
[Resolved] According to clients, Chrome sometimes reports err_spdy_inadequate_transport_security

mr-wolf

I received a screenshot from a client's client showing that Chrome could not connect to a website.
It reports "err_spdy_inadequate_transport_security".

This seems to be related to not having HTTP2 enabled, but I have that enabled.


SSL Labs gives an "A" rating.
I would prefer an "A+" rating, and this may be related to the error it is giving:

"Server negotiated HTTP/2 with blacklisted suite"

Any idea how to resolve this?

The server is running Plesk 17.5.3 on Ubuntu 16.04 LTS with nginx and HTTP/2 enabled.
 
I found HTTP/2 Support in Plesk

Is this part still valid?
Code:
# plesk sbin sslmng --services=nginx --custom --ciphers="EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20" --protocols="TLSv1 TLSv1.1 TLSv1.2"

If that is needed to run properly why is it not configured by default that way?

This is what I currently have:
# cat /etc/nginx/conf.d/ssl.conf
Code:
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

It seems I need to disable some ciphers.
Should I just run the above command?

EDIT

I ran the above command and it now looks like this:
Code:
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

I'm still only getting an A rating, but this doesn't mean it has not fixed it...
 
You can check the strictness of your enabled ciphers with

# nmap --script ssl-enum-ciphers -p 443 domain.com

at least. Also, add HSTS with something like:

add_header Strict-Transport-Security "max-age=31536000";
 
I ran into more problems after invoking that command.
No Internet Explorer version was able to access any https site...
Went back to:
Code:
plesk sbin sslmng --services=nginx --custom --ciphers='HIGH:!aNULL:!MD5' --protocols='TLSv1 TLSv1.1 TLSv1.2'

 
I entered my settings on the website Igor linked (Generate Mozilla Security Recommended Web Server Configuration Files):
OpenSSL 1.0.1g / Nginx 1.10.1

When I choose Modern, I get this:
Code:
plesk sbin sslmng --services=nginx --custom --ciphers='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256' --protocols='TLSv1 TLSv1.1 TLSv1.2'

It works with Internet Explorer 11 on Windows 8, but according to the SSL Server Test (Powered by Qualys SSL Labs) it will not work with Android 4.3 and many other old browsers.
Not a good idea...

It seems Intermediate is better, and that gives me:
Code:
plesk sbin sslmng --services=nginx --custom --ciphers='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS' --protocols='TLSv1 TLSv1.1 TLSv1.2'

Now I will have to find out if that also stops the initial problem a client of mine was having...
 
The "intermediate proposal" of the Firefox site gave me weak ciphers (3DES) when tested with the SSL Server Test (Powered by Qualys SSL Labs).

The only browser using those weak ciphers was IE8 on Windows XP.
Because IE8 doesn't support SNI, it will not work with virtual hosting anyhow...

This setting will give me no weak ciphers, but still maximum compatibility:

Code:
plesk sbin sslmng --services=nginx --custom --ciphers='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS' --protocols='TLSv1 TLSv1.1 TLSv1.2'
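The CBC and static-RSA suites that the Intermediate list keeps for older clients are on the list RFC 7540 Appendix A blacklists for HTTP/2, which is what the SSL Labs warning "Server negotiated HTTP/2 with blacklisted suite" and Chrome's err_spdy_inadequate_transport_security point at. The following is an added example (not code from this thread, Plesk or nginx) that reports which suites in a pasted ssl_ciphers value fall on that blacklist, so a list can be reviewed before it is handed to sslmng; it classifies explicit OpenSSL suite names and only flags aliases such as HIGH for manual expansion.

```python
"""Flag cipher suites in an nginx ssl_ciphers value that HTTP/2 forbids.

Added example, not code from the forum thread, Plesk or nginx. RFC 7540
(section 9.2.2, Appendix A) forbids on HTTP/2 suites with a non-ephemeral
key exchange (static RSA) or a non-AEAD cipher (CBC, 3DES, RC4); Chrome
drops such a connection with ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.
Aliases such as HIGH or EECDH+AESGCM are only reported, for expansion
with 'openssl ciphers -v'; explicit OpenSSL suite names are classified.
"""
import re

# OpenSSL name fragments of AEAD ciphers, the only ones RFC 7540 allows.
AEAD_RE = re.compile(r"(GCM|CCM|CHACHA20-POLY1305)")
# Ephemeral key-exchange prefixes in OpenSSL suite naming.
EPHEMERAL_RE = re.compile(r"^(ECDHE|DHE|EDH)-")
ALIAS = "alias, expand first with: openssl ciphers -v '<alias>'"


def parse_cipher_list(value):
    """Split an ssl_ciphers value into suite names; a leading 'ssl_ciphers'
    and trailing ';' are tolerated, operators (!DSS, -3DES, +AES256) dropped."""
    value = value.strip().rstrip(";").strip()
    if value.startswith("ssl_ciphers"):
        value = value[len("ssl_ciphers"):].strip()
    return [s for s in value.split(":") if s and s[0] not in "!-+"]


def http2_blacklisted(suite):
    """Return why a suite is unusable for HTTP/2, or None if it is allowed."""
    if "+" in suite or "-" not in suite:
        return ALIAS
    if not EPHEMERAL_RE.match(suite):
        return "non-ephemeral key exchange (static RSA)"
    if not AEAD_RE.search(suite):
        return "non-AEAD cipher (CBC/3DES/RC4)"
    return None


def audit(value):
    """Map every suite in an ssl_ciphers value that HTTP/2 forbids to its reason."""
    result = {}
    for suite in parse_cipher_list(value):
        reason = http2_blacklisted(suite)
        if reason:
            result[suite] = reason
    return result
```

Such suites are not wrong for TLS 1.0/1.1 clients that never speak HTTP/2; the problem is only a handshake in which nginx accepts both h2 and one of them, which is what the SSL Labs check probes.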
 
The previous post is an interpretation of the SSL Labs website.
I still have a client claiming to have an issue connecting to the website.
Will keep you posted...

In the meantime...
How can I resolve this?

And is it possible to receive an A+ rating with the Let's Encrypt certificate and the OS/Plesk/nginx combination?

 
And is it possible to receive an A+ rating with the Let's Encrypt certificate and the OS/Plesk/nginx combination?

I have SSL Labs' A+ with

# cat /etc/nginx/conf.d/ssl.conf
ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL:!RC4;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
add_header Strict-Transport-Security "max-age=31536000";

# plesk version
Product version: Plesk Onyx 17.5.3 Update #7
Update date: 2017/05/30 15:37
Build date: 2017/03/17 16:00
OS version: CentOS 6.9
 
Mine stayed at A when using your ssl.conf.
It did, however, stop supporting many browsers (like Internet Explorer 10) and introduced some 3DES ciphers, which SSL Labs claims are weak.

I still wonder what is doing it for you.

I'm going back to this setting now to get that compatibility back.
It's what the Firefox page generated for Intermediate, from which I deleted the 3DES ciphers.


# cat /etc/nginx/conf.d/ssl.conf
Code:
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# plesk version
Code:
Product version: Plesk Onyx 17.5.3 Update #6
    Update date: 2017/05/31 06:05
     Build date: 2017/03/17 16:00
     OS version: Ubuntu 16.04
       Revision: 55d1b49a272f44666e1920eca8b6e4da449a38cd
   Architecture: 64-bit
Wrapper version: 1.2
 