
Question Recompile or update openssl for tls1.3

Dukemaster

Regular Pleskian
Hi at all,
three weeks ago openssl 1.1.1 was released. The older and actual 1.1.0 versions will be supported only until next year (one year).
Last weekend I reinitialized the server to Ubuntu 18.04.1 + Plesk 17.8.11 + OpenSSL 1.1.0g. (providers package sources)
In order to use TLS1.3 again I have to recompile OpenSSL with TLS1.3 support or to upgrade to 1.1.1.
Already tried to update openssl on Monday. Worked fine by this tutorial, in the end the installation I realized that it seemed to be usable, because of the wrong installation paths/directories related to Plesk's structure.
I suppose it must be similar to the installation of openssl draft18, described by @UFHH01 in his pagespeed tutorial:
Code:
cd /usr/share
git clone https://github.com/openssl/openssl.git
cd openssl
git checkout tls1.3-draft-18

./config shared enable-tls1_3 --prefix=/usr/share/openssl --openssldir=/usr/share/openssl -Wl,-rpath,'$(LIBRPATH)'

Can I use the same commands with which paths and what shall I replace (git checkout) tls1.3-draft-18?
Could someone help me to upgrade OpenSSL to 1.1.1, please.

I know Plesk will update OpenSSL as soon as possible by default, but I have to run my websites in present.
 
...Last weekend I reinitialized the server to Ubuntu 18.04.1 + Plesk 17.8.11 + OpenSSL 1.1.0g
That's the same as we have been running since late August and we're just as keen as you are to use TLSv1.3 but....
...In order to use TLS1.3 again I have to recompile OpenSSL with TLS1.3 support or to upgrade to 1.1.1. Already tried to update openssl on Monday. Worked fine by this tutorial, in the end the installation I realized that it seemed to be usable, because of the wrong installation paths/directories related to Plesk's structure
If you independently make this (admittedly very useful) change now, what will you do when Ubuntu releases TLSv1.3 / OpenSSL 1.1.1 support (they are normally quite fast with updates)? This will then be followed by support within Plesk 17.5.3 / 17.8.11 or, perhaps, only by switching to 17.9... Somebody from Plesk can probably tell us more. Maybe @IgorG

Plus, if you do independently make this change now and switch to TLSv1.3, your copy of Plesk itself will still be stuck at TLSv1.2 anyway. That's covered in THIS thread about the future TLSv1.3 upgrade of Plesk, which you've probably seen, but the link is to the last post by @IgorG, which shows that this change is well underway now... :)
Could someone help me to upgrade OpenSSL to 1.1.1, please
If you definitely do want to do it now, then without doubt @virtubox is the man to assist. Just look HERE
I know Plesk will update OpenSSL as soon as possible by default, but I have to run my websites in present.
Plesk cannot update OpenSSL for you. Only your OS provider (or you yourself, independently) can make this change
 

Hello @Dukemaster,

1) In fact, you do not need to install openssl 1.1.1 to be able to compile nginx with TLS v1.3 support. On all my servers, I only compile Nginx with the latest openssl release, but I do not upgrade the openssl package installed from the APT repository.

2) But to get TLS v1.3 working properly with Nginx, at the moment it requires patching openssl before compiling nginx. Here is the openssl-patch github repository I'm currently using in my script.

Here are the steps I follow:

Code:
# clone openssl repository
git clone https://github.com/openssl/openssl.git

# git checkout the latest stable release (1.1.1)
git -C ./openssl checkout OpenSSL_1_1_1

# clone openssl-patch repository
git clone https://github.com/hakasenyang/openssl-patch.git

# go in openssl directory and apply the patch
cd openssl
patch -p1 <../openssl-patch/openssl-equal-1.1.1_ciphers.patch

Then, when I compile Nginx, I add the following arguments to the ./configure command:
Code:
--with-openssl=/usr/local/src/openssl \
--with-openssl-opt=enable-tls1_3 \

When Nginx compilation is done, the last step is to update the Nginx cipher suite in /etc/nginx/conf.d/ssl.conf. Here is the configuration I use:
Code:
   ##
   # SSL Settings
   ##
   ssl_protocols TLSv1.2 TLSv1.3;
   ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AES128';
   ssl_prefer_server_ciphers on;
   ssl_session_cache shared:SSL:50m;
   ssl_session_timeout 1d;
   ssl_session_tickets off;
   ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
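
Added example, not part of the original post or of @virtubox's script: a check that reads `nginx -V` output and reports whether that binary was built (and is running) with OpenSSL 1.1.1 or later, which is what point 1 above relies on when the packaged openssl stays at 1.1.0g. The function names and both sample outputs are constructed for illustration.

```shell
# Decide from `nginx -V` output whether this nginx binary can negotiate TLSv1.3.

# OpenSSL version nginx was compiled against ("built with OpenSSL X ...").
nginx_built_openssl() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1
}

# Runtime library version; nginx prints it only when it differs from the build.
nginx_running_openssl() {
    printf '%s\n' "$1" | sed -n 's/.*(running with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1
}

# Succeeds when version $1 is at least 1.1.1, the first release with final TLS 1.3.
openssl_supports_tls13() (
    v=${1%%[a-z]*}                      # drop the letter suffix: 1.1.0g -> 1.1.0
    [ -n "$v" ] || exit 1
    IFS=.; set -- $v
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 1 ] && exit 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && exit 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && exit 0
    exit 1
)

# Prints "tls13-capable", "no-tls13" or "unknown", followed by the versions seen.
# Both the build-time and the runtime library must be new enough.
nginx_tls13_status() (
    built=$(nginx_built_openssl "$1")
    running=$(nginx_running_openssl "$1")
    [ -n "$built" ] || { echo "unknown"; exit 0; }
    if openssl_supports_tls13 "$built" && openssl_supports_tls13 "${running:-$built}"; then
        echo "tls13-capable built=$built running=${running:-$built}"
    else
        echo "no-tls13 built=$built running=${running:-$built}"
    fi
)

# Constructed sample: nginx compiled with --with-openssl against a 1.1.1 source tree.
SAMPLE_STATIC='nginx version: nginx/1.15.5
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments: --with-openssl=/usr/local/src/openssl --with-openssl-opt=enable-tls1_3'

# Constructed sample: distribution build linked against the packaged 1.1.0g library.
SAMPLE_DISTRO='nginx version: nginx/1.14.0
built with OpenSSL 1.1.0g  2 Nov 2017'

nginx_tls13_status "$SAMPLE_STATIC"
nginx_tls13_status "$SAMPLE_DISTRO"
```

On a live server, pass the real output with `nginx_tls13_status "$(nginx -V 2>&1)"`, since nginx writes its version banner to stderr.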
 
Thanks a lot @virtubox. You did a really good job with your script, help and docs!!!
I wanted to ask you this weekend according to openssl-nginx-pagespeed here in board. Great that you already joined this topic.
After I upgraded mariadb from 10.1 to 10.2 today and tweaked my.cnf, I want to install Redis first (now), then I will be ready for the nginx/openssl/pagespeed feature, which is the most tricky.
Question: Is your script ready and optimized for Ubuntu 18.04 with Plesk Onyx 17.8.11?
(I think so, but asking is the best anyway)

THANKS also for the detailed steps here in your posting, because
I already read lots of your documentation here in board. Very good that you also posted what has failed, but on the other side it hides a little the explicit successful install procedure. (The thread with @IgorG is 5 or 6 sites long).
 
Hello @Dukemaster, my script is working on Ubuntu 16.04 & 18.04 LTS, and with Plesk from v17.5.3 to v17.9.6.

About Redis, on Ubuntu 18.04 LTS, you can install the latest redis-server release from the chris-lea PPA:
Code:
sudo add-apt-repository ppa:chris-lea/redis-server
sudo apt-get update
sudo apt-get install redis-server -y
 
Further information @Dukemaster

FWIW Ubuntu released 18.10 Cosmic Cuttlefish yesterday - Ubuntu Release
Amongst many things, in there, is this note:

"...The Ubuntu kernel has been updated to the 4.18 based Linux kernel, our default toolchain has moved to gcc 8.2 with glibc 2.28, and we've also updated to openssl 1.1.1 and gnutls 3.6.4 with TLS1.3 support..."

All of these changes will be provided in the next point upgrade of Ubuntu 18.04 ;)
This will be 18.04.2, whose release date is February 2019

IF, the actions in the post made by @IgorG in this Other Thread happen on time, then by the end of February, Plesk users running Ubuntu 18.04 OS should :p also be running OpenSSL 1.1.1 c/w full TLS1.3 support in ALL areas of their servers

Ubuntu 18.04 Release Schedule.png
 
Sorry for my late answer, but I was in trouble the last two weeks.
THANKS a lot for the many detailed answers with great inspirations for the future.
Okay. Now winter time is rising with millions of people staying in the warm home with their computers waiting to be entertained by our work.
I also think it's better to wait now. I ran Pagespeed for so long and miss the incredible site speed for reaching South America with my sites.
But here we are, for only a few months I won't destroy my actual stable configuration with great PLESK - SOLID AS A ROCK on awesome Ubuntu 18.04.1
 