Default Cipher List with CentOS 7 and Plesk Onyx

QuotesUK
Posts: 3
Joined: 2018/07/30 17:17:17

Default Cipher List with CentOS 7 and Plesk Onyx

Post by QuotesUK » 2018/07/30 17:27:13

Please can someone tell me what the default cipher list is for CentOS 7 and Plesk Onyx?

I am currently using CentOS 6 with Plesk Onyx with 'insecure' ciphers removed.

I know that this question may depend on other factors such as OpenSSL, etc., but what I am trying to find out is what my starting out situation may be, and whether I need to ask my new hosting provider to remove any ciphers (which may involve an extra cost). It would also be useful to know whether any newer ciphers are also available such as ChaChaPoly etc.

If anyone has a fresh CentOS 7 and Plesk Onyx installation and hasn’t modified the cipher list please can you visit https://www.ssllabs.com/ssltest/analyze.html and see what you have installed.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Default Cipher List with CentOS 7 and Plesk Onyx

Post by avij » 2018/07/30 19:53:11

The default cipher list is very likely more dependent on Plesk than CentOS. You should probably ask this on Plesk support forums instead.

QuotesUK
Posts: 3
Joined: 2018/07/30 17:17:17

Re: Default Cipher List with CentOS 7 and Plesk Onyx

Post by QuotesUK » 2018/07/30 20:59:46

I apologise for not knowing all the dependencies but after upgrading Plesk to Onyx my server emerged with an explanation that Apache, as part of CentOS 6, was left at an older version, and as such incapable of support for HTTP/2 or newer ciphers (although you can get HTTP/2 with an nginx workaround). And now I have to change hardware to get CentOS 7.

I do realise that neither Plesk nor CentOS directly specify the cipher list. However various packages get bundled together, so CentOS 7 should come with a particular version of Apache, OpenSSL, etc. I think I am far more likely to come across someone with a CentOS7-Plesk combination on these forums than in Plesk forums or elsewhere and would appreciate it if the moderating team would be tolerant of my request to help me. Also, I am fairly sure there are others who may be upgrading to 7 at some point and want to know the same info.

Of course we may get there in a roundabout way, by saying CentOS 7 is packaged with certain Apache or OpenSSL, then that could provide the same answer, namely if you have a fresh install of CentOS 7 then what ciphers are specified at the outset. For anyone with a fresh installation this info should be easy to discover. I hope this topic will be kept open but if I find the answer somewhere else I will come back and update you.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Default Cipher List with CentOS 7 and Plesk Onyx

Post by avij » 2018/07/30 22:06:38

The default CentOS config has this (from mod_ssl-2.4.6-80.el7.centos.x86_64.rpm):

SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

You should be able to get better answers if you ask this from Plesk. We support what we ship, and Plesk is a third party product, which can have different defaults than what is in CentOS.

If you want to change the available ciphers then that is definitely a Plesk issue. Plesk has likely some point&click interface for this task. So perhaps head to Plesk directly with this issue?
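Added example, not part of either poster's reply: an SSLCipherSuite value is a selector string, and `openssl ciphers -v` expands it into the individual suites the local OpenSSL build will offer, which can then be filtered for legacy ones. The function names and the sample lines (constructed in `openssl ciphers -v` format) are assumptions; the cipher string is the one quoted in the post above.

```shell
#!/bin/sh
# Added example: expand an Apache SSLCipherSuite string and flag legacy suites.
# Function names are hypothetical; the cipher string is the one quoted above.

CIPHER_STRING='HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA'

# expand_ciphers STRING: list every suite the local OpenSSL selects for STRING,
# one per line. The result depends on the OpenSSL version and build options.
expand_ciphers() {
    openssl ciphers -v "$1"
}

# flag_legacy: read "openssl ciphers -v" lines on stdin and print the suites
# that use 3DES, RC4 or single DES, an MD5 MAC, or no authentication,
# followed by the field(s) that triggered the flag.
flag_legacy() {
    awk '{
        reason = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Enc=(3DES|RC4|DES)\(/) reason = reason " " $i
            if ($i == "Mac=MD5") reason = reason " " $i
            if ($i == "Au=None") reason = reason " " $i
        }
        if (reason != "") print $1 ":" reason
    }'
}

# Constructed sample in "openssl ciphers -v" format, so the filter can be
# tried on a machine without the server's OpenSSL build.
sample_output() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
EOF
}

# "--live" queries the local OpenSSL; otherwise the constructed sample is used.
if [ "${1:-}" = "--live" ]; then
    expand_ciphers "$CIPHER_STRING" | flag_legacy
else
    sample_output | flag_legacy
fi
```

Run with `--live` on the server itself to see what that machine's OpenSSL makes of the string; the `3DES` keyword in the selector is what admits the DES-CBC3 suites flagged in the sample.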

QuotesUK
Posts: 3
Joined: 2018/07/30 17:17:17

Re: Default Cipher List with CentOS 7 and Plesk Onyx

Post by QuotesUK » 2018/07/31 09:32:08

Thank you for your help avij. I asked on Plesk forums too, as you suggested and I got a slightly different answer.

Your response doesn’t clearly identify which ciphers are used and this topic https://www.experts-exchange.com/questi ... ocols.html suggests that it probably contains insecure ciphers.

The reply from https://talk.plesk.com/threads/default- ... yx.349015/ offers a test URL, which confirmed that insecure ciphers were not included. However, I noted that the test said the response was from nginx rather than Apache.

I know these settings can be changed. However, it appears the default configuration will include insecure ciphers and I need to ask my hosting provider to modify them when they commission my new server.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Default Cipher List with CentOS 7 and Plesk Onyx

Post by avij » 2018/07/31 10:19:18

If you have access to your web server config (one way or another) you can remove any ciphers you deem insecure without bothering your provider. Adding more secure ciphers is more difficult, and I'd avoid opening that Pandora's box if at all possible.
