Solved

Generate CSR on Plesk9.5.3 CentOS server

Posted on 2014-01-27
Last Modified: 2014-01-28
Hi, I run a small website on an old Plesk 9.5 server (CentOS).

When I request the CSR through Plesk, the resulting cert seems to be configured in such a way that most SSL tests find it unacceptable.

Is there a way to bypass Plesk and create my CSR with the proper settings from the CentOS shell for my domain name? My CentOS version is below:

LSB Version:      :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID:      CentOS
Description:      CentOS release 5.5 (Final)
Release:      5.5
Codename:      Final

Apache/2.2.3 (CentOS) (Aug 30 2010 12:32:08)

OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
built on: Wed Dec 15 10:27:47 EST 2010
platform: linux-elf
options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -I/usr/kerberos/include -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -Wa,--noexecstack -DOPENSSL_USE_NEW_FUNCTIONS -fno-strict-aliasing -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  padlock dynamic

This server has several other virtual hosts hosted on it, but multiple IP addresses.

Here is the result from the Qualys SSL test:

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
This server does not mitigate the CRIME attack. Grade capped to B.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.

Configuration

Protocols
TLS 1.2	No
TLS 1.1	 No
TLS 1.0	 Yes
SSL 3	Yes
SSL 2   INSECURE	Yes


Cipher Suites (sorted by strength; the server has no preference)
SSL_CK_RC4_128_EXPORT40_WITH_MD5 (0x20080)   INSECURE	40
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080)   INSECURE	40
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK	40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK	40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK	40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK	40
SSL_CK_DES_64_CBC_WITH_MD5 (0x60040)   INSECURE	56
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK	56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK	56
SSL_CK_RC4_128_WITH_MD5 (0x10080)   INSECURE	128
SSL_CK_RC2_128_CBC_WITH_MD5 (0x30080)   INSECURE	128
TLS_RSA_WITH_RC4_128_MD5 (0x4)	128
TLS_RSA_WITH_RC4_128_SHA (0x5)	128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)	128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS	128
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (0x700c0)   INSECURE	112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)	112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS	112
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)	256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS	256

Question by:sk391
6 Comments
 
LVL 7

Expert Comment

by:Milind Koyande
ID: 39811331
Can you please write down the steps you follow to generate the CSR for the domain?
0
 
LVL 1

Author Comment

by:sk391
ID: 39811343
Yes, sure. I just go into my Plesk GUI, choose "Generate CSR", and enter the certificate information.

I am wondering if it's a problem with Plesk being too old, or just that it's better to request the certificate through the openssl command line?

Thank you
0
 
LVL 7

Accepted Solution

by:
Milind Koyande earned 250 total points
ID: 39811349
Can you please follow the steps given at http://www.alphassl.com/support/create-csr/plesk.html ?
0
 
LVL 1

Author Comment

by:sk391
ID: 39811358
Thank you, this is what I have done, and I am getting the above results from the SSL test.

It has been installed successfully, but the cipher suites supported and the configuration are insecure.

I guess Plesk utilizes openssl in the background to generate the cert, so it might just be a problem of my old version?
0
 
LVL 13

Assisted Solution

by:LinuxGuru
LinuxGuru earned 250 total points
ID: 39814218
Greetings,

There is no such known problem when a CSR is generated from Plesk. Could you please test the SSL at the following URL and provide the results?

http://www.digicert.com/help/

OR

http://www.sslshopper.com/ssl-checker.html

Thank you!
0
 
LVL 1

Author Comment

by:sk391
ID: 39815699
Thank you, it seems OK, even though the Qualys SSL test shows some vulnerabilities because of supported cipher suites.
0
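
For the question's request to create the CSR from the CentOS shell, an added example (not part of the original thread) that generates a 2048-bit RSA key and a SHA-256-signed CSR with the openssl command line and then checks what the request contains. The domain example.com, the subject fields, the output directory and the script name are placeholders, and it assumes the local openssl build accepts -sha256.

```shell
#!/bin/sh
# Added example: create a key and CSR with the openssl CLI, then check them.
# example.com, the subject fields and the output directory are placeholders.

# generate_csr DOMAIN OUTDIR -> writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.csr
generate_csr() (
    domain=$1; outdir=$2
    umask 077                          # key file readable by its owner only
    mkdir -p "$outdir" || exit 1
    # 2048-bit RSA key; the ( ) subshell keeps the umask change local.
    openssl genrsa -out "$outdir/$domain.key" 2048 2>/dev/null || exit 1
    # -sha256 selects the digest used to sign the request
    # (assumption: the local openssl build accepts this option).
    openssl req -new -sha256 -key "$outdir/$domain.key" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$domain" \
        -out "$outdir/$domain.csr"
)

# Key size recorded in the CSR ("Public-Key:" or "RSA Public Key:" by version).
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# Signature algorithm of the request, e.g. sha256WithRSAEncryption.
csr_sig_alg() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Signature Algorithm: *//p' | head -n 1
}

# True when the CSR's self-signature verifies.
csr_self_signed_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# True when the CSR was made from this private key (same RSA modulus).
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -noout -modulus)" ]
}

# Usage: sh make-csr.sh example.com ./csr-out
if [ "$#" -ge 2 ]; then
    generate_csr "$1" "$2" && f="$2/$1" &&
    echo "key bits: $(csr_key_bits "$f.csr"), signature: $(csr_sig_alg "$f.csr")" &&
    csr_self_signed_ok "$f.csr" && csr_matches_key "$f.csr" "$f.key" &&
    echo "CSR verifies and matches $f.key"
fi
```

The CSR fixes only the subject, the public key and the request's signature hash; the SSL 2, export-cipher and TLS-version findings in the scan above describe the server's protocol and cipher configuration, which a new CSR does not change.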
