When SSLLabs flags your server for SSLv2 vulnerability, it's not just a recommendation - it's a critical security flaw. The POODLE attack and other exploits make SSLv2 fundamentally insecure, and modern compliance standards (like PCI DSS) explicitly prohibit its use.
The configuration you tried is actually correct in principle:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
But in Plesk environments, there are several layers where SSL settings can be overridden:
- Plesk's own SSL management interface
- Virtual host templates
- Apache includes that regenerate on service restart
Here's the bulletproof method I've used on dozens of Plesk 10.x servers:
1. Permanent Configuration Changes
Edit /etc/httpd/conf.d/ssl.conf and add these directives before any VirtualHost definitions:
# Disable insecure protocols
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
# Modern cipher suite (adjust based on your client requirements)
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
2. Plesk-Specific Fixes
Create or modify /etc/httpd/conf.d/zz010_psa_httpd.conf:
<IfModule mod_ssl.c>
# Keep the +/- prefixes: a bare second protocol name replaces the first one
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
SSLProxyCipherSuite HIGH:!aNULL:!MD5:!RC4:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
</IfModule>
3. Verification Steps
After restarting Apache (service httpd restart), verify with:
openssl s_client -connect yourdomain.com:443 -ssl2
You should see:
140735326299488:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
For environments with multiple domains, create a global configuration file at /etc/httpd/conf.d/00-ssl-security.conf:
<VirtualHost *:443>
# These settings will apply to all vhosts
# Keep the +/- prefixes: a bare second protocol name replaces the first one
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLCompression off
SSLSessionTickets off
</VirtualHost>
For 2023+ security standards, consider this setup:
SSLCipherSuite TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES
Remember to test your configuration with:
nmap --script ssl-enum-ciphers -p 443 yourdomain.com
When running security scans on my Plesk 10.3.1 CentOS server using SSL Labs' analyzer, I discovered my Apache HTTPD configuration was still allowing the obsolete SSLv2 protocol. This is particularly dangerous because:
- SSLv2 has known cryptographic weaknesses (e.g., DROWN attack vulnerability)
- PCI DSS compliance requires disabling SSLv2
- Modern browsers don't even support it anymore
The usual approach of modifying /etc/httpd/conf.d/ssl.conf often doesn't work in Plesk because:
# Plesk regenerates configuration files during:
1. Service restarts
2. Domain modifications
3. Scheduled maintenance
4. Panel updates
For Plesk servers, we need to modify the template files that generate the final configuration:
# For Apache 2.2 (common in Plesk 10.x):
sudo nano /usr/local/psa/admin/conf/templates/default/domain/domainVirtualHost.php
# Look for SSLProtocol directives and replace with:
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
Then regenerate configurations:
# Rebuild all domain configurations
/usr/local/psa/admin/sbin/httpdmng --reconfigure-all
# Restart Apache (CentOS 6)
service httpd restart
# For CentOS 7+:
systemctl restart httpd
After making changes, verify with:
openssl s_client -connect yourdomain.com:443 -ssl2
You should see:
CONNECTED(00000003)
140735242610656:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
For comprehensive protection, consider:
# Disable insecure renegotiation
SSLInsecureRenegotiation off
# Enable HSTS
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
# Disable SSL Compression
SSLCompression off
Remember to test after each modification using:
curl -I -v --sslv2 https://yourdomain.com
curl -I -v --sslv3 https://yourdomain.com
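As an added example that is not part of either answer: a small Python auditor that resolves SSLProtocol values the way mod_ssl does (a bare name replaces what came before, '+' adds, '-' removes, 'all' expands to every protocol the build knows, and a VirtualHost value overrides the server-wide one) and reports any scope that still admits SSLv2 or SSLv3. The sample config and the 203.0.113.x addresses are constructed, and the protocol list assumes an older OpenSSL where 'all' still includes SSLv2.

```python
"""Resolve Apache mod_ssl SSLProtocol values per scope and flag any scope that still
admits SSLv2/SSLv3. Constructed example; not Plesk's or Apache's own code."""
import re
ALL = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")  # old OpenSSL: 'all' includes SSLv2
LEGACY = {"SSLv2", "SSLv3"}

def resolve_protocols(value):
    """Return (enabled protocol set, override warnings) for one SSLProtocol value."""
    enabled, warnings = set(), []
    for tok in value.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = set(ALL) if name.lower() == "all" else {p for p in ALL if p.lower() == name.lower()}
        if not names:
            raise ValueError(f"Illegal protocol '{name}'")  # mod_ssl refuses to start on this too
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:  # no prefix: the token REPLACES everything set so far (Apache 2.4 logs a warning)
            if enabled:
                warnings.append(f"'{tok}' overrides already set parameter(s)")
            enabled = names
    return enabled, warnings

def audit_config(text):
    """Map each scope (global or a <VirtualHost>) to its effective (protocols, warnings).
    A vhost without its own directive inherits the server-wide one; the 2.2 default is 'all'."""
    values, scope = {"global": None}, "global"
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            scope = f"VirtualHost {m.group(1)}"
            values.setdefault(scope, None)
        elif line.lower() == "</virtualhost>":
            scope = "global"
        elif m := re.match(r"SSLProtocol\s+(.+)", line, re.I):
            values[scope] = m.group(1)  # the last directive within a scope wins
    return {s: resolve_protocols(v if v is not None else values["global"] or "all") for s, v in values.items()}

# Constructed config: the page's own directives spread over the layers Plesk manages.
SAMPLE_CONFIG = """SSLProtocol all -SSLv2 -SSLv3
<VirtualHost 203.0.113.10:443>
    SSLProtocol -ALL +SSLv3 +TLSv1
</VirtualHost>
<VirtualHost 203.0.113.12:443>
    SSLProtocol TLSv1.2 TLSv1.3
</VirtualHost>"""

if __name__ == "__main__":
    for scope, (enabled, warnings) in audit_config(SAMPLE_CONFIG).items():
        print(f"{scope:30} legacy={sorted(enabled & LEGACY)} enabled={sorted(enabled)} {warnings}")
```

Running it shows the second vhost ends up with only TLSv1.3 enabled, because the unprefixed TLSv1.3 token replaces TLSv1.2 rather than adding to it.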