
TLS 1.2 only working in Plesk panel and not on domains

Status
Not open for further replies.

DylanJ

New Pleskian
I have a server which I am using for multiple clients. Some with SSL enabled, some without. I have added custom nginx conf files for nginxDomainVirtualHost.php and nginxWebmailPartial.php in /usr/local/psa/admin/conf/templates/custom and modified the following lines to try and harden security:

Code:
ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                 "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_prefer_server_ciphers   on;

After reconfiguring using
Code:
/usr/local/psa/admin/bin/httpdmng --reconfigure-all
I check in /etc/nginx/plesk.conf.d/vhosts/<domain>.conf and the changes are shown correctly there but browsers and online tools such as https://www.ssllabs.com/ssltest/ still say that the sites are using 128 bit encryption and TLS 1.0.

The Plesk admin panel itself displays 256 bit encryption and TLS 1.2. Can anyone shed any light on anything I've missed or should check? I've searched online for hours for a solution with no luck.
 
Try to go to /etc/nginx/ and run

# openssl dhparam -out dhparam.pem 4096

Note, it will take a long time. After that add to your lines

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;

and then

# /usr/local/psa/admin/bin/httpdmng --reconfigure-all

I hope it will help.
 
Additionally, ssl_ciphers and ssl_protocols should be updated in server/nginxVhosts.php as well. Also, ssl_ciphers should have : as a separator, and doesn't have quotes, i.e.:

ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
 
Bingo! Many thanks for your help, I'm now getting an 'A' on the SSL Server Test!
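An added example, not part of the original thread and not Plesk's own code: the fix above was to update ssl_protocols and ssl_ciphers in the server-wide template as well as the per-domain ones, so this Python script compares those two directives across generated nginx files and flags TLS 1.0/1.1 or RC4 left enabled. The file names and contents in SAMPLE are constructed, and the RC4 check looks at cipher-string tokens only (it does not expand them the way OpenSSL does).

```python
import re

# Constructed sample input: two generated nginx files. The per-domain vhost has
# hardened-looking settings; the server-wide file (hypothetical name) was missed.
SAMPLE = {
    "vhosts/example.test.conf": """
server {
    listen 203.0.113.10:443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+RC4:EECDH:RC4:!aNULL:!MD5;
}""",
    "server-wide.conf": """
server {
    listen 203.0.113.10:443 ssl default_server;
    # ssl_protocols TLSv1.2;
    ssl_protocols TLSv1;
    ssl_ciphers "HIGH !aNULL !MD5";
}""",
}

DIRECTIVE = re.compile(r"^[ \t]*(ssl_protocols|ssl_ciphers)\s+([^;]+);", re.M)

def directives(text):
    """Map each TLS directive in one file to its value (last occurrence wins)."""
    return {name: " ".join(value.replace('"', " ").split())
            for name, value in DIRECTIVE.findall(text)}

def rc4_enabled(cipher_string):
    """Token-level check; OpenSSL accepts ':', ',' or space as separators."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string) if t]
    added = any("RC4" in t and t[0] not in "!-" for t in tokens)
    return added and "!RC4" not in tokens

def audit(configs):
    """Return findings for directives that differ between files or enable legacy crypto."""
    parsed = {path: directives(text) for path, text in configs.items()}
    findings = []
    for name in ("ssl_protocols", "ssl_ciphers"):
        if len({d[name] for d in parsed.values() if name in d}) > 1:
            findings.append(f"{name} differs between files")
    for path, d in sorted(parsed.items()):
        legacy = [p for p in d.get("ssl_protocols", "").split() if p in ("SSLv3", "TLSv1", "TLSv1.1")]
        if legacy:
            findings.append(f"{path}: legacy protocols {' '.join(legacy)}")
        if rc4_enabled(d.get("ssl_ciphers", "")):
            findings.append(f"{path}: RC4 enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a real server, build the `configs` mapping from the files under /etc/nginx after running httpdmng --reconfigure-all, then confirm the result with an external scan.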
 