[SOLVED]NGINX and HTTP/2 | How to Enable TLS 1.0, TLS 1.1 and TLS 1.2

Hi PriyanA,
Have you tried adding them in...


/etc/nginx/conf.d/ssl.conf
Code:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;

I hope it helps
Regards

Lloyd
 
@Lloyd_mcse Thank you!

My /etc/nginx/conf.d/ssl.conf

Code:
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;

When HTTP/2 is DISABLED, both the ciphers and ssl_protocols TLSv1 TLSv1.1 TLSv1.2; work fine!
 
Well, ssl_protocols and ciphers used to be defined in the templates, so what I did a while back was edit the templates for Nginx and add my own cipher suite, dhparam, ECDH curve, etc., so perhaps that's why I'm not having the issue.
The template involved is...

/usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
copy to
/usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

And edit.
E.g. lines 33 to 51:
PHP:
<?php if ($OPT['ssl']): ?>
    ssl_ecdh_curve              secp384r1;
    ssl_dhparam                 /etc/ssl/dhparams.pem;
<?php $sslCertificate = $VAR->server->sni && $VAR->domain->physicalHosting->sslCertificate ?
    $VAR->domain->physicalHosting->sslCertificate :
    $OPT['ipAddress']->sslCertificate; ?>
<?php   if ($sslCertificate->ce): ?>
    ssl_certificate             <?php echo $sslCertificate->ceFilePath ?>;
    ssl_certificate_key         <?php echo $sslCertificate->ceFilePath ?>;
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate      <?php echo $sslCertificate->caFilePath ?>;
<?php       endif ?>
    ssl_session_timeout                    5m;
    ssl_session_cache           shared:SSL:5m;
    ssl_prefer_server_ciphers              on;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                 EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;
<?php   endif ?>
<?php endif ?>

You'll get a warning about the custom template when enabling http2, but you can ignore that.
Let me know how you get on. Hopefully it will help.
Regards

Lloyd
 
Have you tried to enable the required TLS protocols with the sslmng command, like

#plesk sbin sslmng --services=nginx --custom --ciphers="EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20" --protocols="TLSv1 TLSv1.1 TLSv1.2"

after enabling HTTP/2? What are the results?
 
@IgorG,

Still didn't work. TLS 1 and TLS 1.1 are not active when HTTP/2 is enabled.

I can see /etc/nginx/conf.d/ssl.conf file has changed.

Code:
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;

Disabling HTTP/2 immediately activates TLS 1 and TLS 1.1 along with TLS 1.2, and /etc/nginx/conf.d/ssl.conf changes back to the content I posted previously.
 
ONLY TLS 1.2 is supported.
Must be a bug.
It is not a bug. It is strict adherence to the document RFC 7540 - https://tools.ietf.org/html/rfc7540#section-9.2
Implementations of HTTP/2 MUST use TLS version 1.2 or higher for HTTP/2 over TLS.
Actually it is a matter of compromise. If you want to support a wide range of browsers, you should not use the HTTP/2 feature. If you want to use this new feature, you will have to accept the fact that not absolutely all browsers will work with the HTTP/2 protocol.
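To make the RFC 7540 point above checkable against a real ssl.conf, here is a small added audit script (my own example, not Plesk's or nginx's code). It parses the ssl_* directives from an nginx fragment modelled on the file posted in this thread, reports which listed protocol versions HTTP/2 will never be negotiated over (TLS 1.2 or higher is required), flags versions RFC 8996 deprecates, and checks that EDH/DHE cipher suites are backed by an ssl_dhparam directive. The sample config text is constructed here, and whether the server still accepts the older versions for HTTP/1.1 depends on the server build.

```python
import re

# Constructed sample modelled on the /etc/nginx/conf.d/ssl.conf posted in this thread.
SAMPLE_SSL_CONF = """\
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;
"""

# RFC 7540 section 9.2: HTTP/2 over TLS requires TLS 1.2 or higher.
HTTP2_OK = {"TLSv1.2", "TLSv1.3"}
# RFC 8996 deprecates TLS 1.0 and 1.1; SSLv2/SSLv3 were deprecated earlier.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# One nginx directive per line: name, arguments, terminating semicolon.
DIRECTIVE_RE = re.compile(r"^\s*(ssl_\w+)\s+([^;#]+);", re.MULTILINE)


def parse_ssl_directives(conf_text):
    """Return {directive: [args]} for every ssl_* directive in the fragment."""
    return {name: value.split() for name, value in DIRECTIVE_RE.findall(conf_text)}


def audit_ssl_protocols(conf_text, http2_enabled):
    """Classify the versions listed in ssl_protocols.

    no_http2   - listed versions over which HTTP/2 cannot be negotiated (RFC 7540);
                 clients stuck on them fall back to HTTP/1.1 at best.
    deprecated - listed versions that should not be offered at all (RFC 8996).
    """
    listed = set(parse_ssl_directives(conf_text).get("ssl_protocols", []))
    no_http2 = (listed - HTTP2_OK) if http2_enabled else set()
    return {
        "listed": sorted(listed),
        "no_http2": sorted(no_http2),
        "deprecated": sorted(listed & DEPRECATED),
    }


def missing_dhparam(conf_text):
    """True if ssl_ciphers enables EDH/DHE suites but no ssl_dhparam is configured."""
    directives = parse_ssl_directives(conf_text)
    suites = ":".join(directives.get("ssl_ciphers", [])).split(":")
    uses_dhe = any(s.startswith(("EDH", "DHE")) for s in suites)
    return uses_dhe and "ssl_dhparam" not in directives
```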
 
On update 12.5.30 Update #30 they have fixed this issue.

Not sure why @IgorG mentioned in the previous post that TLS 1 and TLS 1.1 cannot be enabled when HTTP/2 mode is enabled.
 