Resolved PPP-44542 >> Host-Domain:8443 TLSv1.2 Obsidian / Host-Domain:8443 TLSv1.3 Onyx 17.8.11

[learning_curve]

As per the thread title really... Our question is, why is this situation present in a new RTM Plesk release? Is it just because it's only at Early Adopter status curently? That would be fair and make sense @Anthony maybe you could advise on the reasons for this? An associated question would be; will sw-cp-server therefore be re-compliled and run TLSv1.3 by default before Obsidian is provided at General Release status? That would be nice to hear.

One of the things that Obsidian has been promoted for, is fully supporting TLSv1.3, which it now does, apart from... the actual Plesk panel itself! It does seem bizzare, that if we were to upgrade to Obsidian now, our Host-Domain:8443 would technically be less secure (TLSv1.2 v TLSv1.3) than it is now on Onyx 17.8.11?

FWIW We ran the Obsidian upgrade process, which did run very smoothly and with no problems for us. Once on Obsidian everything (on our specific setup anyway) appeared to work very well during the short time that we ran it. After running many varied checks & tests, we then reverted back to Onyx 17.8.11 via server snapshot. We can now work through the questions that were raised, but at a nice leisurely pace before we upgrade to Obsidian for real.

The OpenSSL version that the Obsidian nginx package has been compliled with is the reason for TLSv1.2 by default (we think!) but here are the two different sw-cp-server Nginx details for comparison: First is our current Onyx 17.8.11

Plesk Onyx Version 17.8.11 Update #68
~# sw-cp-serverd -V
nginx version: nginx/1.16.1
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments:
--prefix=/usr/share
--sbin-path=/usr/sbin/sw-cp-serverd
--conf-path=/etc/sw-cp-server/config
--error-log-path=/var/log/sw-cp-server/error_log
--http-log-path=/var/log/sw-cp-server/access.log
--lock-path=/var/lock/sw-cp-server.lock
--pid-path=/run/sw-cp-server.pid
--http-client-body-temp-path=/var/lib/sw-cp-server/body
--http-fastcgi-temp-path=/var/lib/sw-cp-server/fastcgi
--http-proxy-temp-path=/var/lib/sw-cp-server/proxy
--http-scgi-temp-path=/var/lib/sw-cp-server/scgi
--http-uwsgi-temp-path=/var/lib/sw-cp-server/uwsgi
--user=sw-cp-server --group=sw-cp-server
--with-ipv6
--with-file-aio
--with-http_ssl_module
--with-http_v2_module
--with-http_gzip_static_module
--with-http_auth_request_module
--add-module=/home/builder/buildbot/microupdate/PLESK_17_8/build/unix/plesk/packages/sw-cp-server/work/lua-nginx-module-0.10.13
--add-module=/home/builder/buildbot/microupdate/PLESK_17_8/build/unix/plesk/packages/sw-cp-server/work/ngx_devel_kit-0.3.0
~#

and here's the Obsidian upgrade (complete with an old OpenSSL version...)

Plesk Obsidian RTM 18.019.2

~# sw-cp-serverd -V
nginx version: nginx/1.16.1
built with OpenSSL 1.1.0g  2 Nov 2017 (running with OpenSSL 1.1.1  11 Sep 2018)
TLS SNI support enabled
configure arguments:
--prefix=/usr/share
--sbin-path=/usr/sbin/sw-cp-serverd
--conf-path=/etc/sw-cp-server/config
--error-log-path=/var/log/sw-cp-server/error_log
--http-log-path=/var/log/sw-cp-server/access.log
--lock-path=/var/lock/sw-cp-server.lock
--pid-path=/run/sw-cp-server.pid
--http-client-body-temp-path=/var/lib/sw-cp-server/body
--http-fastcgi-temp-path=/var/lib/sw-cp-server/fastcgi
--http-proxy-temp-path=/var/lib/sw-cp-server/proxy
--http-scgi-temp-path=/var/lib/sw-cp-server/scgi
--http-uwsgi-temp-path=/var/lib/sw-cp-server/uwsgi
--user=sw-cp-server --group=sw-cp-server
--with-file-aio
--with-http_ssl_module
--with-http_v2_module
--with-http_gzip_static_module
--with-http_auth_request_module
--add-module=ngx_devel_kit
--add-module=lua-nginx-module
~#

 

[learning_curve]

Threads like this one: Issue - MAJOR; clients exceed sub notification has other clients info are a lot more important, agreed. However, this one is security related too, although at present, it feels, a bit like the observation made by the child in the "Emperor's New Clothes" story... Hopefully an answer to both questions will be posted later today?

