• The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

TLS 1.2 only working in Plesk panel and not on domains

Status
Not open for further replies.
D

DylanJ

New Pleskian
I have a server which I am using for multiple clients. Some with SSL enabled, some without. I have added custom ngingx conf files for nginxDomainVirtualHost.php and nginxWebmailPartial.php in /usr/local/psa/admin/conf/templates/custom and modified the following lines to try and harden security:

Code: 
ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                 "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_prefer_server_ciphers   on;

After reconfiguring using
Code: 
/usr/local/psa/admin/bin/httpdmng --reconfigure-all
I check in /etc/nginx/plesk.conf.d/vhosts/<domain>.conf and the changes are shown correctly there but browsers and online tools such as https://www.ssllabs.com/ssltest/ still say that the sites are using 128 bit encryption and TLS 1.0.

The Plesk admin panel itself displays 256 bit encryption and TLS 1.2. Can anyone can shed any light on anything I've missed or should check? I've searched online for hours for a solution with no luck
 
Try to go to /etc/nginx/ and run

# openssl dhparam -out dhparam.pem 4096

Note, it will take a long time. After that add to your lines

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;

and then

# /usr/local/psa/admin/bin/httpdmng --reconfigure-all

I hope it will help.
 
Additionally ssl_ciphers and ssl_protocols should be updated in server/nginxVhosts.php as well. Also ssl_ciphers should have : as separator, and doesn't have a quotes, i.e:

ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
 
Bingo! Many thanks for your help, I'm now getting an 'A' on the SSL Server Test!
 
Last edited:
Status
Not open for further replies.

Similar threads

J
Issue DEBIAN 12 OPENSSL 3.0 DOVECOT does not allow login
Replies
1
Views
645
Yaroslav_T
Yaroslav_T
T
Issue SMTPD No Auth from IP Issue
Replies
2
Views
2K
Tessxr
T
J
Question Dovecot Error: auth-master: userdb list: User listing returned failure
Replies
2
Views
2K
Jadek
J
O
Question Nginx compile by Plesk and chipers
Replies
6
Views
2K
IgorG
IgorG
M
Question changed nginx ssl.conf
Replies
2
Views
1K
moswak
M
Back
Top