-ssl-protocols <protocols> Sets up SSL/TLS protocols to all services.
smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong
tls_preempt_cipherlist = yes
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
openssl gendh -out /etc/postfix/dh_512.pem -2 512
openssl gendh -out /etc/postfix/dh_2048.pem -2 2048
# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
# /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2"
# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols: TLSv1.2
Hi, can you please add the revert back command, i.e. all of TLSv1, TLSv1.1 and TLSv1.2 enabled?
Thanks
find /etc/apache2 -type f -name "*.conf" -exec grep --color -Hni "ciphers" {} \;
nano /etc/apache2/mods-available/ssl.conf
# /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1 TLSv1.1 TLSv1.2"
# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
# /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2"
# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols: TLSv1.2
# /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2"
[2018-09-25 10:05:15] ERR [util_exec] proc_close() failed ['/usr/local/psa/admin/bin/sslmng' '--protocols' 'TLSv1.2'] with exit code [1]
sslmng failed: WARNING:Ignoring unsuppored protocol TLSv1.2
ERROR:No supported protocols supplied
# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
# plesk -v
Product version: 12.5.30 Update #76
Update date: 2018/05/07 04:11
Build date: 2016/06/08 10:00
OS version: CentOS 5.11
Revision: 344620
Architecture: 64-bit
Wrapper version: 1.2
Note: TLSv1 can only be disabled for Apache versions equal to or higher than 2.2.23.
In this case try to use
# plesk sbin sslmng --protocols="TLSv1.1 TLSv1.2"
I have the same question. Why not disable dangerous TLS versions 1.0 and 1.1 by default? @IgorG
I have a question about that: for Plesk Obsidian, will the old TLS versions be automatically deactivated by an update in the future if they have expired or are no longer recommended?
Agreed, this is 2021 and I was surprised to find out that Plesk didn't disable it by default. This is a major security risk that they didn't bother patching up. Makes you wonder what else they're overlooking, security wise...
Oh come on, have you ever seen any successful attacks due to TLS 1.0 encryption? For decades, most websites have not used SSL at all, and attackers don't attack through SSL protocols anyway but simply attack endpoints. Calling TLS 1.0 a "major" risk is more than exaggeration. It is a very low profile, tiny risk - if at all. You also have to consider that TLS 1.0 is only used if an ancient browser connects. All newer browsers have dropped support of it for years, so it's really almost never used as browsers don't connect with it anyway. If you don't want to have it for compatibility reasons, drop it, but calling it a "major" risk is beyond reason.
Thanks for clarifying!
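The `server_pref -s` check used in this thread only shows what is configured, not what each service actually negotiates. The script below is an added example (not from the thread or from Plesk) that reads the configured list and probes a port with `openssl s_client`; the script name, host and ports are assumptions.

```shell
#!/bin/sh
# Added example. Host/port values in the usage line are assumptions.

# Read `server_pref -s` output on stdin; print the configured protocol list.
configured_protocols() {
    awk -F': *' '$1 == "ssl-protocols" { print $2 }'
}

# Print the protocols in list $1 that the thread wants disabled.
deprecated_in() {
    out=""
    for p in $1; do
        case "$p" in
            TLSv1|TLSv1.1) out="$out $p" ;;
        esac
    done
    echo "${out# }"
}

# Map a protocol name to the `openssl s_client` option that forces it.
s_client_flag() {
    case "$1" in
        TLSv1)   echo "-tls1" ;;
        TLSv1.1) echo "-tls1_1" ;;
        TLSv1.2) echo "-tls1_2" ;;
        *)       return 1 ;;
    esac
}

# Read s_client output on stdin; succeed only if a cipher was negotiated.
# A failed handshake prints "Cipher is (NONE)".
handshake_ok() {
    grep -q 'Cipher is [A-Za-z0-9]'
}

# Probe host:port ($1) once per protocol; extra arguments go to s_client,
# e.g. `-starttls smtp` for Postfix on port 25.
# "rejected" is also printed when the local openssl cannot speak the protocol.
probe() {
    target=$1; shift
    for proto in TLSv1 TLSv1.1 TLSv1.2; do
        flag=$(s_client_flag "$proto")
        if openssl s_client "$flag" -connect "$target" "$@" </dev/null 2>/dev/null | handshake_ok
        then echo "$target $proto accepted"
        else echo "$target $proto rejected"
        fi
    done
}

# Usage: sh tlscheck.sh localhost:443   or   sh tlscheck.sh localhost:25 -starttls smtp
if [ $# -ge 1 ]; then probe "$@"; fi
```

Run the probe from a machine whose OpenSSL still supports the old protocols; otherwise TLSv1 and TLSv1.1 show as rejected regardless of the server's configuration.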