• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Resolved plesk http2 ciphers

Which ssl.conf file are we talking about? /etc/nginx/conf.d/ssl.conf? One possible correct entry on an up-to-date OS could be:
Code: 
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
 
yes file /etc/nginx/conf.d/ssl.conf and i set this

Code: 
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 
It is up to you which ciphers you enable and which not. Some ciphers may be needed for old browsers (compatibility issues), but some may be weak and should not be used. If you follow the article you have linked, it is your decision. You cannot only put ciphers into the file, they must be preceded by a directive "ssl_ciphers", and you should also include the protocol definition directive as shown in the example above.
 
There is no "best". It depends on what you want to achieve. If you want old browsers to work with your server, you will need to include weak cipher algorithms. If you want a very secure system, you only include the latest, strongest - at the price that some browsers won't be able to connect. I am pretty sure that example I posted above is a balanced solution.
 
Nginx must be reloaded or restarted after the change. I recommend to first run
# nginx -t
to ensure that all configuration files are correct before a reload or restart is done.
 
Hi camaran,

camaran said:
after i edited the file i must
nginx -s reload
or i must donw other action?
Click to expand...

Plesk offers quite a lot of CLI commands as well, where additional / optional settings can be configured WITHOUT the need of manual edits ( which are often overwritten by updates/upgrades/patches! ) in your configuration files.

Pls. read for example:


AND


... where you are able to find as well the command:
Code: 
plesk sbin sslmng
The "sslmng" utility has several options, which you are as well able to list with the command:
Code: 
plesk sbin sslmng --help
 
ok if now use
Code: 
plesk sbin sslmng --services=nginx --custom --ciphers="EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES" --protocols="TLSv1 TLSv1.1 TLSv1.2"
i have errore -bash: !aNULL: event not found
 
Hi camaran,

you are MIXING several ciphers suites recommendations now, which will lead to errors/issues/problems. Pls. stick to your preferred ciphers suites, which you choosed from


"Intermediate" would be:
Code: 
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

Edit:
Pls. see my previous eamples here: => #2 ( and note the difference usage ' instead of " )
 
Last edited by a moderator:
You must log in or register to reply here.

Similar threads

E
Resolved HTTP2 active... but not use by website
Replies
5
Views
1K
Erwan
E
Polli
Issue Getting DANE working
2
Replies
33
Views
3K
Polli
Polli
T
ISSUE - Nginx config generation failure and http2 directive implementation failure
Replies
14
Views
4K
Bitpalast
Bitpalast
B
Input How to use Multiple IP's for 1 Domain [IMPORTANT FEATURE THAT'S MISSING NATIVELY]
Replies
1
Views
4K
scsa20
scsa20
TimReeves
Issue drwebd now fails to start on Debian 12
Replies
7
Views
2K
TimReeves
TimReeves
Back
Top