learning_curve
Golden Pleskian
At the time of posting, here's a brief snapshot of the current situation for Plesk 17.8.11 / Ubuntu 18.04.2:
A) Ubuntu have back-ported OpenSSL 1.1.1 for Ubuntu 18.04.2 LTS. The OS does now fully support TLSv1.3.
B) Running all your domains (but not your host domain:8443) on Plesk 17.8.11 / Ubuntu 18.04.2 however, does NOT support the use of TLSv1.3. Why? See C)
C) Plesk 17.8.11 was compiled some time ago using the now 'legacy' 1.14.2 version of Nginx and with an earlier OpenSSL 1.1.0 release, which doesn't support TLSv1.3. This can be seen clearly via CLI:
Code:
# openssl version
OpenSSL 1.1.1 11 Sep 2018
# apt-cache policy openssl
openssl:
Installed: 1.1.1-1ubuntu2.1~18.04.1
Candidate: 1.1.1-1ubuntu2.1~18.04.1
Version table:
*** 1.1.1-1ubuntu2.1~18.04.1 500
500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
100 /var/lib/dpkg/status
1.1.0g-2ubuntu4.3 500
500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
1.1.0g-2ubuntu4 500
500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
# nginx -V
nginx version: nginx/1.14.2
built with OpenSSL 1.1.0g 2 Nov 2017 (running with OpenSSL 1.1.1 11 Sep 2018)
TLS SNI support enabled
configure arguments: ~~
D) If you're running your host domain:8443 on Plesk 17.8.11 / Ubuntu 18.04.2 however, TLSv1.3 is now the default here - i.e. there is no choice. This is due to an earlier Nginx bug. See below****
E) The CLI check correctly shows:
Code:
sw-cp-serverd -V
nginx version: nginx/1.11.10
built with OpenSSL 1.1.0g 2 Nov 2017 (running with OpenSSL 1.1.1 11 Sep 2018)
TLS SNI support enabled
F) You can't easily re-configure or change this (yet) although ironically, we actually see this 'host - domain:8443 TLSv1.3 by default' as more of a happy, if somewhat messy, accident, but your opinion may vary.
G) The end result is a Plesk Configured Hosting Mis-Match and to be fair that's an untenable position really.
H) Either: all domains AND the host domain:8443 should all support TLSv1.3, or none of them should support TLSv1.3 (yet). The current 'half and half, close but no cigar, we're still figuring it out' type situation could & should have been avoided by Plesk.
I) To add context, there's no real, qualifiable, added security risk as a result of the current mis-match and the most likely Plesk response could be 'well upgrade to Obsidian then...' but many Plesk users won't be ready to early adopt Obsidian (us included) so that's not really the answer. 17.8.11 is (arguably) the current stable Plesk release.
J) This does go back to the well overdue promise (search this forum) of "...yes a re-worked sw-cp-server from Plesk will be released soon..."
K) This now really DOES need to happen (in our opinion) and should be released at the same time, as an upgrade of 17.8.11 which would include upgraded Nginx / compiled content / support for TLSv1.3 / other improvements etc.
L) Assuming this ^^ does actually happen, both should be compiled with Nginx 1.16.* or later. Fingers crossed then!
**** Bug
The bug affecting 17.8.11 was fixed by Nginx at release 1.14.2 - SEE HERE
The bug affecting the sw-cp-server was fixed by Nginx at release 1.15.6 - SEE HERE However, sw-cp-server still uses the very, very old 1.11.10 nginx release and thus, the bug is still operative so it's TLSv1.3 by default...
@Dukemaster This has some relevance to your separate thread on TLSv1.3 ciphers
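The B) to E) reasoning above (compare the OpenSSL release nginx was built against with the one it is running on, then check whether the nginx build predates the bug fix) can be automated from the `-V` output. This is an added example, not code from the post or from Plesk; the two sample outputs are the ones pasted above, and the fix releases 1.14.2 / 1.15.6 are taken from the post's "Bug" note.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Sample `nginx -V` / `sw-cp-serverd -V` output as pasted in the post (Plesk 17.8.11).
NGINX_V = """nginx version: nginx/1.14.2
built with OpenSSL 1.1.0g 2 Nov 2017 (running with OpenSSL 1.1.1 11 Sep 2018)
TLS SNI support enabled
"""
SWCP_V = """nginx version: nginx/1.11.10
built with OpenSSL 1.1.0g 2 Nov 2017 (running with OpenSSL 1.1.1 11 Sep 2018)
TLS SNI support enabled
"""

# Releases the post says fixed the "TLSv1.3 on by default" bug: 1.14.2 on the
# stable branch, 1.15.6 on mainline (assumption: taken from the post as stated).
FIXED_STABLE = (1, 14, 2)
FIXED_MAINLINE = (1, 15, 6)

def _ver(s: str) -> Tuple[int, ...]:
    """'1.1.0g' -> (1, 1, 0); '1.14.2' -> (1, 14, 2). Letter suffixes are dropped."""
    return tuple(int(x) for x in re.findall(r"\d+", s))

@dataclass
class TlsBuildReport:
    nginx: Tuple[int, ...]
    built_with: Tuple[int, ...]
    running_with: Optional[Tuple[int, ...]]
    verdict: str  # "no-tls13" | "tls13-forced-on" | "tls13-configurable"

def assess(v_output: str) -> TlsBuildReport:
    """Classify TLSv1.3 behaviour of an nginx binary from its `-V` banner."""
    nginx = _ver(re.search(r"nginx/(\S+)", v_output).group(1))
    built = _ver(re.search(r"built with OpenSSL (\S+)", v_output).group(1))
    m = re.search(r"running with OpenSSL (\S+)", v_output)
    running = _ver(m.group(1)) if m else None
    effective = running or built          # the library actually loaded at runtime
    if effective < (1, 1, 1):
        verdict = "no-tls13"              # OpenSSL < 1.1.1 cannot speak TLSv1.3 at all
    elif built >= (1, 1, 1):
        verdict = "tls13-configurable"    # build knows TLSv1.3; ssl_protocols decides
    else:
        # Built on 1.1.0 but running on 1.1.1: outcome depends on the nginx bug fix.
        fixed = FIXED_STABLE if nginx[:2] == (1, 14) else FIXED_MAINLINE
        verdict = "no-tls13" if nginx >= fixed else "tls13-forced-on"
    return TlsBuildReport(nginx, built, running, verdict)
```

Run `assess()` over each banner: the domain-side nginx/1.14.2 comes back "no-tls13" (matches B/C) and sw-cp-server's nginx/1.11.10 comes back "tls13-forced-on" (matches D/E).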