  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 940

Generate CSR on Plesk 9.5.3 CentOS server

Hi, I run a small website on an old Plesk 9.5 server (CentOS).

When I request the CSR through Plesk, the resulting cert seems to be configured in such a way that most SSL tests find it unacceptable.

Is there a way to bypass Plesk and create my CSR with the proper settings from the CentOS shell for my domain name? My CentOS version is below:

LSB Version:      :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID:      CentOS
Description:      CentOS release 5.5 (Final)
Release:      5.5
Codename:      Final

Apache/2.2.3 (CentOS) (Aug 30 2010 12:32:08)

OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
built on: Wed Dec 15 10:27:47 EST 2010
platform: linux-elf
options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -I/usr/kerberos/include -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -Wa,--noexecstack -DOPENSSL_USE_NEW_FUNCTIONS -fno-strict-aliasing -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  padlock dynamic

This server has several other virtual hosts hosted in it, but multiple IP addresses.

Here is the result from the Qualys SSL test:

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
This server does not mitigate the CRIME attack. Grade capped to B.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.

Configuration

Protocols
TLS 1.2	No
TLS 1.1	 No
TLS 1.0	 Yes
SSL 3	Yes
SSL 2   INSECURE	Yes


Cipher Suites (sorted by strength; the server has no preference)
SSL_CK_RC4_128_EXPORT40_WITH_MD5 (0x20080)   INSECURE	40
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080)   INSECURE	40
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK	40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK	40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK	40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK	40
SSL_CK_DES_64_CBC_WITH_MD5 (0x60040)   INSECURE	56
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK	56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK	56
SSL_CK_RC4_128_WITH_MD5 (0x10080)   INSECURE	128
SSL_CK_RC2_128_CBC_WITH_MD5 (0x30080)   INSECURE	128
TLS_RSA_WITH_RC4_128_MD5 (0x4)	128
TLS_RSA_WITH_RC4_128_SHA (0x5)	128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)	128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS	128
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (0x700c0)   INSECURE	112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)	112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS	112
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)	256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS	256

Milind Koyande Commented:
Can you please write down the steps you follow to generate CSR for the domain?
 
sk391 (Author) Commented:
Yes sure, I just go into my Plesk GUI, and I choose "Generate CSR", and enter the certificate information.

I am wondering if it's a problem with Plesk being too old, or just that it's better to request the certificate through the openssl command line?

Thank you
 
Milind Koyande Commented:
Can you please follow the steps given at http://www.alphassl.com/support/create-csr/plesk.html ?
 
sk391 (Author) Commented:
Thank you, this is what I have done, and I am getting the above results from the SSL test.

It has been installed successfully, but the cipher suites supported and the configuration are insecure.

I guess Plesk in the background utilizes openssl to generate the cert, so it might just be a problem of my old version?
 
LinuxGuru (Linux Server Administrator) Commented:
Greetings,

There is no such known problem when CSR is generated from Plesk. Could you please test the SSL at the following url and provide the results?

http://www.digicert.com/help/

OR

http://www.sslshopper.com/ssl-checker.html

Thank you!
 
sk391 (Author) Commented:
Thank you, it seems OK, even though the Qualys SSL test shows some vulnerabilities because of supported cipher suites.
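
The shell route asked about in the question, as an added example that is not part of the original thread: it creates a key and CSR with `openssl req`, then checks the CSR's key size, signature algorithm, self-signature and that it matches the private key. A CSR carries only a subject and a public key; the protocol and cipher-suite findings in the SSL test come from the web server's TLS configuration. The name `example.com`, the subject fields and the output directory are placeholder assumptions.

```shell
#!/bin/sh
# Added example: generate and inspect a CSR from the shell, bypassing the panel.
# The domain, subject fields and directory are placeholders (assumptions).

# make_csr <common-name> <dir>: new 2048-bit RSA key plus SHA-256-signed CSR.
make_csr() {
    (
        umask 077   # private key readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/C=US/ST=State/L=City/O=Example Org/CN=$1" \
            -keyout "$2/$1.key" -out "$2/$1.csr" 2>/dev/null
    )
}

# Human-readable dump of everything the CSR contains.
csr_text() { openssl req -in "$1" -noout -text; }

# Key size in bits; the label wording differs between OpenSSL releases.
csr_key_bits() {
    csr_text "$1" | sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Algorithm used to sign the request (for example sha256WithRSAEncryption).
csr_sig_alg() {
    csr_text "$1" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# The CSR is signed with its own key; match on the message, since the
# exit status of -verify is not consistent across OpenSSL releases.
csr_self_sig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# key_matches_csr <key> <csr>: compare RSA moduli so the issued certificate
# will pair with the key that gets installed on the server.
key_matches_csr() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl req -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-alone use: sh make_csr.sh example.com /path/to/dir
if [ "$#" -ge 1 ]; then
    make_csr "$1" "${2:-.}" && csr_text "${2:-.}/$1.csr"
fi
```
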