
[SOLVED] NGINX and HTTP/2 | How to Enable TLS 1.0, TLS 1.1 and TLS 1.2

Hi PriyanA,
Have you tried adding them in...


/etc/nginx/conf.d/ssl.conf
Code:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;

I hope it helps
Regards

Lloyd
 
@Lloyd_mcse Thank you!

My /etc/nginx/conf.d/ssl.conf

Code:
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;

When HTTP/2 is DISABLED, both the ciphers and ssl_protocols TLSv1 TLSv1.1 TLSv1.2; work fine!
 
Well, ssl_protocols and ciphers used to be defined in the templates, so what I did a while back was edit the templates for Nginx and add my own cipher suite, dhparam, ecdh curve etc., so perhaps that's why I'm not having the issue.
The template involved is...

/usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
copy to
/usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

And edit.
E.g. lines 33 to 51
PHP:
<?php if ($OPT['ssl']): ?>
    ssl_ecdh_curve              secp384r1;
    ssl_dhparam                 /etc/ssl/dhparams.pem;
<?php $sslCertificate = $VAR->server->sni && $VAR->domain->physicalHosting->sslCertificate ?
    $VAR->domain->physicalHosting->sslCertificate :
    $OPT['ipAddress']->sslCertificate; ?>
<?php   if ($sslCertificate->ce): ?>
    ssl_certificate             <?php echo $sslCertificate->ceFilePath ?>;
    ssl_certificate_key         <?php echo $sslCertificate->ceFilePath ?>;
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate      <?php echo $sslCertificate->caFilePath ?>;
<?php       endif ?>
    ssl_session_timeout                    5m;
    ssl_session_cache           shared:SSL:5m;
    ssl_prefer_server_ciphers              on;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                 EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;
<?php   endif ?>
<?php endif ?>

You'll get a warning about the custom template when enabling http2, but you can ignore that.
Let me know how you get on. Hopefully it will help.
Regards

Lloyd
 
Have you tried to enable the required TLS protocols with the sslmng command, like

#plesk sbin sslmng --services=nginx --custom --ciphers="EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20" --protocols="TLSv1 TLSv1.1 TLSv1.2"

after enabling HTTP/2? What are the results?
 
@IgorG,

Still didn't work. TLS1 and TLS1.1 are not active when HTTP/2 enabled.

I can see /etc/nginx/conf.d/ssl.conf file has changed.

Code:
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;

Disabling HTTP/2 immediately activates TLS1 and TLS1.1 along with TLS1.2, and /etc/nginx/conf.d/ssl.conf changes back to the content I posted previously.
 
ONLY TLS 1.2 is supported.
Must be a bug.
It is not a bug. It is strict adherence to the document RFC 7540 - https://tools.ietf.org/html/rfc7540#section-9.2
Implementations of HTTP/2 MUST use TLS version 1.2 or higher for HTTP/2 over TLS.
Actually it is a matter of compromise. If you want to support a wide range of browsers, you should not use the HTTP/2 feature. If you want to use this new feature, you will have to accept the fact that not absolutely all browsers will work with the HTTP/2 protocol.
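To see where the two ssl.conf variants posted in this thread stand against the RFC 7540 section 9.2 requirement quoted above, here is a small linter. It is an added example, not code from the thread, from Plesk or from sslmng. It parses the plain `name args;` directives the thread shows, keys HTTP/2 on a `listen ... http2;` directive (an assumption: the thread's ssl.conf fragments do not include the listen line, which lives in the vhost config), reports TLS 1.0/1.1 alongside http2, and reports which of the `!` exclusions carried by Lloyd's cipher string are missing when a broad selector such as `HIGH` is used. The sample configs are constructed from the fragments posted in the thread.

```python
import re

# RFC 7540 section 9.2: implementations MUST use TLS 1.2 or higher for HTTP/2 over TLS.
PRE_TLS12 = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Broad OpenSSL cipher selectors whose contents depend on the OpenSSL build.
BROAD_SELECTORS = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "COMPLEMENTOFDEFAULT"}
# Exclusions taken from the explicit cipher string posted earlier in the thread.
EXPECTED_EXCLUSIONS = ["!aNULL", "!eNULL", "!MD5", "!RC4", "!3DES", "!EXP"]

# One simple "name arg arg;" directive per line; skips comments and PHP template tags.
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+([^;#<]*?)\s*;", re.MULTILINE)


def parse_directives(text: str) -> dict:
    """Return {directive_name: [argument_list, ...]} for simple directives."""
    directives = {}
    for name, args in DIRECTIVE_RE.findall(text):
        directives.setdefault(name, []).append(args.split())
    return directives


def http2_enabled(directives: dict) -> bool:
    return any("http2" in args for args in directives.get("listen", []))


def enabled_protocols(directives: dict) -> set:
    return {p for args in directives.get("ssl_protocols", []) for p in args}


def cipher_tokens(directives: dict) -> list:
    return [t for args in directives.get("ssl_ciphers", []) for a in args for t in a.split(":")]


def lint(text: str) -> list:
    """Return a list of human-readable findings for an nginx TLS fragment."""
    d = parse_directives(text)
    findings = []
    protos = enabled_protocols(d)
    legacy = sorted(protos & PRE_TLS12)
    if legacy and http2_enabled(d):
        findings.append(
            "http2 listener with " + " ".join(legacy)
            + ": RFC 7540 section 9.2 requires TLS 1.2 or higher for HTTP/2 over TLS"
        )
    if not protos & {"TLSv1.2", "TLSv1.3"}:
        findings.append("ssl_protocols does not enable TLS 1.2 or TLS 1.3")
    tokens = cipher_tokens(d)
    if any(t in BROAD_SELECTORS for t in tokens):
        missing = [x for x in EXPECTED_EXCLUSIONS if x not in tokens]
        if missing:
            findings.append("broad cipher selector without explicit exclusions: " + " ".join(missing))
    uses_dhe = any(t.startswith(("EDH", "DHE", "kEDH")) or "+EDH" in t for t in tokens)
    if uses_dhe and "ssl_dhparam" not in d:
        findings.append("DHE/EDH ciphers selected but no ssl_dhparam configured")
    if d.get("ssl_prefer_server_ciphers", [["off"]])[0] != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    return findings


# Constructed from the ssl.conf fragments posted in this thread. The listen line
# is an assumption added here so the linter can tell whether HTTP/2 is enabled.
HTTP2_ON = """\
listen 443 ssl http2;
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;
"""

HTTP2_OFF = """\
listen 443 ssl;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;
"""

if __name__ == "__main__":
    for label, cfg in (("HTTP/2 on", HTTP2_ON), ("HTTP/2 off", HTTP2_OFF)):
        print(label)
        for finding in lint(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against a real fragment by passing the file contents to `lint()`. With HTTP/2 on, the only finding is the RFC 7540 conflict; with HTTP/2 off the same protocol list passes and only the `HIGH:` cipher string is flagged for its missing exclusions.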
 
On 12.5.30 Update #30 they have fixed this issue.

Not sure why @IgorG mentioned in a previous post that TLS 1 and TLS 1.1 cannot be enabled when HTTP/2 mode is enabled.
 