
[Resolved] Enabling TLS 1.2 and 1.3 - Not working

octet

Basic Pleskian
Hi guys,

Trying to remove the support for TLS 1.0 and 1.1 and enable only 1.2 and 1.3.

So far I did the following:

Code:
[root@ufo cache]# plesk bin server_pref -u -ssl-protocols 'TLSv1.2 TLSv1.3'
SUCCESS: Server preferences are successfully updated
[root@ufo cache]# /usr/local/psa/bin/server_pref -u -ssl-ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384'
SUCCESS: Server preferences are successfully updated
[root@ufo cache]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
[root@ufo cache]# service nginx restart
Restarting nginx (via systemctl):                          [  OK  ]

Checking on the domain level:

Code:
[root@ufo cache]# nmap --script ssl-enum-ciphers -p 443 www.domain.com | grep -E "TLSv|SSLv"
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:

Server level seems fine:

Code:
[root@ufo cache]# /usr/local/psa/bin/server_pref -s | grep ssl-*
ssl-protocols:    TLSv1.2 TLSv1.3
ssl-ciphers:    ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
ssl-cipher-server-order:    true
[root@ufo cache]#

SSL It! configuration is set to Modern:

[screenshot attachment: 2020-02-02_16-04-50.jpeg]


What am I doing wrong?
 
Which OS do you have, and what's the output of /etc/nginx/conf.d/ssl.conf?
 
CentOS

Code:
[root@ufo cache]# cat /etc/nginx/conf.d/ssl.conf
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
 
Thanks for the tip, I've modified the ssl.conf and restarted nginx, now I get:

[screenshot attachment: 2020-02-02_17-26-48.jpeg]


internet.nl says:

[screenshot attachment: 2020-02-02_17-29-05.jpeg]


Should I remove some of the Ciphers?
 
An example looks like:
Code:
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
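The root cause in this thread is that `plesk bin server_pref` reported TLSv1.2/1.3 while the nginx include `/etc/nginx/conf.d/ssl.conf` still carried `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, which is what nginx actually enforces. The script below is an added example (not code from the thread, from Plesk, or from the poster of the config above): it reads an nginx ssl.conf, reports whether `ssl_protocols` contains anything other than TLSv1.2/TLSv1.3, lists the `ssl_ciphers` entries that are not AEAD suites (the CBC/SHA-1 style entries a scanner such as internet.nl will question), and checks whether the local OpenSSL lists TLS 1.3 suites at all, which answers the later CentOS 7 / OpenSSL 1.0.2 question. The two config files it audits are constructed inline from the snippets posted in this thread (the "before" file is abridged); the function names and the non-AEAD heuristic are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Plesk: audit an nginx
# ssl.conf for legacy protocol versions and non-AEAD cipher suites, and
# check whether the local OpenSSL can speak TLS 1.3 at all.
# All file contents below are constructed from the snippets posted above.

# Print the value of the first matching nginx directive, without the ';'.
nginx_directive() {  # $1 = directive name, $2 = config file
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\);.*/\1/p" "$2" | head -n 1
}

# Succeed only if ssl_protocols lists nothing but TLSv1.2 and/or TLSv1.3.
# This is the check the Plesk CLI output could not give the poster: the
# nginx include, not server_pref, decides what the nginx listener offers.
protocols_are_modern() {  # $1 = config file
    protos=$(nginx_directive ssl_protocols "$1")
    [ -n "$protos" ] || return 1
    for p in $protos; do
        case "$p" in
            TLSv1.2|TLSv1.3) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# List entries of ssl_ciphers that are neither exclusions ("!...") nor
# AEAD suites (GCM or CHACHA20-POLY1305); these are the CBC/SHA-1 style
# entries worth reviewing when a scanner asks for a modern profile.
weak_ciphers() {  # $1 = config file
    nginx_directive ssl_ciphers "$1" | tr ':' '\n' \
        | grep -v '^!' | grep -v -E 'GCM|CHACHA20' || true
}

# OpenSSL 1.0.2 (CentOS 7) has no TLS 1.3; 1.1.1+ lists TLS 1.3 suites
# in its default cipher list, so their presence is a usable probe.
openssl_supports_tls13() {
    command -v openssl >/dev/null 2>&1 || return 1
    openssl ciphers -v 2>/dev/null | grep -q 'TLSv1.3'
}

# Constructed sample: the ssl.conf as posted before the fix (abridged).
BEFORE_CONF=$(mktemp)
cat > "$BEFORE_CONF" <<'EOF'
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA1+AES128:HIGH:!aNULL:!eNULL:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
EOF

# Constructed sample: the replacement config suggested in the thread.
AFTER_CONF=$(mktemp)
cat > "$AFTER_CONF" <<'EOF'
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
EOF

# Human-readable report for one config file.
audit_ssl_conf() {  # $1 = config file
    printf '== %s ==\n' "$1"
    if protocols_are_modern "$1"; then
        printf 'ssl_protocols: OK (%s)\n' "$(nginx_directive ssl_protocols "$1")"
    else
        printf 'ssl_protocols: LEGACY VERSIONS ENABLED (%s)\n' "$(nginx_directive ssl_protocols "$1")"
    fi
    printf 'non-AEAD suites: %s\n' "$(weak_ciphers "$1" | tr '\n' ' ')"
}

audit_ssl_conf "$BEFORE_CONF"
audit_ssl_conf "$AFTER_CONF"
if openssl_supports_tls13; then
    echo "local openssl: TLS 1.3 suites available"
else
    echo "local openssl: no TLS 1.3 suites (or openssl not found)"
fi
```

Run it against the real file with `audit_ssl_conf /etc/nginx/conf.d/ssl.conf` after editing; on the "before" config it flags TLSv1 and TLSv1.1, and on the suggested config it still lists the four CBC suites (`ECDHE-*-AES*-SHA384` / `-SHA256`), which is the concrete answer to "should I remove some of the ciphers?": those are the only non-AEAD entries left. Note that nginx configures TLS 1.3 suites through `ssl_conf_command Ciphersuites` on OpenSSL 1.1.1+, so the `TLS-...` names in `ssl_ciphers` are ignored by OpenSSL rather than enforced.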
 
You might want to tell me (I'm on Debian, btw) that this is not the default configuration. It seems much better to me than the default one.
I personally prefer ECDSA over RSA, but that's also possible with your config.
Would vote for your config to be the default!
 
Yes, in fact this is not the standard configuration, rather a general configuration for normal web sites/servers. Well, the settings for TLS are very individual and are designed to suit the needs of the user to get the best possible result. In my opinion, the way Plesk currently does it, based on Mozilla, is basically good for the majority of Plesk users. Since there are always new features, you can alternatively use the Mozilla Generator.
 
How are you enabling TLS 1.3 in CentOS 7, which uses OpenSSL 1.0.2, or are you using CentOS 8? Does Obsidian change the server config to permit TLS 1.3 when using CentOS 7?
 