Facebook
Twitter
Hi, what's ciphers suggest for use with http2? i see Security/Server Side TLS - MozillaWiki this list for Intermediate configurations.
For change it i edited ssl.conf file
For change it i edited ssl.conf file
-
If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
CentOS2Alma discussion
Resolved plesk http2 ciphers
- Thread starter nMLxTMJTZ
- Start date
Which ssl.conf file are we talking about? /etc/nginx/conf.d/ssl.conf? One possible correct entry on an up-to-date OS could be:
Code:
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;yes file /etc/nginx/conf.d/ssl.conf and i set this
Code:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSSIt is up to you which ciphers you enable and which not. Some ciphers may be needed for old browsers (compatibility issues), but some may be weak and should not be used. If you follow the article you have linked, it is your decision. You cannot only put ciphers into the file, they must be preceded by a directive "ssl_ciphers", and you should also include the protocol definition directive as shown in the example above.
There is no "best". It depends on what you want to achieve. If you want old browsers to work with your server, you will need to include weak cipher algorithms. If you want a very secure system, you only include the latest, strongest - at the price that some browsers won't be able to connect. I am pretty sure that example I posted above is a balanced solution.
U
UFHH01
Guest
Hi camaran,
Plesk offers quite a lot of CLI commands as well, where additional / optional settings can be configured WITHOUT the need of manual edits ( which are often overwritten by updates/upgrades/patches! ) in your configuration files.
Pls. read for example:
... where you are able to find as well the command:
The "sslmng" utility has several options, which you are as well able to list with the command:
Plesk offers quite a lot of CLI commands as well, where additional / optional settings can be configured WITHOUT the need of manual edits ( which are often overwritten by updates/upgrades/patches! ) in your configuration files.
Pls. read for example:
AND
... where you are able to find as well the command:
Code:
plesk sbin sslmng
Code:
plesk sbin sslmng --helpok if now use
i have errore -bash: !aNULL: event not found
Code:
plesk sbin sslmng --services=nginx --custom --ciphers="EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES" --protocols="TLSv1 TLSv1.1 TLSv1.2"
U
UFHH01
Guest
Hi camaran,
you are MIXING several ciphers suites recommendations now, which will lead to errors/issues/problems. Pls. stick to your preferred ciphers suites, which you choosed from
Edit:
Pls. see my previous eamples here: => #2 ( and note the difference usage ' instead of " )
you are MIXING several ciphers suites recommendations now, which will lead to errors/issues/problems. Pls. stick to your preferred ciphers suites, which you choosed from
"Intermediate" would be:
Code:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSSEdit:
Pls. see my previous eamples here: => #2 ( and note the difference usage ' instead of " )
Last edited by a moderator:
