• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Plesk 17.8.11 / Ubuntu 18.04.3 LTS / OpenSSL / TLSv1.3

learning_curve

Golden Pleskian
At the time of posting, here's a brief snapshot of the current situation for Plesk 17.8.11 / Ubuntu 18.04.2:

A) Ubuntu have back-ported OpenSSL 1.1.1 for Ubuntu 18.04.2 LTS. The OS does now fully support TLSv1.3
B) Running all your domains (but not your host domain:8443) on Plesk 17.8.11 / Ubuntu 18.04.2 however, does NOT support the use of TLSv1.3. Why? See C)
C) Plesk 17.8.11 was compiled some time ago using the now 'legacy' 1.14.2 version of Nginx and with an earlier OpenSSL 1.1.0 release, which doesn't support TLSv1.3. This can be seen clearly via CLI:
Code:
# openssl version
OpenSSL 1.1.1 11 Sep 2018

# apt-cache policy openssl
openssl:
Installed: 1.1.1-1ubuntu2.1~18.04.1
Candidate: 1.1.1-1ubuntu2.1~18.04.1
Version table:
*** 1.1.1-1ubuntu2.1~18.04.1 500
500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
100 /var/lib/dpkg/status
1.1.0g-2ubuntu4.3 500
500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
1.1.0g-2ubuntu4 500
500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

# nginx -V
nginx version: nginx/1.14.2
built with OpenSSL 1.1.0g 2 Nov 2017 (running with OpenSSL 1.1.1 11 Sep 2018)
TLS SNI support enabled
configure arguments: ~~
D) If you're running your host domain:8443 on Plesk 17.8.11 / Ubuntu 18.04.2 however, TLSv1.3 is now the default here - i.e. there is no choice. This is due to an ealier Nginx bug. See below****
E) The CLI check correctly shows:
Code:
sw-cp-serverd -V
nginx version: nginx/1.11.10
built with OpenSSL 1.1.0g 2 Nov 2017 (running with OpenSSL 1.1.1 11 Sep 2018)
TLS SNI support enabled
F) You can't easily re-configure or change this (yet) although ironically, we actually see this 'host - domain:8443 TLSv1.3 by default' as more of a happy, if somewhat messy, accident but your opinion may vary ;)
G) The end result is a Plesk Configured Hosting Mis-Match and to be fair that's an untenable position really.
H) Either; All domains AND the host domain:8443 should all support TLSv1.3 or none of them should support TLSv1.3 (yet). The current 'half and half, close but no cigar, we're still figuring it out' type situation could & should have been avoided by Plesk o_O
I) To add context, there's no real, qualifiable, added security risk as a result of the current mis-match and the most likely Plesk response could be 'well upgrade to Obsidian then..." but many Plesk users won't be ready to early adopt Obsidian (us included) so that's not really the answer. 17.8.11 is (arguably) the current stable Plesk release.
J) This does goes back to the well overdue promise (search this forum :D) of "...yes a re-worked sw-cp-server from Plesk will be released soon..." :rolleyes:
K) This now really DOES need to happen (in our opinion) and should be released at the same time, as an upgrade of 17.8.11 which would include upgraded Nginx / compiled content / support for TLSv1.3 / other improvements etc
L) Assuming this ^^ does actually happen, both should be compiled with Nginx 1.16.* or later :cool: Fingers crossed then!

**** Bug
The bug affecting the 17.8.11 was fixed by Nginx at release 1.14.2 - SEE HERE
The bug affecting the sw-cp-server was fixed by Nginx at release 1.15.6 - SEE HERE However, sw-cp-server still uses the very, very old 1.11.10 nginx releaase and thus, the bug is still operative so it's TLSv1.3 by default...

@Dukemaster This has some relevance to your separate thread on TLSv1.3 ciphers




 
As we now currently understand it, Onyx will not be re-worked to support TLSv1.3, but feel free to re-verify this yourself if you believe this to be incorrect. The only "official" TLSv1.3 option is / will be Obsidian (which at the time of writing, is still a long way from being made a Plesk stable release).

Ubuntu 18.04.2 'appears to be' the first LTS OS to provide OpenSSL 1.1.1 by default now, but all the others OS LTS will follow.

If all the other LTS O/S only follow AFTER Obsidian is officially released by Plesk, then arguably (!) the current Plesk policy makes sense. If they follow BEFORE Obsidian is officially released by Plesk, then their non-commital policy, will have been shot to bits and therefore, must be revised ASAP. So, don't hold your breath waiting for TLSv1.3 on Onxy 17.5.3 or 17.8.1 (specifically if you're using Ubuntu 18.04 LTS because at present) as it's a case of "...here's what you already have, but cannot use when using Plesk Onxy..." :rolleyes:
 
Amazing... Credit where credit is due ;) Plesk have FINALLY sorted out their TLSv1.3 issues on the stable release status 17.8.11. Didn't see that one coming!

We are now, sucessfully running Plesk 17.8.11 on Ubuntu 18.04.3 LTS with TLSv1.3 on all of our hosted domains AND on our host domain:8443 (Plesk Panel)

Better late than never :D but Thank YOU Plesk - This ticket is COMPLETE!
 
Back
Top