Forwarded to devs Nginx compiled by Plesk and ciphers

OverWolf

Regular Pleskian
TITLE


Nginx compiled by Plesk and ciphers

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk 18.0.39 Update #2, CentOS 7.9.2009

PROBLEM DESCRIPTION

In my configuration TLS 1.3 isn't implementable, but with nginx compiled by Plesk I can secure my domains with the latest version. I use Let's Encrypt to secure domains and I have nginx as a proxy. Every domain is secured with TLS_AES_256_GCM_SHA384, but I would like to use TLS_AES_128_GCM_SHA256.

I have followed this guide https://support.plesk.com/hc/en-us/...able-TLS-protocol-versions-in-Plesk-for-Linux but without any success.

STEPS TO REPRODUCE

If I try to set up new ciphers to use FIRST AES128 with this command:

Code:
plesk bin server_pref -u -ssl-ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305'

I have this error

Code:
AH00526: Syntax error on line 81 of /etc/httpd/conf.d/ssl.conf:
SSLCipherSuite takes one argument, Colon-delimited list of permitted SSL Ciphers ('XXX:...:XXX' - see manual)

ACTUAL RESULT

I cannot change ciphers and domains have a connection encrypted with TLS_AES_256_GCM_SHA384

EXPECTED RESULT

I can use TLS_AES_128_GCM_SHA256 with TLS 1.3

ANY ADDITIONAL INFORMATION

Question - Nginx compiled by Plesk and ciphers

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Help with sorting out
 
As stated in https://support.plesk.com/hc/en-us/...able-TLS-protocol-versions-in-Plesk-for-Linux, TLS 1.3 isn't available in Apache on CentOS 7. The "plesk bin server_pref -u -ssl-ciphers" command changes settings for both Apache and nginx and therefore can't be used in your case. To set the ciphers for nginx only, please use the command:
Code:
# plesk sbin sslmng -s nginx --ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305'
instead.
 
Hi Igor,

The command you posted gives me no error, but the result doesn't change. If I reissue the certificate from Let's Encrypt, it gives me a connection encrypted with TLS_AES_256 and not TLS_AES_128 as I would expect. So the 'problem' is somewhere else.
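
Added example, not part of the thread or of Plesk's tooling: a client-side check of which TLS 1.3 suite a server negotiates and whether that choice follows the client's order. It assumes an `openssl` client from OpenSSL 1.1.1 or newer (for `-tls1_3` and `-ciphersuites`); the function names, the sample output and the host in the usage line are constructed for illustration.

```shell
#!/bin/sh
# Added example. The cipher string is the one used in the thread; all else is constructed.
THREAD_CIPHERS='TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305'

# Constructed excerpt of `openssl s_client` output.
SAMPLE_OUTPUT='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit'

# TLS 1.3 suites in a colon-delimited string. OpenSSL names them TLS_* and
# configures them separately from the TLS 1.2-and-older cipher list.
tls13_suites() {
    printf '%s\n' "$1" | tr ':' '\n' | grep '^TLS_' | paste -s -d: -
}

# The TLS 1.2-and-older ciphers in the same string.
legacy_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^TLS_' | paste -s -d: -
}

# Read `openssl s_client` output on stdin, print "<protocol> <cipher>".
negotiated() {
    sed -n 's/^New, \(TLSv[0-9.]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1
}

# One TLS 1.3 handshake offering the suites in the given client order.
probe() {  # probe <host> <suite-order>
    openssl s_client -connect "$1:443" -servername "$1" -tls1_3 \
        -ciphersuites "$2" </dev/null 2>/dev/null | negotiated
}

# Compare the results of two probes made with opposite client orders.
verdict() {  # verdict <result-128-first> <result-256-first>
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "no-tls13"                 # a handshake failed or was not TLS 1.3
    elif [ "$1" = "$2" ]; then
        echo "server-picks:${1#* }"     # same suite regardless of client order
    else
        echo "client-order"             # server followed the client's order
    fi
}

check_host() {  # check_host <host>
    a=$(probe "$1" 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384')
    b=$(probe "$1" 'TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256')
    verdict "$a" "$b"
}
# Usage: check_host www.example.com   (placeholder host; needs network access)
```

A `server-picks:` result means the server returned the same suite for both client orders, which happens either when it applies its own preference or when it enables only one of the two suites.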
 