learning_curve
Golden Pleskian
As per the thread title really... Our question is, why is this situation present in a new RTM Plesk release? Is it just because it's only at Early Adopter status currently? That would be fair and make sense. @Anthony maybe you could advise on the reasons for this? An associated question would be: will sw-cp-server therefore be re-compiled and run TLSv1.3 by default before Obsidian is provided at General Release status? That would be nice to hear.
One of the things that Obsidian has been promoted for is fully supporting TLSv1.3, which it now does, apart from... the actual Plesk panel itself! It does seem bizarre that if we were to upgrade to Obsidian now, our Host-Domain:8443 would technically be less secure (TLSv1.2 v TLSv1.3) than it is now on Onyx 17.8.11?
FWIW We ran the Obsidian upgrade process, which did run very smoothly and with no problems for us. Once on Obsidian everything (on our specific setup anyway) appeared to work very well during the short time that we ran it. After running many varied checks & tests, we then reverted back to Onyx 17.8.11 via server snapshot. We can now work through the questions that were raised, but at a nice leisurely pace before we upgrade to Obsidian for real.
The OpenSSL version that the Obsidian nginx package has been compiled with is the reason for TLSv1.2 by default (we think!) but here are the two different sw-cp-server Nginx details for comparison: First is our current Onyx 17.8.11
and here's the Obsidian upgrade (complete with an old OpenSSL version...)
Code:
Plesk Onyx Version 17.8.11 Update #68
~# sw-cp-serverd -V
nginx version: nginx/1.16.1
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments:
--prefix=/usr/share
--sbin-path=/usr/sbin/sw-cp-serverd
--conf-path=/etc/sw-cp-server/config
--error-log-path=/var/log/sw-cp-server/error_log
--http-log-path=/var/log/sw-cp-server/access.log
--lock-path=/var/lock/sw-cp-server.lock
--pid-path=/run/sw-cp-server.pid
--http-client-body-temp-path=/var/lib/sw-cp-server/body
--http-fastcgi-temp-path=/var/lib/sw-cp-server/fastcgi
--http-proxy-temp-path=/var/lib/sw-cp-server/proxy
--http-scgi-temp-path=/var/lib/sw-cp-server/scgi
--http-uwsgi-temp-path=/var/lib/sw-cp-server/uwsgi
--user=sw-cp-server --group=sw-cp-server
--with-ipv6
--with-file-aio
--with-http_ssl_module
--with-http_v2_module
--with-http_gzip_static_module
--with-http_auth_request_module
--add-module=/home/builder/buildbot/microupdate/PLESK_17_8/build/unix/plesk/packages/sw-cp-server/work/lua-nginx-module-0.10.13
--add-module=/home/builder/buildbot/microupdate/PLESK_17_8/build/unix/plesk/packages/sw-cp-server/work/ngx_devel_kit-0.3.0
~#
Code:
Plesk Obsidian RTM 18.019.2
~# sw-cp-serverd -V
nginx version: nginx/1.16.1
built with OpenSSL 1.1.0g 2 Nov 2017 (running with OpenSSL 1.1.1 11 Sep 2018)
TLS SNI support enabled
configure arguments:
--prefix=/usr/share
--sbin-path=/usr/sbin/sw-cp-serverd
--conf-path=/etc/sw-cp-server/config
--error-log-path=/var/log/sw-cp-server/error_log
--http-log-path=/var/log/sw-cp-server/access.log
--lock-path=/var/lock/sw-cp-server.lock
--pid-path=/run/sw-cp-server.pid
--http-client-body-temp-path=/var/lib/sw-cp-server/body
--http-fastcgi-temp-path=/var/lib/sw-cp-server/fastcgi
--http-proxy-temp-path=/var/lib/sw-cp-server/proxy
--http-scgi-temp-path=/var/lib/sw-cp-server/scgi
--http-uwsgi-temp-path=/var/lib/sw-cp-server/uwsgi
--user=sw-cp-server --group=sw-cp-server
--with-file-aio
--with-http_ssl_module
--with-http_v2_module
--with-http_gzip_static_module
--with-http_auth_request_module
--add-module=ngx_devel_kit
--add-module=lua-nginx-module
~#
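Added example, not part of the original post or of Plesk's tooling: a small Python check that reads a `sw-cp-serverd -V` banner and reports the build-time versus run-time OpenSSL versions compared above. It assumes, following the poster's hypothesis, that TLSv1.3 is only possible when both versions are at least 1.1.1; the function names and the script name `check_banner.py` are hypothetical.

```python
import re
import sys

# Constructed samples: the first lines of the two `sw-cp-serverd -V` banners quoted in the post.
ONYX = ("nginx version: nginx/1.16.1\n"
        "built with OpenSSL 1.1.1 11 Sep 2018\n")
OBSIDIAN = ("nginx version: nginx/1.16.1\n"
            "built with OpenSSL 1.1.0g 2 Nov 2017 "
            "(running with OpenSSL 1.1.1 11 Sep 2018)\n")

VERSION = r"([0-9][0-9a-z.]*)"
TLS13_MIN = (1, 1, 1)  # first OpenSSL release series with TLSv1.3


def parse_version(text):
    """Turn '1.1.0g' into (1, 1, 0); the letter suffix does not affect TLSv1.3 support."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)[a-z]*", text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    return tuple(int(part) for part in m.groups())


def check_banner(banner):
    """Report build-time vs run-time OpenSSL from an `nginx -V` style banner."""
    built = re.search(r"built with OpenSSL " + VERSION, banner)
    if not built:
        raise ValueError("no 'built with OpenSSL' line in banner")
    # nginx only prints "running with" when the loaded library differs from the build.
    running = re.search(r"running with OpenSSL " + VERSION, banner) or built
    built_v, running_v = parse_version(built.group(1)), parse_version(running.group(1))
    return {
        "built": built.group(1),
        "running": running.group(1),
        "mismatch": built.group(1) != running.group(1),
        # Assumption (the poster's hypothesis): both sides must be >= 1.1.1.
        "tls13_possible": built_v >= TLS13_MIN and running_v >= TLS13_MIN,
    }


if __name__ == "__main__":
    # Usage: sw-cp-serverd -V 2>&1 | python3 check_banner.py
    text = sys.stdin.read() if not sys.stdin.isatty() else OBSIDIAN
    for key, value in check_banner(text).items():
        print(f"{key}: {value}")
```

The banner is written to stderr, hence the `2>&1` in the usage line.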