steering allowed SSLCiphers (negative >noCBC; positive >only GCM) for all System-layers (mail, Plesk-Login, Apache, Nginx) via Plesk
Optimizing the Quality of SSL-/TLS-Encryption at Plesk-driven Servers is very complicated...
... while the importance of a high-level encryption - not only since Edward Snowden - is of considerable importance.
http://www.kuketz-blog.de/nsa-abhoersichere-ssl-verschluesselung-fuer-apache-und-nginx/ (best article / only available in german)
Please implement the possibility for defining/steering not/allowed Ciphers and not/allowed SSL-protocols directly via PleskPanel.
This function should include ALL System-layers like: mail, webmail, Plesk-Login, SSH, PHP- or JAVA-Apps/Tomcat, Apache, Nginx, ...
THANK YOU VERY MUCH
Over the course of nine years this feature request has only received a handful of votes - although we had merged it with a similar request to get the full number of votes for both. We basically understand the need for top level security, but this feature seems not to be popular among users.
Even the rather extreme kuketz-blog article says: "The technology for protection against spying is available – but hardly anyone uses it." which is another indication that hardly anyone is interested in specific configurations that harden servers to the extent where powerful players have difficulties reading traffic.
Plesk allows using a "perfect security" configuration, but it seems that only very few individuals are actually interested in it and understand why this can make sense in some cases. As a responsible administrator who wants to provide perfect security to users you can implement it into your server along with Plesk today already. Implementing an interface for managing such configurations is a big effort, while we see very little interest from users in actually using such configuration options.
It is also a big question, if a typical web hoster's customer needs such a high level of encryption for example for running a shop website, a forum or the typical mass business website.
This brought us to the conclusion that this request has to be declined for now. Should new developments become known or users start developing more interest in security hardening and management, we'll be happy to review this topic again.
I already did it by manually editing configs! But do it for evearyone ;)
John A. shiells commented
there should be some UI for enabling PCI compliance, and the new "advisor" extension should also be checking for this stuff
Christian Heutger commented
For the first step would be great to automatically apply:
plesk sbin sslmng -vvv --strong-dh --dhparams-size=2048
plesk sbin sslmng --ciphers="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA" --protocols="TLSv1.2" --services="proftpd sw-cp-server nginx apache autoinstaller dovecot" --custom -vvv
Also such settings should be possible, without changing different config-files:
Alan Shea commented
managing cipher suites would be enormously helpful.
Christian Heutger commented
Similar PCI settings should be manageable centralized