
[SOLVED] NGINX and HTTP/2 | How to Enable TLS 1.0, TLS 1.1 and TLS 1.2

Hi PriyanA,
Have you tried adding them in...


/etc/nginx/conf.d/ssl.conf
Code:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;

I hope it helps
Regards

Lloyd
 
@Lloyd_mcse Thank you!

My /etc/nginx/conf.d/ssl.conf

Code:
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;

When HTTP/2 is DISABLED, both the ciphers and ssl_protocols TLSv1 TLSv1.1 TLSv1.2; work fine!
 
Well, ssl_protocols and ciphers used to be defined in the templates, so what I did a while back was edit the templates for Nginx and add my own cipher suite, dhparam, ecdh curve etc., so perhaps that's why I'm not having the issue.
The template involved is...

/usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
copy to
/usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

And edit.
E.g. lines 33 to 51
PHP:
<?php if ($OPT['ssl']): ?>
    ssl_ecdh_curve              secp384r1;
    ssl_dhparam                 /etc/ssl/dhparams.pem;
<?php $sslCertificate = $VAR->server->sni && $VAR->domain->physicalHosting->sslCertificate ?
    $VAR->domain->physicalHosting->sslCertificate :
    $OPT['ipAddress']->sslCertificate; ?>
<?php   if ($sslCertificate->ce): ?>
    ssl_certificate             <?php echo $sslCertificate->ceFilePath ?>;
    ssl_certificate_key         <?php echo $sslCertificate->ceFilePath ?>;
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate      <?php echo $sslCertificate->caFilePath ?>;
<?php       endif ?>
    ssl_session_timeout                    5m;
    ssl_session_cache           shared:SSL:5m;
    ssl_prefer_server_ciphers              on;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;  
    ssl_ciphers                 EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;
<?php   endif ?>
<?php endif ?>

You'll get a warning about the custom template when enabling http2, but you can ignore that.
Let me know how you get on. Hopefully it will help.
Regards

Lloyd
 
Have you tried to enable the required TLS protocols with the sslmng command, like

# plesk sbin sslmng --services=nginx --custom --ciphers="EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20" --protocols="TLSv1 TLSv1.1 TLSv1.2"

after enabling HTTP/2? What are the results?
 
@IgorG,

Still didn't work. TLS1 and TLS1.1 are not active when HTTP/2 enabled.

I can see /etc/nginx/conf.d/ssl.conf file has changed.

Code:
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;

Disabling HTTP/2 immediately activates TLS1 and TLS1.1 along with TLS1.2, and the /etc/nginx/conf.d/ssl.conf file has changed to the /etc/nginx/conf.d/ssl.conf content I posted previously.
 
ONLY TLS 1.2 is supported.
Must be a bug.
It is not a bug. It is strict adherence to the document RFC 7540 - https://tools.ietf.org/html/rfc7540#section-9.2
Implementations of HTTP/2 MUST use TLS version 1.2 or higher for HTTP/2 over TLS.
Actually it is a matter of compromise. If you want to support a wide range of browsers, you should not use the HTTP/2 feature. If you want to use this new feature, you will have to accept the fact that absolutely all browsers will not work with this HTTP/2 protocol.
 
In update 12.5.30 Update #30 they have fixed this issue.

Not sure why @IgorG mentioned in the previous post that TLS 1 and TLS 1.1 cannot be enabled when HTTP/2 mode is enabled.
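
A small checker for the RFC 7540 section 9.2 point quoted in the thread (HTTP/2 over TLS requires TLS 1.2 or higher), added here as an example; it is not code from any poster or from Plesk. It handles single-line nginx directives only, and the sample config is constructed from the `ssl.conf` posted above plus a hypothetical vhost with `listen ... http2`.

```python
import re

# nginx ssl_protocols tokens, oldest first. HTTP/2 over TLS requires
# TLSv1.2 or higher (RFC 7540 section 9.2, quoted in the thread).
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
H2_MIN = ORDER.index("TLSv1.2")

# Constructed sample: the ssl.conf posted in the thread plus a hypothetical
# vhost (address and server_name are placeholders).
SAMPLE = """\
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # legacy versions still listed
ssl_prefer_server_ciphers on;
server {
    listen 192.0.2.10:443 ssl http2;
    server_name example.test;
}
"""

def directives(conf_text):
    """Yield (line_no, name, args) for single-line nginx directives."""
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]               # drop comments
        for stmt in re.split(r"[;{}]", line):     # statement/block delimiters
            words = stmt.split()
            if words:
                yield line_no, words[0], words[1:]

def audit(conf_text):
    """Collect the HTTP/2 switch and every ssl_protocols directive."""
    http2, found = False, []
    for line_no, name, args in directives(conf_text):
        if (name == "listen" and "http2" in args) or (name, args) == ("http2", ["on"]):
            http2 = True
        elif name == "ssl_protocols":
            below = [p for p in args if p in ORDER and ORDER.index(p) < H2_MIN]
            found.append({"line": line_no, "protocols": args, "below_h2_min": below})
    return {"http2": http2, "ssl_protocols": found}

def report(conf_text):
    """Messages for ssl_protocols lines listing versions HTTP/2 cannot use."""
    result = audit(conf_text)
    if not result["http2"]:
        return []
    return ["line %d: %s cannot carry HTTP/2 (minimum is TLSv1.2)"
            % (f["line"], ", ".join(f["below_h2_min"]))
            for f in result["ssl_protocols"] if f["below_h2_min"]]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "no conflicts found")
```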
 