
Resolved SSLprotocols TLS

DieterWerner

Regular Pleskian
<IfModule mod_ssl.c>
#SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 (the default)
#SSLProtocol -TLSv1 -TLSv1.1 -TLSv1.2 +TLSv1.3 (Apache doesn't restart)
# (Apache restarts) - note: httpd does not accept a comment on the same line as a directive
SSLProtocol -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
</IfModule>

How can I enable TLSv1.3?
 
Check your OS. Before you can use TLSv1.3 your OS needs to provide an openssl version with TLSv1.3 support and also, all your applications (such as Apache) need to be compiled/linked to that openssl version with TLSv1.3 support.
 
Check your OS. Before you can use TLSv1.3 your OS needs to provide an openssl version with TLSv1.3 support and also, all your applications (such as Apache) need to be compiled/linked to that openssl version with TLSv1.3 support.
Thanks!
 
CentOS7
File: etc/httpd/conf.d/ssl.conf

<IfModule mod_ssl.c>
SSLProtocol -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
</IfModule>

# service httpd status
says:
AH00526: Syntax error on line 220 of /etc/httpd/conf.d/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.3'

Line 220 contains:
SSLCipherSuite HIGH:!aNULL:!MD5

What's going wrong?
 
Your OS does not support TLSv1.3. TLS 1.3 requires openssl 1.1.1 or higher and CentOS 7 has 1.0.2k
 
Your OS does not support TLSv1.3. TLS 1.3 requires openssl 1.1.1 or higher and CentOS 7 has 1.0.2k
Yes - you are right ...
but did you see TLSv1.3 here?

<IfModule mod_ssl.c>
SSLProtocol -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
</IfModule>
 
/usr/local/psa/bin/server_pref -u -ssl-protocols 'TLSv1.1 TLSv1.2'
works, but:
TLSv3 is still enabled (and causes errors in # service httpd status)
and:
TLSv1 is disabled but needed for 'drweb' and 'Plesk Premium Antivirus'
so TLSv1 must be enabled in /etc/sw-cp-server/conf.d/ssl.conf

I think that's not really handled well by Plesk.
 
@DieterWerner Other than CentOS 7 as OS, no details have been posted of what you're actually using (e.g. Plesk Version, OpenSSL Version which you may have customized etc) so this is just a guess and is more than likely, not, your specific issue, but, there's a bug related to TLSv1.3 always being enabled in Nginx 1.14.1. The issue is item 7 shown in THIS change log for Nginx 1.14.2

FWIW Plesk haven't upgraded 17.8.11 yet and yes... it's compiled with Nginx 1.14.1 o_O But, Plesk have upgraded 17.5.3 which is now compiled with Nginx 1.14.2
 
@DieterWerner Other than CentOS 7 as OS, no details have been posted of what you're actually using (e.g. Plesk Version, OpenSSL Version which you may have customized etc) so this is just a guess and is more than likely, not, your specific issue, but, there's a bug related to TLSv1.3 always being enabled in Nginx 1.14.1. The issue is item 7 shown in THIS change log for Nginx 1.14.2

OS version:
CentOS Linux release 7.6.1810 (Core)

openssl version:
OpenSSL 1.0.2k-fips

nginx version:
nginx/1.14.1

Plesk version:
17.8.11 Update #42


Do you really advise me to downgrade Plesk from v17.8.11 to v17.5.3? ;-)
 
@DieterWerner That's clearer. Okay so you've not recompiled Nginx yourself (or via another supplier) using OpenSSL 1.1.1 which means the Nginx 1.14.1 bug present in Plesk 17.8.11 is very, very, unlikely to be the issue, but it was worth checking.

NO is the answer to your question about downgrading to 17.5.3. As mentioned ^^ 17.8.11 / Nginx 1.14.1 is very, very, unlikely to be the cause of your issue, so it would be pointless. The Nginx link we posted explains why, pretty clearly in your case.

As @Monty correctly said in his earlier post, using the specific setup that you've posted, you are not, currently (and cannot anyway) run TLSv1.3. If we've read all your posts correctly, you initially added TLSv1.3 as an SSL Protocol within etc/httpd/conf.d/ssl.conf not realising or knowing this information, but, that action, then gave you the errors you've posted about. Plus, the errors have not been corrected after you removed TLSv1.3 as an SSL Protocol within etc/httpd/conf.d/ssl.conf. That's how it reads so far (we think?)

Assuming that's ^^ correct, then some initial basic questions:
a) Do you run # apachectl -t and receive a # Syntax OK after changing things and before restarting Apache each time ? We ask because that would normally have allowed you to see / correct any errors like these, beforehand.
b) Using your corrected, latest version of etc/httpd/conf.d/ssl.conf what happens if you run a) now? If you're just referred back to AH00526: Syntax error on line 220 of /etc/httpd/conf.d/ssl.conf: again, have you double-checked ALL the content of etc/httpd/conf.d/ssl.conf and ensured it's correct everywhere? Meaning; you've posted your SSLProtocols being within the <IfModule mod_ssl.c> section of the conf file, but they could also be in the main .conf body for example. Unlikely, if the line number is as you've posted, but again, worth double-checking.
c) Have you tried creating a fresh, new (100% correct) etc/httpd/conf.d/ssl.conf, replacing the current one (having taken a back up copy etc) and then running a)? What happens then?
d) After b) or c) have you re-booted your server, just to iron that slim possibility out too?

From the info you've posted so far, it appears to be nothing more than an initial misconfiguration via a typo in that conf file, so you should be able to correct it by backtracking / checking all the details / correcting it etc.

You've not mentioned that you made any TLSv1.3 related changes to Nginx (or indeed, that you're using Nginx as well as Apache) so at this point, we're assuming that you haven't and that you're not ;)
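Monty's point earlier (TLSv1.3 needs OpenSSL 1.1.1 or newer, and CentOS 7 ships 1.0.2k) and the checklist just above (run apachectl -t, then check every SSLProtocol directive in the whole conf tree, not only the block you edited) can be turned into one small audit script. The following is an added example, not code from this thread or from Plesk. It assumes `openssl version` prints a string of the form "OpenSSL <major>.<minor>.<patch><letter>[-suffix] ...", that Apache drop-in files end in .conf as in /etc/httpd/conf.d on CentOS 7, and it builds its own constructed sample config tree so it runs offline; only the last two checks touch the live host, and only if openssl and apachectl are installed.

```shell
#!/bin/sh
# Added example (not from the thread or from Plesk): can this host offer TLSv1.3
# at all, and where is SSLProtocol really set in the Apache config tree?
# Assumptions: `openssl version` output looks like "OpenSSL 1.0.2k-fips  26 Jan 2017"
# and Apache drop-in files end in .conf (CentOS 7: /etc/httpd/conf.d/*.conf).

# tls13_capable "<openssl version output>" -> prints yes, no or unknown.
# TLSv1.3 needs OpenSSL 1.1.1 or newer; CentOS 7's 1.0.2k cannot do it.
tls13_capable() {
    set -- $1                            # word-split: $1=OpenSSL, $2=1.0.2k-fips
    if [ "$1" != "OpenSSL" ] || [ -z "$2" ]; then echo unknown; return 0; fi
    ver=${2%%-*}                         # drop "-fips" style suffixes
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    if [ "$rest" = "$minor" ]; then      # no patch component at all, e.g. "3.0"
        patch=0
    else
        patch=$(printf '%s' "${rest#*.}" | tr -cd '0-9')   # "2k" -> "2"
    fi
    [ -n "$patch" ] || patch=0
    if [ $((major * 10000 + minor * 100 + patch)) -ge 10101 ]; then
        echo yes
    else
        echo no
    fi
}

# active_sslprotocol_lines <conf dir> -> "file:line:directive" for every
# SSLProtocol line that is NOT commented out, in every *.conf below the dir.
# This is the "is it set somewhere else?" check: the error in the thread named
# a line that did not contain the protocol the parser complained about.
active_sslprotocol_lines() {
    find "$1" -type f -name '*.conf' -exec \
        grep -n '^[[:space:]]*SSLProtocol[[:space:]]' /dev/null {} + | sort
}

# tls13_requested <conf dir> -> yes if any active directive turns TLSv1.3 on
# (a "+TLSv1.3" or a bare "TLSv1.3" token), no otherwise. "-TLSv1.3" does not count.
tls13_requested() {
    if active_sslprotocol_lines "$1" | grep -qE '(\+|[[:space:]])TLSv1\.3'; then
        echo yes
    else
        echo no
    fi
}

# build_demo_tree -> prints the path of a CONSTRUCTED config tree modelled on the
# thread's layout: a clean ssl.conf plus a second drop-in that still asks for
# TLSv1.3, the kind of leftover that is easy to miss when only ssl.conf is checked.
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d"
    cat > "$d/conf.d/ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
#SSLProtocol -TLSv1 -TLSv1.1 -TLSv1.2 +TLSv1.3
SSLProtocol -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
</IfModule>
EOF
    cat > "$d/conf.d/zz-custom.conf" <<'EOF'
# constructed leftover from an earlier experiment
    SSLProtocol -all +TLSv1.2 +TLSv1.3
EOF
    echo "$d"
}

main() {
    dir=$(build_demo_tree)
    for v in "OpenSSL 1.0.2k-fips  26 Jan 2017" "OpenSSL 1.1.1k  FIPS 25 Mar 2021"; do
        echo "$v -> tls13_capable: $(tls13_capable "$v")"
    done
    echo "Active SSLProtocol directives under $dir:"
    active_sslprotocol_lines "$dir"
    echo "TLSv1.3 requested in some .conf: $(tls13_requested "$dir")"
    # Live host checks, only when the tools exist.
    if command -v openssl >/dev/null 2>&1; then
        echo "This host: $(openssl version) -> tls13_capable: $(tls13_capable "$(openssl version)")"
    fi
    if command -v apachectl >/dev/null 2>&1; then
        apachectl -t || echo "apachectl -t failed: fix the config before restarting httpd"
    fi
    rm -rf "$dir"
}
main
```

Point `active_sslprotocol_lines` at /etc/httpd (or the directory your distribution uses) to see every live SSLProtocol directive with its file and line number; if `tls13_requested` says yes while `tls13_capable` says no for the host's OpenSSL, mod_ssl will reject the configuration exactly as the AH00526 message in this thread did.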
 
Yes, the errors have not been corrected after I removed TLSv1.3 as an SSL Protocol within etc/httpd/conf.d/ssl.conf
The error messages point to a line number that doesn't contain TLSv1.3 - so I think there must be another file (or something inside a cache) .
Yes, I double-checked ALL the content of etc/httpd/conf.d/ssl.conf
the <IfModule mod_ssl.c> section was the only one I changed (and changed back).

# apachectl -t
Syntax OK

Yes, I uploaded a fresh, new (100% correct) etc/httpd/conf.d/ssl.conf (the file I saved before I made changes)

Yes, I restarted Apache as well as the server (one after the other).

No, I didn't make any changes to nginx.
 
Wow! That's pretty challenging. Syntax OK but Status has errors... :(
You mentioned the possibility of this being in a cache somewhere, which kinda makes sense, but is beyond our Apache knowledge... If it is, still surprised that it has survived both an Apache re-start and a Server re-boot :confused:
The last couple of posts have made this a lot clearer now, so others may identify this sooner rather than later.
One last question: have you run a test on here: SSL Server Test (Powered by Qualys SSL Labs) and on here: SSL Security Test | High-Tech Bridge and did TLSv1.3 show as being active in the results?
 
So the 'error' as such, is having a very limited effect externally then, but it is still present somewhere, within your Apache setup. Hopefully, an Apache expert from within this forum may identify where...

That situation is much better than the Nginx related issue originally mentioned, which was captured HERE where someone had unwittingly, upgraded OpenSSL outside of the OS updates and the Nginx 1.14.1 related bug had only just been identified.

You could run TLSv1.3 if you really wanted to, but only IF... you updated Apache yourself (have a read of THIS post, but there are many alternatives now as well as this) and then Plesk, finally upgrade 17.8.11 to Nginx 1.14.2** which would cover you externally, but your Plesk Panel still couldn't run TLSv1.3 until that's upgraded too (by Plesk) because it's still compiled with a very old o_O Nginx release: # sw-cp-serverd -V nginx version: nginx/1.11.10 ~ and this can't run TLSv1.3 regardless.

Edit: ** After we posted the above, this was done today. Plesk 7.8.11 via upgrade #43 now uses Nginx 1.14.2 :)
 
I'm going crazy ...
Today # service httpd status doesn't show any errors.
I think the file
/bin/systemctl
was the bad boy because it hadn't been updated in time.
 