
Question changed nginx ssl.conf

moswak

Regular Pleskian
Some time ago we set up /etc/nginx/conf.d/ssl.conf on all servers

----
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /usr/local/psa/etc/dhkey.pem;
----

Now we notice that Plesk has changed this for a while

----
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhkey.pem;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
----

Apart from the automatic Plesk update, nothing was changed.
How can that be?
 
Plesk added one extra line to the existing /etc/nginx/conf.d/ssl.conf file: proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
This was part of the upgrade to Plesk Obsidian 18.0.38 (think so anyway, but check your backups / file dates etc.). You can see this in your own post above.

You can control some of the important content of your own /etc/nginx/conf.d/ssl.conf file during upgrades (see all of the existing Plesk articles / documents etc. re: ssl_protocols | ssl_min_protocol | plesk sbin sslmng), so FWIW in our case (where we do) nothing else was altered and only that extra line was added, which is what we expected. There's nothing to prevent you from revising that additional line (if you want to), e.g. say you don't want the TLSv1 and TLSv1.1 protocols. Any other changes made will relate back to what upgrade control levels you've set up on your /etc/nginx/conf.d/ssl.conf file, so they will need further work.

Edit: Here's one example: How to enable/disable TLS protocol versions in Plesk for Linux
 
It was desired that the TLSv1 and TLSv1.1 e-mail services remain activated, which is why
server_pref -u -ssl-protocols 'TLSv1 TLSv1.1 TLSv1.2'
is set on the server.
For nginx we had edited this separately so that TLSv1 and TLSv1.1 are deactivated.
Until the update to 18.0.38 that was always retained.
OK, then I know, and we have to change it again afterwards for nginx.
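
A check that can be run after each Plesk update, given here as an added example that is not part of the thread: it lists every `ssl_protocols` / `proxy_ssl_protocols` directive in an nginx config that still enables TLSv1 or TLSv1.1. The function names and the sample input are constructed for this example; the sample reuses the protocol lines from the post-update ssl.conf quoted in the first post.

```shell
#!/bin/sh
# Added example: audit an nginx config for legacy TLS protocol versions.

# legacy_tls_directives FILE   (use "-" or no argument to read stdin)
# Prints "<directive>: <legacy versions>" for each offending directive.
# Returns 1 if any directive enables TLSv1 or TLSv1.1, otherwise 0.
legacy_tls_directives() {
    awk '
        # Only active directives: a line starting with "#" never matches.
        /^[ \t]*(proxy_)?ssl_protocols[ \t]/ {
            sub(/#.*/, "")          # drop a trailing comment
            sub(/;[ \t]*$/, "")     # drop the terminating semicolon
            legacy = ""
            # $1 is the directive name, $2..$NF are the protocol versions.
            for (i = 2; i <= NF; i++)
                if ($i == "TLSv1" || $i == "TLSv1.1")
                    legacy = (legacy == "" ? $i : legacy " " $i)
            if (legacy != "") {
                print $1 ": " legacy
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "${1:--}"
}

# Constructed sample: protocol-related lines of the post-update ssl.conf
# as quoted in the thread (cipher list omitted for brevity).
sample_after_update() {
    cat <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhkey.pem;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
EOF
}

# Demo on the sample; on a server pass /etc/nginx/conf.d/ssl.conf instead.
sample_after_update | legacy_tls_directives - \
    || echo "legacy TLS versions are enabled for nginx"
```

The non-zero return value makes the function usable from a cron job or post-update hook that alerts when the nginx settings have drifted back.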
 