@learning_curve
With respect to your statement
The present release of the Plesk Let's Encrypt Extension does offer the choice of RSA OR ECDSA with RSA being the default, whilst ECDSA requires a mod via panel.ini etc. So users do already have the choice as to which way they wish to proceed. Giving users a choice is a good thing (in our opinion) but in this case, you may disagree of course
I have to emphasize that I do not agree or disagree : the "freedom of choice" is valuable, but in every way this freedom should be limited to a range of settings that is always associated with some decent level of security - the minimum of the before mentioned range should be resulting in decent security for the entire Plesk instance.
Simply stated, Plesk (end-)users should only have the freedom allowed by a (secure) range that is configured by a well-seasoned sysadmin maintaining the Plesk instance.
In essence, the Plesk eco-environment allows any Plesk admin to set some security level with some mechanism - RSA or ECDSA.
In short, the Plesk eco-environment is
far away from allowing the valued "freedom of choice", given that
1 - for
Plesk admins, a choice
has to be made between
either RSA (default)
or ECDSA : a Plesk admin can use panel.ini - this is sufficient for selecting
one of both
2 - for
Plesk end-users, a choice
cannot be made between
either RSA (default)
or ECDSA Plesk (end-users) : no "switch" available through the Plesk Panel
and hence it is not a matter of agreeing or disagreeing : the current Plesk eco-environment is too limited with respect to certificate protocols (RSA/ECDSA) or security levels.
Given my response above, I can now easily respond to your statement
Working on what you have posted, would you support the Plesk mod that we have mentioned above, where BOTH RSA and ECDSA certificates could be provided and are then invoked via Plesk standard Templates? ..
by stating :
yes, please!
It will require a very simple set of adjustments in Plesk, amongst others being :
a) adding lines to the Nginx default config (as shipped with Plesk) - these lines can contain reference to ECDSA based certificates
b) adding config variables to panel.ini to set the
server-wide required security level - the Plesk admin can control
minimum security level, applying to both RSA as ECDSA
c) adding a "switch" box to Plesk Panel -
Plesk (end-)users can select the certificate of preference at a security level
greater then or equal to the server-wide security level
d) adding a
cipher suite that allows a sequence of ciphers that is aligned with both points b and c
and
please note that it does not make any sense to make the same adjustments on the Apache level - when talking about performance and security, one should stay away from the resource ineffective Apache and
simply let Nginx do the work : close external access to ports 7080 and 7081 (which are accessible by default) and add a low security level for SSL/TLS handshakes for any communication between Nginx and the (back-end) Apache server, in order to improve security and performance.
The latter note also makes clear why I had my (reasonable) doubts about any discussion with respect to "security" and "performance of security" - at this moment, it is often forgotten that we are talking about scenario's in which we have
either Apache
or Apache + Nginx, with both scenario's having the burden of the relatively ineffective Apache and the Nginx + Apache scenario also having the burden of open ports 7080 and 7081 : it
might make sense to (one the hand) improve security or (on the other hand) to improve performance of certificate related processes, but that would be the
wrong approach if security loopholes and resource inefficiency still remain in the Apache setup.
Hope that the above is some food for thought....... or just a blatant suggestion to Plesk Team to improve Plesk or the Plesk Let's Encrypt extension.
Regards...........