
[Resolved] Enabling TLS 1.2 and 1.3 - Not working

octet

Basic Pleskian
Hi guys,

Trying to remove the support for TLS 1.0 and 1.1 and enable only 1.2 and 1.3.

So far I did the following:

Code:
[root@ufo cache]# plesk bin server_pref -u -ssl-protocols 'TLSv1.2 TLSv1.3'
SUCCESS: Server preferences are successfully updated
[root@ufo cache]# /usr/local/psa/bin/server_pref -u -ssl-ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384'
SUCCESS: Server preferences are successfully updated
[root@ufo cache]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
[root@ufo cache]# service nginx restart
Restarting nginx (via systemctl):                          [  OK  ]

Checking on the domain level:

Code:
[root@ufo cache]# nmap --script ssl-enum-ciphers -p 443 www.domain.com | grep -E "TLSv|SSLv"
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:

Server level seems fine:

Code:
[root@ufo cache]# /usr/local/psa/bin/server_pref -s | grep ssl-*
ssl-protocols:    TLSv1.2 TLSv1.3
ssl-ciphers:    ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
ssl-cipher-server-order:    true
[root@ufo cache]#

The SSL It! configuration is set to Modern:

(attached screenshot: 2020-02-02_16-04-50.jpeg)


What am I doing wrong?
 
Which OS do you have, and what's the output of /etc/nginx/conf.d/ssl.conf?
 
CentOS

Code:
[root@ufo cache]# cat /etc/nginx/conf.d/ssl.conf
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
 
Thanks for the tip, I've modified the ssl.conf and restarted nginx, now I get:

(attached screenshot: 2020-02-02_17-26-48.jpeg)


internet.nl says:

(attached screenshot: 2020-02-02_17-29-05.jpeg)


Should I remove some of the Ciphers?
 
An example looks like:
Code:
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
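Added here as a check that is not part of the thread: a small Python audit of an nginx ssl fragment. It reports the legacy protocols and the SHA1/3DES/RC4/MD5 cipher entries that the original /etc/nginx/conf.d/ssl.conf posted above still allows (the nginx file overrides the server_pref setting), and confirms the hardened example passes. The two fragments are constructed, trimmed copies of the configs from this thread.

```python
import re

# Constructed, trimmed copy of the original ssl.conf from this thread.
ORIGINAL_SSL_CONF = """\
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+SHA1+AES128:EDH+SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!EDH+3DES;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
"""

# Constructed, trimmed copy of the hardened example from this thread.
HARDENED_SSL_CONF = """\
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_tickets off;
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Keywords that mark a cipher alias or suite as legacy; a trailing bare
# "SHA" in an OpenSSL suite name means HMAC-SHA1.
LEGACY_CIPHER_MARKERS = {"SHA1", "3DES", "DES", "RC4", "MD5", "NULL", "EXPORT"}


def parse_directives(conf):
    """Return {directive: [args]} for the ssl_* lines in an nginx fragment."""
    found = {}
    for m in re.finditer(r"^\s*(ssl_\w+)\s+([^;]+);", conf, re.MULTILINE):
        found[m.group(1)] = m.group(2).split()
    return found


def legacy_cipher_entries(cipher_string):
    """Positive entries of an OpenSSL cipher string that select legacy suites.
    Entries starting with '!' or '-' exclude suites and are skipped."""
    flagged = []
    for entry in cipher_string.split(":"):
        if not entry or entry[0] in "!-":
            continue
        parts = re.split(r"[+-]", entry.upper())
        if parts[-1] == "SHA" or any(p in LEGACY_CIPHER_MARKERS for p in parts):
            flagged.append(entry)
    return flagged


def audit_ssl_conf(conf):
    """Summarise protocol and cipher weaknesses of one nginx ssl fragment."""
    d = parse_directives(conf)
    protocols = d.get("ssl_protocols", [])
    legacy_protos = sorted(p for p in protocols if p in LEGACY_PROTOCOLS)
    legacy_ciphers = legacy_cipher_entries(":".join(d.get("ssl_ciphers", [])))
    return {
        "protocols": protocols,
        "legacy_protocols": legacy_protos,
        "legacy_ciphers": legacy_ciphers,
        "prefer_server_ciphers": d.get("ssl_prefer_server_ciphers", ["off"])[0] == "on",
        "ok": not legacy_protos and not legacy_ciphers,
    }


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_SSL_CONF), ("hardened", HARDENED_SSL_CONF)):
        print(name, audit_ssl_conf(conf))
```

Run it against the real file with `audit_ssl_conf(open("/etc/nginx/conf.d/ssl.conf").read())` after editing, then restart nginx and re-run the nmap check from the first post to confirm TLSv1.0/1.1 no longer appear.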
 
An example looks like:
Code:
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve X25519:P-521:P-384:P-256;

You might wanna tell me (I'm on Debian btw) that this is not the default configuration. It seems much better to me than the default one.
I personally prefer ECDSA over RSA, but that's also possible with your config.
Would vote for your config to be default!
 
Yes, in fact this is not the standard configuration, rather a general configuration for normal web sites/servers. Well, the settings for TLS are very individual and are designed to suit the needs of the user to get the best possible result. In my opinion, the way Plesk currently does it, based on Mozilla, is basically good for the majority of Plesk users. Since there are always new features, you can alternatively use the Mozilla Generator.
 
How are you enabling TLS 1.3 in CentOS 7, which uses OpenSSL 1.0.2, or are you using CentOS 8? Does Obsidian change the server config to permit TLS 1.3 when using CentOS 7?
 