/help/

OR

http://www.sslshopper.com/ssl-checker.html

Thank you!
0
 
LVL 1

Author Comment

by:sk391
ID: 39815699
Thank you, it seems OK, even though the Qualys SSL test shows some vulnerabilities because of supported cipher suites.
0
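
Added example, not part of the original thread: generating the key and CSR directly with `openssl` from the shell, as the question asks, and checking what the request actually contains. A CSR carries only the subject, the public key and a signature, so the protocol and cipher-suite findings in the Qualys report come from the web server's TLS settings (on Apache, mod_ssl's `SSLProtocol` and `SSLCipherSuite` directives), not from how the CSR was made. The hostname and subject fields are placeholders, and the installed `openssl` is assumed to accept `-sha256`.

```shell
#!/bin/bash
# Added example (not from the thread). Hostname and subject fields are placeholders.

# make_csr <hostname> <outdir>: write <hostname>.key and <hostname>.csr
make_csr() {
    host=$1; dir=$2
    # Create the key in a subshell with a tight umask so only the owner can read it.
    ( umask 077; openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null ) || return 1
    # SHA-256-signed request; -subj supplies the subject without interactive prompts.
    openssl req -new -sha256 -key "$dir/$host.key" \
        -subj "/C=US/ST=Example State/L=Example City/O=Example Org/CN=$host" \
        -out "$dir/$host.csr" 2>/dev/null || return 1
}

# check_csr <hostname> <dir>: succeed only if the CSR parses and self-verifies,
# belongs to the key on disk, has a 2048-bit key and a SHA-256 signature.
check_csr() {
    host=$1; dir=$2
    text=$(openssl req -in "$dir/$host.csr" -noout -text -verify 2>/dev/null) || return 1
    # The CSR and the private key must share the same RSA modulus.
    key_mod=$(openssl rsa -in "$dir/$host.key" -noout -modulus 2>/dev/null)
    csr_mod=$(openssl req -in "$dir/$host.csr" -noout -modulus 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ] || return 1
    printf '%s\n' "$text" | grep -q '(2048 bit)' || return 1
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
}

# Stand-alone use: ./csr.sh www.example.com /root/ssl
if [ "$#" -eq 2 ]; then
    make_csr "$1" "$2" && check_csr "$1" "$2" && echo "CSR ready: $2/$1.csr"
fi
```

The `.csr` file is what gets submitted to the certificate authority; the `.key` file stays on the server.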

Question has a verified solution.