Solved

Generate CSR on Plesk 9.5.3 CentOS server

Posted on 2014-01-27
Last Modified: 2014-01-28
Hi, I run a small website on an old Plesk 9.5 server (CentOS).

When I request the CSR through Plesk, the resulting cert seems to be configured in such a way that most SSL tests find it unacceptable.

Is there a way to bypass Plesk and create my CSR with the proper settings from the CentOS shell for my domain name? My CentOS version is below:

LSB Version:      :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID:      CentOS
Description:      CentOS release 5.5 (Final)
Release:      5.5
Codename:      Final

Apache/2.2.3 (CentOS) (Aug 30 2010 12:32:08)

OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
built on: Wed Dec 15 10:27:47 EST 2010
platform: linux-elf
options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -I/usr/kerberos/include -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -Wa,--noexecstack -DOPENSSL_USE_NEW_FUNCTIONS -fno-strict-aliasing -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  padlock dynamic

This server has several other virtual hosts hosted on it, but multiple IP addresses.

Here is the result from the Qualys SSL test:

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
This server does not mitigate the CRIME attack. Grade capped to B.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.

Configuration

Protocols
TLS 1.2	No
TLS 1.1	 No
TLS 1.0	 Yes
SSL 3	Yes
SSL 2   INSECURE	Yes


Cipher Suites (sorted by strength; the server has no preference)
SSL_CK_RC4_128_EXPORT40_WITH_MD5 (0x20080)   INSECURE	40
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080)   INSECURE	40
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK	40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK	40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK	40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK	40
SSL_CK_DES_64_CBC_WITH_MD5 (0x60040)   INSECURE	56
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK	56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK	56
SSL_CK_RC4_128_WITH_MD5 (0x10080)   INSECURE	128
SSL_CK_RC2_128_CBC_WITH_MD5 (0x30080)   INSECURE	128
TLS_RSA_WITH_RC4_128_MD5 (0x4)	128
TLS_RSA_WITH_RC4_128_SHA (0x5)	128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)	128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS	128
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (0x700c0)   INSECURE	112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)	112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS	112
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)	256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS	256

Question by:sk391
LVL 7

Expert Comment

by:Milind Koyande
ID: 39811331
Can you please write down the steps you follow to generate CSR for the domain?
LVL 1

Author Comment

by:sk391
ID: 39811343
Yes sure, I just go into my Plesk GUI, choose "Generate CSR", and enter the certificate information.

I am wondering if it's a problem with Plesk being too old, or just that it's better to request the certificate through the openssl command line?

Thank you
LVL 7

Accepted Solution

by:
Milind Koyande earned 250 total points
ID: 39811349
Can you please follow the steps given at http://www.alphassl.com/support/create-csr/plesk.html ?
LVL 1

Author Comment

by:sk391
ID: 39811358
Thank you, this is what I have done, and I am getting the above results from the SSL test.

It has been installed successfully, but the cipher suites supported and the configuration are insecure.

I guess Plesk in the background utilizes openssl to generate the cert, so it might just be a problem of my old version?
LVL 13

Assisted Solution

by:LinuxGuru
LinuxGuru earned 250 total points
ID: 39814218
Greetings,

There is no such known problem when a CSR is generated from Plesk. Could you please test the SSL at the following URL and provide the results?

http://www.digicert.com/help/

OR

http://www.sslshopper.com/ssl-checker.html

Thank you!
LVL 1

Author Comment

by:sk391
ID: 39815699
Thank you, it seems OK, even though the Qualys SSL test shows some vulnerabilities because of supported cipher suites.
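
What the question asks for, as an added example that is not part of the original thread: creating the key and CSR from the shell with openssl req, then checking what the request actually contains. The domain example.com, the subject fields and the function names are placeholders chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: create a key and CSR with the openssl CLI, then inspect the CSR.
# example.com and the subject fields are placeholders, not values from the thread.

make_csr() {            # usage: make_csr <dir> <common-name>
    local dir=$1 cn=$2
    ( umask 077         # keep the private key readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -keyout "$dir/$cn.key" -out "$dir/$cn.csr" \
          -subj "/C=US/ST=State/L=City/O=Example Org/CN=$cn" ) 2>/dev/null
}

csr_key_bits() {        # public key size recorded in the CSR
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

csr_sig_alg() {         # algorithm used to self-sign the request
    openssl req -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

csr_self_sig_ok() {     # the request must verify against its own public key
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

csr_matches_key() {     # usage: csr_matches_key <csr> <key>
    local a b
    a=$(openssl req -in "$1" -noout -modulus 2>/dev/null) || return 1
    b=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

demo() {
    local d; d=$(mktemp -d) || return 1
    make_csr "$d" example.com || { rm -rf "$d"; return 1; }
    echo "key bits:  $(csr_key_bits "$d/example.com.csr")"
    echo "signature: $(csr_sig_alg "$d/example.com.csr")"
    csr_self_sig_ok "$d/example.com.csr" && echo "self-signature: OK"
    csr_matches_key "$d/example.com.csr" "$d/example.com.key" && echo "CSR matches key"
    # Print the dump without its hex lines: subject, public key, attributes and
    # signature are all a CSR holds; it has no field for protocols or ciphers.
    openssl req -in "$d/example.com.csr" -noout -text | grep -v '^ *[0-9a-f]\{2\}:'
    rm -rf "$d"
}
demo
```

The protocol and cipher findings quoted in the question (SSL 2, export ciphers, no TLS 1.2) describe the web server's TLS configuration, which in Apache is set by mod_ssl's SSLProtocol and SSLCipherSuite directives, so a regenerated CSR or certificate leaves them unchanged.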