
Question changed nginx ssl.conf

moswak

Regular Pleskian
Some time ago we set up /etc/nginx/conf.d/ssl.conf on all servers

----
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /usr/local/psa/etc/dhkey.pem;
----

Now we notice that Plesk changed this a while ago:

----
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhkey.pem;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
----

Apart from the automatic Plesk update, nothing was changed.
How can that be?
 
Plesk added one extra line to the existing /etc/nginx/conf.d/ssl.conf file: proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
That was part of the upgrade to Plesk Obsidian 18.0.38 (think so anyway, but check your backups / file dates etc.). You can see this in your own post above.

You can control some of the important content of your own /etc/nginx/conf.d/ssl.conf file during upgrades (see all of the existing Plesk articles / documents etc. re: ssl_protocols | ssl_min_protocol | plesk sbin sslmng), so FWIW in our case (where we do) nothing else was altered and only that extra line was added, which is what we expected. There's nothing to prevent you from revising that additional line (if you want to), e.g. say you don't want the TLSv1 and TLSv1.1 protocols. Any other changes made will relate back to what upgrade control levels you've set up on your /etc/nginx/conf.d/ssl.conf file, so they will need further work.

Edit: Here's one example: How to enable/disable TLS protocol versions in Plesk for Linux
 
It was desired that TLSv1 and TLSv1.1 remain activated for the e-mail services, which is why
server_pref -u -ssl-protocols 'TLSv1 TLSv1.1 TLSv1.2'
is set on the server.
For nginx we had edited this separately so that TLSv1 and TLSv1.1 are deactivated.
Until the update to 18.0.38 that was always retained.
OK, then I know, and we have to change it again afterwards for nginx.
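
An added example, not part of the thread or of Plesk's tooling: a shell check to run after a Plesk update that reports any `ssl_protocols` or `proxy_ssl_protocols` line listing TLSv1 or TLSv1.1. The function name `find_legacy_tls`, the `demo` helper and the sample file are constructed for illustration, and the check assumes each directive sits on a single line.

```shell
#!/usr/bin/env bash
# Added example: report nginx directives that enable TLSv1 / TLSv1.1.
# Assumes each directive sits on one line, as in the ssl.conf quoted above.

# Prints "<directive>: <legacy protocols>" for every ssl_protocols or
# proxy_ssl_protocols line listing TLSv1 or TLSv1.1.
# Exit status: 0 = no legacy protocol enabled, 1 = at least one found.
find_legacy_tls() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        $1 == "ssl_protocols" || $1 == "proxy_ssl_protocols" {
            legacy = ""
            for (i = 2; i <= NF; i++) {
                p = $i
                sub(/;$/, "", p)                 # strip the terminating semicolon
                if (p == "TLSv1" || p == "TLSv1.1")
                    legacy = (legacy == "" ? p : legacy " " p)
            }
            if (legacy != "") { print $1 ": " legacy; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the hardened protocol line from the first post plus the
# proxy_ssl_protocols line the update appended.
demo() {
    local conf
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /usr/local/psa/etc/dhkey.pem;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
EOF
    if find_legacy_tls "$conf"; then
        echo "OK: no legacy TLS versions enabled"
    else
        echo "DRIFT: legacy TLS versions enabled in $conf"
    fi
    rm -f "$conf"
}

# Real use: find_legacy_tls /etc/nginx/conf.d/ssl.conf
demo
```

Because the function exits non-zero when it finds a legacy protocol, it can be run from a post-update hook or cron job to alert when an upgrade has rewritten the file.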
 