• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

[SOLVED]NGINX and HTTP/2 | How to Enable TLS 1.0, TLS 1.1 and TLS 1.2

Hi PriyanA,
Have you tried adding them in...


/etc/nginx/conf.d/ssl.conf
Code:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;

I hope it helps
Regards

Lloyd
 
@Lloyd_mcse Thank you!

My /etc/nginx/conf.d/ssl.conf

Code:
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;

When HTTP/2 is DISABLED, Both Ciphers and ssl_protocols TLSv1 TLSv1.1 TLSv1.2; works Fine!
 
Well, ssl_protocols and ciphers used to be defined in the templates so what I did a while back was edit the templates for Nginx and add my own cipher suite, dhparam, ecdh curve etc, so perhaps thats why I'm not having the issue.
The template involved is...

/usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
copy to
/usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

And edit.
Eg lines 33 to 51
PHP:
<?php if ($OPT['ssl']): ?>
    ssl_ecdh_curve              secp384r1;
    ssl_dhparam                 /etc/ssl/dhparams.pem;
<?php $sslCertificate = $VAR->server->sni && $VAR->domain->physicalHosting->sslCertificate ?
    $VAR->domain->physicalHosting->sslCertificate :
    $OPT['ipAddress']->sslCertificate; ?>
<?php   if ($sslCertificate->ce): ?>
    ssl_certificate             <?php echo $sslCertificate->ceFilePath ?>;
    ssl_certificate_key         <?php echo $sslCertificate->ceFilePath ?>;
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate      <?php echo $sslCertificate->caFilePath ?>;
<?php       endif ?>
    ssl_session_timeout                    5m;
    ssl_session_cache           shared:SSL:5m;
    ssl_prefer_server_ciphers              on;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;  
    ssl_ciphers                 EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;
<?php   endif ?>
<?php endif ?>

You'll get a warning about the custom template when enabling http2, but you can ignore that.
Let me know how you get on. Hopefully it will help.
Regards

Lloyd
 
Have you tried to enable required TLS protocols with sslmng command like

#plesk sbin sslmng --services=nginx --custom --ciphers="EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20" --protocols="TLSv1 TLSv1.1 TLSv1.2"

after enabling HTTP/2? What are the results?
 
@IgorG,

Still didn't work. TLS1 and TLS1.1 are not active when HTTP/2 enabled.

I can see /etc/nginx/conf.d/ssl.conf file has changed.

Code:
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;

Disabling HTTP/2 immediately activate TLS1 and TLS1.1 long with TLS1.2 and /etc/nginx/conf.d/ssl.conf and file has changed to previously my posted /etc/nginx/conf.d/ssl.conf content.
 
Last edited:
ONLY TLS 1.2 is supported.
Must be a bug.
It is not a bug. It is strict adherence to the document RFC 7540 - https://tools.ietf.org/html/rfc7540#section-9.2
Implementations of HTTP/2 MUST use TLS version 1.2 or higher for HTTP/2 over TLS.
Actually it is a matter of compromise. If you want to support a wide range of browsers - you should not use HTTP/2 feature. If you want to use this new feature, you will have to accept the fact that absolutely all browsers will not work with this HTTP/2 protocol.
 
on update 12.5.30 Update #30 They have fixed this issue.

Not Sure why @IgorG mention that TLS 1 and TLS 1.1 can not be enabled on HTTP/2 Mode enabled in previous post.
 
Last edited:
Back
Top