 

[mizar]

Hello,

Although we are not claim that we support TLS v 1.3 for sw-cp-server, this issue has been registered as PPP-44542, and planned to fix with nearest future. Thanks for reporting!

 

[learning_curve]

Hi @mizar Thanks for the reply. Good that it's been recognised as an issue (PPP-44542) although the "nearest future" is still a bit vague to be fair If the final Plesk decision is that PPP-44542 WILL be solved before the General Release of Obsidian at the very latest, then I'm pretty sure, that's what everyone intending to use Obsidian would really love to hear. Currently, it's enough of an issue to disuade people from upgrading to Obsidian, because it's definately a backward move from Onyx for anyone using an OS that already supports OpenSSL 1.1.1 However, some Plesk users wouldn't consider the upgrade to Obsidian until it has reached General Release status anyway so, the disuasion effect on the number of users, is probably smaller at this stage, than otherwise might be the case. Fingers crossed that PPP-44542 is solved in the very 'close' future

 

[learning_curve]

Just a few relevant footnotes on this particular subject, which doesn't seem to be one of Plesk's current "favourites"

First, this Plesk Page: Can TLS 1.3 be enabled in Plesk? which is a little mis-directional (maybe unintentional but...)

TLSv1.3 support was implemented in the Plesk Obsidian 18.0 version for customers’ websites that are served by nginx and accessed by HTTPS. And for Plesk interface's web server (sic)

well.... not quite... and then there's this section further down the page

Plesk Onyx does not support TLS version 1.3, and its support currently is not planned due to low demand and low amount of platform which supports this feature. At the moment, only Ubuntu 18.04, by default, has an OpenSSL version 1.1.1 which is required for TLSv1.3 (sic)

The "low amount of platform which supports this feature" (sic)? Many users unoficially upgraded their OS support anyway but RHEL Linux 8 officially supported it way back in May, whilst CentOS 8 and Debian Buster are both released and both officially support it... so perhaps... Plesk could... a) Correct and update that ^^ page b) Prioritise PPP-44542 in supporting TLSv1.3 on the Obsidian sw-cp-server well in advance of the 'General Release" official release date. Makes sense to us!

Meantime, if you run Plesk Onyx on Ubuntu 18.04 (as we do) and you've changed your SSL Protocols & Ciphers to suit, then it DOES suppport TLSv1.3 on both "...websites that are served by nginx and accessed by HTTPS. And for Plesk interface's web server (sic)" aka sw-cp-server. We currently use TLSv1.3 on both, everyday. Why not? It's completely up to date & great!

NB: For those that maybe unaware of the somewhat 'chequered history' of TLSv1.3 support on Plesk Onyx 17.8.11 / Ubuntu 18.04 plus the required SSL Protocols & Ciphers (off by default / on by default, due to combined Nginx and Plesk bugs / off by default again - bugs fixed / on by default again - due to the upgrade to Nginx 1.16.1) all whilst being 'unofffocally supported' / very limited correspondence etc You'll be glad this isn't going to happen again with Obsidian. Famous last words?

 

[Anthony]

@learning_curve

a) Correct and update that ^^ page b) Prioritise PPP-44542 in supporting TLSv1.3 on the Obsidian sw-cp-server well in advance of the 'General Release" official release date. Makes sense to us!

Thank you for the report. We will correct our KB article. We have plans to officially support TLS 1.3 for sw-cp-server in Obsidian, but for now, it's officially NOT supported in Obsidian nor in Onyx (not enabled by default).

RHEL Linux 8 officially supported it way back in May, whilst CentOS 8 and Debian Buster are both released and both officially support it

Plesk is not yet officially supports Centos 8/RHEL 8 and Debian Buster, but we are working on it. I agree that we need to support TLS 1.3 for sw-cp-server when mentioned OSes become available for installation with Obsidian. We have it in plans, just a bit of patience.

 

[learning_curve]

....but for now, it's officially NOT supported in Obsidian nor in Onyx (not enabled by default)

This update is much appreciated @Anthony we're sure many other Plesk users will agree

It's not important now, but for the record, If you were runinng Obuntu 18.04 LTS, already had the correct protocols and ciphers specified within all the relevant ssl.conf files and then you upgraded Plesk Onyx to release #66, TLSv1.3 was indeed, enabled 'by default' on both of the webservers as they were upgraded to nginx 1.16.1 at the same time. We fell into that category, so there was absolutely no complaints from us as we stated here. Other Plesk users' experiences and their setups will vary, so in those cases, you're right, 'by default' may not have applied.