Facebook
Twitter
-
If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
CentOS2Alma discussion
Resolved How to disable TLS 1.0, TLS 1.1 and leave only TLS 1.2 activated
- Thread starter daanse
- Start date
Hi @IgorG ,
thank you.
I also inserted this into "/etc/postfix/main.cf"
run this Code:
and reloaded Postfix
but it seems not regonizing Key Pair.
is there something i missing?
Thank you for your help!
thank you.
I also inserted this into "/etc/postfix/main.cf"
Code:
smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong
tls_preempt_cipherlist = yes
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
Code:
openssl gendh -out /etc/postfix/dh_512.pem -2 512
openssl gendh -out /etc/postfix/dh_2048.pem -2 2048but it seems not regonizing Key Pair.
is there something i missing?
Thank you for your help!
Hi,
i think you can find those Settings with:
Code:
find /etc/apache2 -type f -name "*.conf" -exec grep --color -Hni "ciphers" {} \;with
Code:
nano /etc/apache2/mods-available/ssl.confagain.
# /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1 TLSv1.1 TLSv1.2"
Thank you command work perfect
Last edited:
Hi @IgorG . I am getting an error when running that command:
Code:
# /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2"
[2018-09-25 10:05:15] ERR [util_exec] proc_close() failed ['/usr/local/psa/admin/bin/sslmng' '--protocols' 'TLSv1.2'] with exit code [1]
sslmng failed: WARNING:Ignoring unsuppored protocol TLSv1.2
ERROR:No supported protocols suppliedMore information:
Code:
# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
Code:
# plesk -v
Product version: 12.5.30 Update #76
Update date: 2018/05/07 04:11
Build date: 2016/06/08 10:00
OS version: CentOS 5.11
Revision: 344620
Architecture: 64-bit
Wrapper version: 1.2How to solve it and have only TLSv1.2 activated?
This is not going to be possible for you. Based on your plesk -v output, you're running CentOS 5 which is based on an OpenSSL version which is incapable of TLS 1.1/1.2. You'll need to upgrade to a later version of the OS unless you want to risk overwriting the OS version of OpenSSL, but anything with a dependency on the old version may break, so could turn into a nightmare.
I have same question. Why not disable dangerous TLS versions 1.0 and 1.1 by default?
Agreed, this is 2021 and I was surprised to find out that Plesk didn't disable it by default. This is a major security risk that they didn't bother patching up. Makes you wonder what else they're overlooking, security wise...
Oh come on, have you ever seen any successful attacks due to TLS 1.0 encryption? For decades, most websites have not used SSL at all, and attackers don't attack through SSL protocols anyway but simply attack endpoints. Caling TLS 1.0 a "major" risk is more than exaggeration. It is a very low profile, tiny risk - if at all. You also have to consider that TLS 1.0 is only used if an ancient browser connects. All newer browsers have dropped support of it for years, so it's really almost never used as browsers don't connect with it anyway. If you don't want to have it for compatibility reasons, drop it, but calling it a "major" risk is beyond reason.
Thanks for clarifying!
