• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question OpenSSL 1.1.1 for TLS 1.3 on Plesk Obsidian (CloudLinux 7.7)... when?

MicheleB

Regular Pleskian
Hello,
I'd like to know when will be available the last version of OpenSSL 1.1.1 on Plesk Obsidian (I've the old 1.0.2k-fips 26 Jan 2017 on my CloudLinux 7.7).

Now from 31th January all the websites hosted on the my cloud server are receiving on ssllabs.com a downgrade from "A+" to "B" because is missing the TLS 1.3 protocol.

I know that is possibile to activate TLS 1.3 also without opensssl 1.1.1 using "nginx only" but I need to have the Apache support:

Someone from Plesk Staff could give me more information about OpenSSL 1.1.1 which is required for TLSv1.3 for Apache?
Thanks.
 
Hello,

I know that is possibile to activate TLS 1.3 also without opensssl 1.1.1 using "nginx only" but I need to have the Apache support
It doesn't applicable only for "nginx only", but also should work in "nginx behind apache".

Someone from Plesk Staff could give me more information about OpenSSL 1.1.1 which is required for TLSv1.3 for Apache?
We are not provide own apache builds, but use provided by OS vendor. So you need to ask this question to CloudLinux.

Thanks,
 
It doesn't applicable only for "nginx only", but also should work in "nginx behind apache".
Ok, but if I read correctly the above yours article "Can TLS 1.3 be enabled in Plesk?", "nginx behind apache" is only possible with Ubuntu 18.04 and Debian 9 because are the only ones who have OpenSSL version 1.1.1... is it correct?

We are not provide own apache builds, but use provided by OS vendor. So you need to ask this question to CloudLinux.
Thanks,
I asked to CloudLinux but they said me is necessary to wait that RedHat updates it in their repositories for CentOS7 but they don't know when and if will happen.
Sometimes I curse the day I followed my hosting provider's advice to switch from Debian (free) to CloudLinux (payment)...
 
Hello,

Ok, but if I read correctly the above yours article "Can TLS 1.3 be enabled in Plesk?", "nginx behind apache" is only possible with Ubuntu 18.04 and Debian 9 because are the only ones who have OpenSSL version 1.1.1... is it correct?

Not exactly: in Plesk Obsidian, nginx for hosting compiled support TLS 1.3 on all supported oses since Aug 2019:
Code:
# plesk version
Product version: Plesk Obsidian 18.0.24.0
     OS version: CentOS 7.7.1908 x86_64
     Build date: 2020/02/07 23:00
       Revision: b3f863386a5e614fb2ea2c2cb5c4be91049d94a3
# nginx -V
nginx version: nginx/1.16.1
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled

but nginx for Plesk itself support TLS1.3 only on modern Oses (Debian9, Ubuntu18.04).

I asked to CloudLinux but they said me is necessary to wait that RedHat updates it in their repositories for CentOS7 but they don't know when and if will happen.
Sometimes I curse the day I followed my hosting provider's advice to switch from Debian (free) to CloudLinux (payment)...
It's sad, but even on Debian9 and Ubuntu18.04 Apache version is too low to have support of TLS1.3
 
Now from 31th January all the websites hosted on the my cloud server are receiving on ssllabs.com a downgrade from "A+" to "B" because is missing the TLS 1.3 protocol.
afaik it is not of missing TLS1.3 insteed do to the fact that you have still TLS 1.0 & 1.1 enabled. So within enabled TLS 1.2 and the right chiper settings you will be fine for some time
please see: SSL Labs Grade Change for TLS 1.0 and TLS 1.1 Protocols | Qualys Blog
Update 1/31/2020: The grade change is now live on www.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade.
 
Last edited:
any update for this topic to get a+ rating again?

If tsl1.0 is turned off for Plesk Obsidian 18.0.27 will this still affect Plesk Premium Antivirus?
If so what free alternative is there?
 
It's sad, but even on Debian9 and Ubuntu18.04 Apache version is too low to have support of TLS1.3

I would like to use python 3 script (3.8 or later) that also has requirement for OpenSSL 1.1 or later. What are my options along side running plesk Version 18.0.59 Update #2, last updated on Mar 5, 2024 12:06 PM?
 
Just to follow up on this the issue I was having is that python app expecting OpenSSL 1.1 to be installed. I was able to get around this by installing OpenSSL 1.1 e.g. yum install openssl11 openssl11-devel and then compile python to point at this version when compiling. I was then able to run python app without issue.

The way to get the correct flags passed to the compiler and linker is to set CFLAGS and LDFLAGS as environmental variables like so
Code:
export CFLAGS="$CFLAGS $(pkg-config --cflags openssl11)"
export LDFLAGS="$LDFLAGS $(pkg-config --libs openssl11)"


afaict, Plesk running on centos 7 still has dependency on OpenSSL 1.0.2
 
Back
Top