Solved

Generate CSR on Plesk9.5.3 CentOS server

Posted on 2014-01-27
6
891 Views
Last Modified: 2014-01-28
Hi, I run a small website on an old plesk 9.5 server (CentOS)

When I request the CSR through Plesk, the resulting cert seems to be configured in such a way that most SSL tests find it unacceptable.

Is there a way to bypass Plesk and create my CSR with the proper settings from CentOS shell for my domain name? My CentOS version is the below

LSB Version:      :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID:      CentOS
Description:      CentOS release 5.5 (Final)
Release:      5.5
Codename:      Final

Apache/2.2.3 (CentOS) (Aug 30 2010 12:32:08)

OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
built on: Wed Dec 15 10:27:47 EST 2010
platform: linux-elf
options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -I/usr/kerberos/include -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -Wa,--noexecstack -DOPENSSL_USE_NEW_FUNCTIONS -fno-strict-aliasing -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  padlock dynamic

This server has several other virtual hosts hosted in it, but multiple IP addresses

Here is the result from Qualsys SSL test:

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
This server does not mitigate the CRIME attack. Grade capped to B.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.  MORE INFO »

Configuration

Protocols
TLS 1.2	No
TLS 1.1	 No
TLS 1.0	 Yes
SSL 3	Yes
SSL 2   INSECURE	Yes


Cipher Suites (sorted by strength; the server has no preference)
SSL_CK_RC4_128_EXPORT40_WITH_MD5 (0x20080)   INSECURE	40
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080)   INSECURE	40
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK	40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK	40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK	40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK	40
SSL_CK_DES_64_CBC_WITH_MD5 (0x60040)   INSECURE	56
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK	56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK	56
SSL_CK_RC4_128_WITH_MD5 (0x10080)   INSECURE	128
SSL_CK_RC2_128_CBC_WITH_MD5 (0x30080)   INSECURE	128
TLS_RSA_WITH_RC4_128_MD5 (0x4)	128
TLS_RSA_WITH_RC4_128_SHA (0x5)	128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)	128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS	128
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (0x700c0)   INSECURE	112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)	112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS	112
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)	256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS	256

Open in new window

0
Comment
Question by:sk391
  • 3
  • 2
6 Comments
 
LVL 7

Expert Comment

by:Milind Koyande
Comment Utility
Can you please write down the steps you follow to generate CSR for the domain?
0
 
LVL 1

Author Comment

by:sk391
Comment Utility
Yes sure, I just go into my plesk gui, and I choose "Generate CSR", and enter the certificate information.

I am wondering if it's a problem with Plesk being too old, or just that it's better to request the certificate thorough the openssl commandline?

Thank you
0
 
LVL 7

Accepted Solution

by:
Milind Koyande earned 250 total points
Comment Utility
Can you please follow the steps given at http://www.alphassl.com/support/create-csr/plesk.html ?
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 1

Author Comment

by:sk391
Comment Utility
thank you, this is what i have done, and i am getting the above results from the ssl test.

it has been installed successfully but the cipher suites supported and the configuration is insecure.

I guess plesk in the background utilizes openssl to generate the cert, so it might just be a problem of my old version?
0
 
LVL 13

Assisted Solution

by:LinuxGuru
LinuxGuru earned 250 total points
Comment Utility
Greetings,

There is no such known problem when CSR is generated from Plesk. Could you please test the SSL at the following url and provide the results?

http://www.digicert.com/help/

OR

http://www.sslshopper.com/ssl-checker.html

Thank you!
0
 
LVL 1

Author Comment

by:sk391
Comment Utility
Thank you it seems OK, even though Qualsys SSL test shows some vulnerabilities because of supported cipher suites.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Imagine a situation that you have installed SSL (http://en.wikipedia.org/wiki/Secure_Sockets_Layer) Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now