
[Resolved] How to disable TLS 1.0, TLS 1.1 and leave only TLS 1.2 activated

daanse

Regular Pleskian
Hi,

I have Debian 8.7, Plesk Onyx without Nginx and want to disable TLS 1.0, TLS 1.1 and leave only TLS 1.2 activated. Mainly to have more security regarding mail servers.
Would there be any disadvantages?

I searched a lot and can't find a smooth solution.
 
Code:
# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols: TLSv1 TLSv1.1 TLSv1.2

# /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2"

# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols: TLSv1.2

-ssl-protocols <protocols> Sets up SSL/TLS protocols to all services.
 
Hi @IgorG ,
thank you.

I also inserted this into "/etc/postfix/main.cf"

Code:
smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong
tls_preempt_cipherlist = yes
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
ran this code:
Code:
openssl gendh -out /etc/postfix/dh_512.pem -2 512
openssl gendh -out /etc/postfix/dh_2048.pem -2 2048
and reloaded Postfix

but it seems it is not recognizing the key pair.

Is there something I am missing?

Thank you for your help!
 
# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols: TLSv1 TLSv1.1 TLSv1.2

# /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2"

# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols: TLSv1.2


Can you please add the revert command, i.e. with all of TLSv1, TLSv1.1 and TLSv1.2 enabled?
Thanks
 
Can you please add the revert command, i.e. with all of TLSv1, TLSv1.1 and TLSv1.2 enabled?
Thanks
Hi,
I think you can find those settings with:
Code:
find /etc/apache2 -type f -name "*.conf" -exec grep --color -Hni "ciphers" {} \;
It will show the file where the ciphers and protocols are changed.
With
Code:
nano /etc/apache2/mods-available/ssl.conf
which should contain the changes, you can add TLSv1 TLSv1.1 TLSv1.2
again.
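 
As an added example, not code from this thread, from Plesk or from any poster: a small POSIX shell audit that checks, offline, the three places the thread touches for legacy TLS versions: the `ssl-protocols` line printed by `server_pref -s`, Apache's `SSLProtocol` directive (the thread points at `/etc/apache2/mods-available/ssl.conf`) and the Postfix parameter `smtpd_tls_mandatory_protocols` in `/etc/postfix/main.cf` (not shown in the thread). The function names, the `report` helper and every sample value are constructed; the parsing rules follow the documented Apache and Postfix syntax, including Postfix's `>=TLSv1.2` minimum-version form.

```shell
#!/bin/sh
# Added example, not code from the thread or from Plesk. Offline audit of
# the three places a legacy TLS version can still be enabled on a host like
# the one discussed: the Plesk-wide setting reported by
# "/usr/local/psa/bin/server_pref -s", Apache's SSLProtocol directive
# (e.g. in /etc/apache2/mods-available/ssl.conf) and Postfix's
# smtpd_tls_mandatory_protocols in /etc/postfix/main.cf.
# All sample values below are constructed.

# Versions we want gone. Append SSLv3 if your OpenSSL still builds it.
LEGACY="TLSv1 TLSv1.1"

# True (exit 0) when the server_pref output still lists a legacy version.
# Accepts the full "server_pref -s" output; only the ssl-protocols line counts.
plesk_allows_legacy_tls() {
    line=$(printf '%s\n' "$1" | grep -i 'ssl-protocols:' | tr -s '[:space:]' ' ' || :)
    for p in $LEGACY; do
        case " $line " in *" $p "*) return 0 ;; esac
    done
    return 1
}

# True when an Apache SSLProtocol value still permits a legacy version.
# Apache semantics: "all" switches every version on, "-X" removes X,
# "+X" or a bare "X" adds X.
apache_allows_legacy_tls() {
    all_on=0 enabled=" " disabled=" "
    for tok in $1; do
        case "$tok" in
            [Aa][Ll][Ll]) all_on=1 ;;
            -*) disabled="$disabled${tok#-} " ;;
            +*) enabled="$enabled${tok#+} " ;;
            *)  enabled="$enabled$tok " ;;
        esac
    done
    for p in $LEGACY; do
        case "$disabled" in *" $p "*) continue ;; esac
        if [ "$all_on" = 1 ]; then return 0; fi
        case "$enabled" in *" $p "*) return 0 ;; esac
    done
    return 1
}

# True when a Postfix smtpd_tls_mandatory_protocols value still permits a
# legacy version. Postfix accepts an exclusion list ("!SSLv2, !SSLv3"),
# an inclusion list ("TLSv1.2, TLSv1.3") or, from Postfix 3.6, a minimum
# version (">=TLSv1.2").
postfix_allows_legacy_tls() {
    value=$(printf '%s' "$1" | tr ',' ' ')
    case "$value" in
        *'>='*)
            for tok in $value; do
                case "$tok" in '>=TLSv1.2'|'>=TLSv1.3') return 1 ;; esac
            done
            return 0 ;;
        *'!'*)
            # exclusion list: anything not listed with "!" stays enabled
            for p in $LEGACY; do
                case " $value " in *" !$p "*) ;; *) return 0 ;; esac
            done
            return 1 ;;
        *)
            for p in $LEGACY; do
                case " $value " in *" $p "*) return 0 ;; esac
            done
            return 1 ;;
    esac
}

# Print one line per check; the exit status of the check drives the verdict.
report() {
    label=$1; shift
    if "$@"; then
        echo "$label: legacy TLS still enabled"
    else
        echo "$label: ok"
    fi
}

# Constructed samples mirroring the before/after state shown in the thread.
report "plesk (before)"   plesk_allows_legacy_tls "ssl-protocols: TLSv1 TLSv1.1 TLSv1.2"
report "plesk (after)"    plesk_allows_legacy_tls "ssl-protocols: TLSv1.2"
report "apache (before)"  apache_allows_legacy_tls "all -SSLv3"
report "apache (after)"   apache_allows_legacy_tls "all -SSLv3 -TLSv1 -TLSv1.1"
report "postfix (before)" postfix_allows_legacy_tls "!SSLv2, !SSLv3"
report "postfix (after)"  postfix_allows_legacy_tls ">=TLSv1.2"
```

On a real host, feed the functions live values instead of the samples, for example `plesk_allows_legacy_tls "$(/usr/local/psa/bin/server_pref -s)"` and the `SSLProtocol` value grepped out of the Apache configuration. A configuration audit only shows what is written on disk; after reloading the services, confirm what the daemons actually negotiate with `openssl s_client -connect host:port -tls1` and `-tls1_1` (where the local OpenSSL still offers those versions), which should now fail to handshake.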
 
# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols: TLSv1 TLSv1.1 TLSv1.2

# /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2"

# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols: TLSv1.2

Hi @IgorG . I am getting an error when running that command:

Code:
# /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2"
[2018-09-25 10:05:15] ERR [util_exec] proc_close() failed ['/usr/local/psa/admin/bin/sslmng' '--protocols' 'TLSv1.2'] with exit code [1]
sslmng failed: WARNING:Ignoring unsuppored protocol TLSv1.2
ERROR:No supported protocols supplied

More information:

Code:
# /usr/local/psa/bin/server_pref -s | grep ssl-protocols
ssl-protocols:    TLSv1 TLSv1.1 TLSv1.2

Code:
# plesk -v
Product version: 12.5.30 Update #76
    Update date: 2018/05/07 04:11
     Build date: 2016/06/08 10:00
     OS version: CentOS 5.11
       Revision: 344620
   Architecture: 64-bit
Wrapper version: 1.2

How to solve it and have only TLSv1.2 activated?
 
Note: TLSv1 can only be disabled for Apache versions equal to or higher than 2.2.23.
In this case, try to use

Code:
# plesk sbin sslmng --protocols="TLSv1.1 TLSv1.2"
 
This is not going to be possible for you. Based on your plesk -v output, you're running CentOS 5 which is based on an OpenSSL version which is incapable of TLS 1.1/1.2. You'll need to upgrade to a later version of the OS unless you want to risk overwriting the OS version of OpenSSL, but anything with a dependency on the old version may break, so could turn into a nightmare.
 
@IgorG

I have a question about that: for Plesk Obsidian, will the old TLS versions be automatically deactivated by an update in the future if they have expired or are no longer recommended?
 
@IgorG

I have a question about that: for Plesk Obsidian, will the old TLS versions be automatically deactivated by an update in the future if they have expired or are no longer recommended?
I have the same question. Why not disable the dangerous TLS versions 1.0 and 1.1 by default?
 
I have the same question. Why not disable the dangerous TLS versions 1.0 and 1.1 by default?
Agreed, this is 2021 and I was surprised to find out that Plesk didn't disable it by default. This is a major security risk that they didn't bother patching up. Makes you wonder what else they're overlooking, security wise...
 
... This is a major security risk ...
Oh come on, have you ever seen any successful attacks due to TLS 1.0 encryption? For decades, most websites have not used SSL at all, and attackers don't attack through SSL protocols anyway but simply attack endpoints. Calling TLS 1.0 a "major" risk is more than exaggeration. It is a very low profile, tiny risk - if at all. You also have to consider that TLS 1.0 is only used if an ancient browser connects. All newer browsers have dropped support of it for years, so it's really almost never used as browsers don't connect with it anyway. If you don't want to have it for compatibility reasons, drop it, but calling it a "major" risk is beyond reason.
 
Oh come on, have you ever seen any successful attacks due to TLS 1.0 encryption? For decades, most websites have not used SSL at all, and attackers don't attack through SSL protocols anyway but simply attack endpoints. Calling TLS 1.0 a "major" risk is more than exaggeration. It is a very low profile, tiny risk - if at all. You also have to consider that TLS 1.0 is only used if an ancient browser connects. All newer browsers have dropped support of it for years, so it's really almost never used as browsers don't connect with it anyway. If you don't want to have it for compatibility reasons, drop it, but calling it a "major" risk is beyond reason.
Thanks for clarifying!
 