• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Enabling TLS 1.2 and 1.3 - Not working

octet

Basic Pleskian
Hi guys,

Trying to remove the support for TLS 1.0 and 1.1 and enable only 1.2 and 1.3.

So far I did the following:

Code:
[root@ufo cache]# plesk bin server_pref -u -ssl-protocols 'TLSv1.2 TLSv1.3'
SUCCESS: Server preferences are successfully updated
[root@ufo cache]# /usr/local/psa/bin/server_pref -u -ssl-ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384'
SUCCESS: Server preferences are successfully updated
[root@ufo cache]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
[root@ufo cache]# service nginx restart
Restarting nginx (via systemctl):                          [  OK  ]

Checking on the domain level:

Code:
[root@ufo cache]# nmap --script ssl-enum-ciphers -p 443 www.domain.com | grep -E "TLSv|SSLv"
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:

Server level seems fine:

Code:
[root@ufo cache]# /usr/local/psa/bin/server_pref -s | grep ssl-*
ssl-protocols:    TLSv1.2 TLSv1.3
ssl-ciphers:    ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
ssl-cipher-server-order:    true
[root@ufo cache]#

SSL It configuration is set on Modern:

2020-02-02_16-04-50.jpeg


What am I doing wrong?
 
which OS du you have and whats the output of /etc/nginx/conf.d/ssl.conf
 
Centos

Code:
[root@ufo cache]# cat /etc/nginx/conf.d/ssl.conf
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
 
Thanks for the tip, I've modified the ssl.conf and restarted nginx, now I get:

2020-02-02_17-26-48.jpeg


internet.nl says:

2020-02-02_17-29-05.jpeg


Should I remove some of the Ciphers?
 
an example looks like:
Code:
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POL
Y1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
 
an example looks like:
Code:
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POL
Y1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve X25519:P-521:P-384:P-256;

You might wanna tell me (I'm on Debian btw) this not the default configuration is. Seems for me much better then the default one.
I personally prefer ECDSA over RSA but thats also possible with your config.
Would vote for your config to be default!
 
Yes, in fact this is not the standard configuration, rather a general configuration for normal web sites/servers. Well, the settings for TLS are very individual and are designed to suit the needs of the user to get the best possible result. In my opinion, the way Plesk currently does it, based on Mozilla, is basically good for the majority of Plesk users. Since there are always new features, you can alternatively use the Mozilla Generator.
 
How are you enabling TLS 1.3 in Centos 7 which uses openSSL 1.0.2 or are you using Centos 8? Does Obsidian change server config to permit TLS 1.3 when using Centos 7?
 
Back
Top