Please tell me in detail why the current sw-cp-server realization is not good for you? Is this not sufficiently protected or secure for you or what? Why is TLSv1.3 compliance so critical for you?
^^ This is a question very similar to the one below that was posted in another thread earlier:
...BTW, could you please clarify why are you so worried about openssl for a sw-cp-server, while other services, like sshd, Apache, etc. work the same way with vendor's openssl version and you do not care?
And which was answered by another forum member:
Apache is not connected to the outside world on a system that has Nginx running. The Plesk interface is communicated to our clients and port 8443 is by now a "well-known port" and it always involves a login. SSH is not used by clients. I would rather do a virgin installation than a distupgrade. That's the reason I still have my CentOS 5.11 version. The OpenSSL-version on sw-cp-server doesn't depend on the client's OS, but on the OS on which you compiled it. You are the only supplier of a compiled sw-cp-serverd. How is it possible that I have a more modern sw-cp-serverd on end-of-life CentOS 5.11 than the people running the latest CentOS 7? You already answered that, really. It still would not stop you from supplying a more modern one for CentOS 6 & 7 and Ubuntu 12, 14. BTW.... All this is not of such importance to me as it may seem. It started with helping out @learning_curve and his need to apply the same tweaks on his panel as he had on his normal nginx. I had no problem applying those changes while he did. Only after many back-and-forths this openssl-version of sw-cp-serverd turned out to be the culprit. I wasn't expecting that.
Our own answer is yes, it's protected and secure; we do acknowledge and agree. However, as you may glean from the above answer / thread details, if you have a setup similar to ours (signature), the protection level that's in place when using the default Plesk sw-cp-server is behind the rest of our Plesk setup & this will increase once we're using 17.8.11.
It's possible to modify many things within Plesk Onyx 17.5.3 in order to improve things. We have done so and you @IgorG have helped us frequently to do this! We also updated our default sw-cp-server too, but only with great help from forum member @Varrenlad in THIS #16 post and yes it works perfectly after this upgrade.
So with our current setup, we don't plan to make further changes for a while. This is because TLSv1.3 isn't definitively finished yet, although it's much, much closer now to being at general release status. There's a great danger of doing lots of further modification work twice at this point in time, which is why we're waiting for TLSv1.3 / openssl / etc etc to all be formally released, which we think might be in May.
We're happy right where we are currently with 17.5.3, but when running the whole 17.5.3 > 17.8.11 upgrade (when 17.8.11 reaches General Release status) we really want to do that in just one project (which includes running your helpful bash script too after that's been updated to 17.8.11 as well) if at all possible! Not one project then lots of plus / plus / plus / plus / plus minor projects etc.
TLSv1.3 is perhaps more important than many often realise. For example, we only use TLSv1.2 (and TLSv1.3 draft spec) currently, but almost without choice. This is because several online card processing APIs that are used on domains that we host will no longer accept anything less (including TLSv1.1). The same status change will happen again once TLSv1.3 becomes available, so that's one of the reasons why we're looking ahead to a smooth, all-inclusive upgrade to 17.8.11.
I would like to say that at the moment we do not know of any security problems with the current implementation of sw-cp-server and therefore updating it for TLSv1.3 compliance is not a priority for developers. But we keep this task in mind, and someday it will reach its turn.
Yes, fully understand this, but reading back through the above, it's not the same level on all setups (and it could easily be). Compared to the work involved in making 15.8.11 consistent across all setups, we are thinking (guessing) that this is much less work by comparison...