Question OpenSSL 1.1.1 for TLS 1.3 on Plesk Obsidian (CloudLinux 7.7)... when?

[MicheleB]

Hello,
I'd like to know when will be available the last version of OpenSSL 1.1.1 on Plesk Obsidian (I've the old 1.0.2k-fips 26 Jan 2017 on my CloudLinux 7.7).

Now from 31th January all the websites hosted on the my cloud server are receiving on ssllabs.com a downgrade from "A+" to "B" because is missing the TLS 1.3 protocol.

I know that is possibile to activate TLS 1.3 also without opensssl 1.1.1 using "nginx only" but I need to have the Apache support:

Does Plesk support TLS 1.3 on Linux servers?

Applicable to: Plesk for Linux Question Does Plesk service (sw-cp-server) support the version 1.3 of the TLS protocol on Linux server? Answer The support of TLSv1.3 has been implemented in Ples...

support.plesk.com

Someone from Plesk Staff could give me more information about OpenSSL 1.1.1 which is required for TLSv1.3 for Apache?
Thanks.

 

[mizar]

Hello,

I know that is possibile to activate TLS 1.3 also without opensssl 1.1.1 using "nginx only" but I need to have the Apache support

It doesn't applicable only for "nginx only", but also should work in "nginx behind apache".

Someone from Plesk Staff could give me more information about OpenSSL 1.1.1 which is required for TLSv1.3 for Apache?

We are not provide own apache builds, but use provided by OS vendor. So you need to ask this question to CloudLinux.

Thanks,

 

[MicheleB]

It doesn't applicable only for "nginx only", but also should work in "nginx behind apache".

Ok, but if I read correctly the above yours article "Can TLS 1.3 be enabled in Plesk?", "nginx behind apache" is only possible with Ubuntu 18.04 and Debian 9 because are the only ones who have OpenSSL version 1.1.1... is it correct?

We are not provide own apache builds, but use provided by OS vendor. So you need to ask this question to CloudLinux.
Thanks,

I asked to CloudLinux but they said me is necessary to wait that RedHat updates it in their repositories for CentOS7 but they don't know when and if will happen.
Sometimes I curse the day I followed my hosting provider's advice to switch from Debian (free) to CloudLinux (payment)...

 

[mizar]

Hello,

Ok, but if I read correctly the above yours article "Can TLS 1.3 be enabled in Plesk?", "nginx behind apache" is only possible with Ubuntu 18.04 and Debian 9 because are the only ones who have OpenSSL version 1.1.1... is it correct?

Not exactly: in Plesk Obsidian, nginx for hosting compiled support TLS 1.3 on all supported oses since Aug 2019:

# plesk version
Product version: Plesk Obsidian 18.0.24.0
     OS version: CentOS 7.7.1908 x86_64
     Build date: 2020/02/07 23:00
       Revision: b3f863386a5e614fb2ea2c2cb5c4be91049d94a3
# nginx -V
nginx version: nginx/1.16.1
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled

but nginx for Plesk itself support TLS1.3 only on modern Oses (Debian9, Ubuntu18.04).

I asked to CloudLinux but they said me is necessary to wait that RedHat updates it in their repositories for CentOS7 but they don't know when and if will happen.
Sometimes I curse the day I followed my hosting provider's advice to switch from Debian (free) to CloudLinux (payment)...

It's sad, but even on Debian9 and Ubuntu18.04 Apache version is too low to have support of TLS1.3

 

[Brujo]

Now from 31th January all the websites hosted on the my cloud server are receiving on ssllabs.com a downgrade from "A+" to "B" because is missing the TLS 1.3 protocol.

afaik it is not of missing TLS1.3 insteed do to the fact that you have still TLS 1.0 & 1.1 enabled. So within enabled TLS 1.2 and the right chiper settings you will be fine for some time
please see: SSL Labs Grade Change for TLS 1.0 and TLS 1.1 Protocols | Qualys Blog

Update 1/31/2020: The grade change is now live on www.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade.

 

[Rar9]

any update for this topic to get a+ rating again?

If tsl1.0 is turned off for Plesk Obsidian 18.0.27 will this still affect Plesk Premium Antivirus?
If so what free alternative is there?

 

[2dareis2do]

It's sad, but even on Debian9 and Ubuntu18.04 Apache version is too low to have support of TLS1.3

I would like to use python 3 script (3.8 or later) that also has requirement for OpenSSL 1.1 or later. What are my options along side running plesk Version 18.0.59 Update #2, last updated on Mar 5, 2024 12:06 PM?

 

[2dareis2do]

Just to follow up on this the issue I was having is that python app expecting OpenSSL 1.1 to be installed. I was able to get around this by installing OpenSSL 1.1 e.g. yum install openssl11 openssl11-devel and then compile python to point at this version when compiling. I was then able to run python app without issue.

The way to get the correct flags passed to the compiler and linker is to set CFLAGS and LDFLAGS as environmental variables like so

export CFLAGS="$CFLAGS $(pkg-config --cflags openssl11)"
export LDFLAGS="$LDFLAGS $(pkg-config --libs openssl11)"

GNU make

GNU make

www.gnu.org

GNU make

GNU make

www.gnu.org

On CentOS, how do I build Python 3.9 from source while incorporating my openssl module?

I'm trying to build Python 3.9.1 with SSL support on CentOS 7. [myuser@server Python-3.9.1]$ which openssl /usr/local/bin/openssl [myuser@server Python-3.9.1]$ openssl version OpenSSL 1.1.1g 21 Ap...

stackoverflow.com

afaict, Plesk running on centos 7 still has dependency on OpenSSL 1.0.2