Question TLS 1.3 after Obsidian Upgrade

[Dukemaster]

Hi,
thanks again for the amazing PLESK Software !
Today I successfully performed the Upgrade over Plesk Update Panel.

Now, I realized that the new SSL configuration in Plesk panel is tricky.
I use ONLY NGINX webserver configuration! No nginx as proxy.
So I see that the etc/nginx/conf.d/ssl.conf changed in a very important step:
from
ssl_prefer_server_ciphers on;
to
ssl_prefer_server_ciphers off;
and this is always done by Plesk if I change the "new" SSL configuration in the subscription.
also the cipher suites are changed.

If I activate HSTS in subscription then I get double HSTS headers (SSLLabs).
So I disabled HSTS on subription level.

Please, do you know the configuration to use TLS 1.3 .
I get TLS 1.3 today by the following configuration, but PLESK changes the ssl.conf every time when someone changes the SSL configuration on subscription level over Plesk panel, for example only activating the main SSL option
"Securing website".

and how can I configure persistent SSL configuration in ssl.conf ?

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

Thanks

 

[learning_curve]

@Dukemaster You might get the answer that you need, if you post this quesion here: Important - Plesk Obsidian Releases

We are running TLSv1.3 on 17.8.11 and we have none of the problems that you've described above.

TLSv1.3 works well on our 17.8.11 setup with no problems so far. Some of the third party releases that are provided with 17.8.11 don't support TLSv1.3 though, only TLSv1.2 maximum, so it's not a 100% effective solution (unless you wish you upgrade all of those yourself...)

The Obsidian RTM release, in theory should rectify all these third party release shortfalls, as it uses later releases of them... Yes, we're looking forward to upgrading to Obsidian, like you have done already, but only when it's been formally released by Plesk and after that's reported back as going well for all new users. It shouldn't be too long before we know though as the official Plesk Obsidian RTM (Ready to Market) build is scheduled to be released tomorrow - September 25th!

You must be using an earlier ( Maybe RC4 18.0.18.1?) Obsidian build, so maybe the next RTM buld might fix those issues for you anyway? Certainly the Plesk people on that other thread ^^ will know for sure...

 

[learning_curve]

@Dukemaster One other thing... You can specify all of your own ciphers (which Plesk will then use in all of the replacement conf.ssl files). There's a Plesk page that covers that here: How to enable or disable TLS protocol versions in Plesk for Linux? Have a look at the "via command-line interface" part. That certainly works fine in 17.8.11 (well has done for us) but you'd need to doublecheck this for Obsidian, on that other thread, when you ask your other questions?

 

[Dukemaster]

Later today I activated TLS 1.3 in the panel.ini Editor.
There should be a solution, a little "How to" from PLESK.
Because I don't know what Plesk is configuring in the background.
I can confgure Nginx, the whole server, ssl.conf - but everything has to fit with Plesk together in the end.
In the moment Plesk overwrites some important configurations, but not everything.
Overwritten parts are the first 3
ssl_protocols, ssl_ciphers, ssl_prefer_server_ciphers

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20;
ssl_prefer_server_ciphers off;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:50m;
ssl_session_cache shared:ssl_session_cache:10m;
ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
ssl_dhparam /etc/dhparam/dhparam4096.pem;

 

[themew]

We used the following as a test, without Plesk, and were successful at activating TLS 1.3

ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384;

We also tried and used successfully:

ssl_ciphers TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES;

which also served TLS 1.3 and 1.2 using

ssl_prefer_server_ciphers off;
ssl_ecdh_curve X25519:secp521r1:secp384r1;

We're excited about going to Obsidian and using TLS 1.3 with Plesk as well. Let us know how you get on...

 

[Dukemaster]

It's easy to use TLS 1.3 now.
You have to edit ssl.conf and insert the two lines from your first example. restart nginx.
So cool. So fast.
Problem: It's not persistent.
If you synchronize the SLL It configuration or sychronize the subcription or something else related to webserver configuration over Plesk Panel, then all changes are reverted. Back to standard configuration.

Be careful to edit the server preference, because I read somewhere in Plesk docs that the whole security level is changed, also other changes are set to default. Would be nice if Plesk suport team gives more informations.

I wait and look around. Thanks for help.

 

[learning_curve]

We used the following as a test, without Plesk, and were successful at activating TLS 1.3

ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384;

We also tried and used successfully:

ssl_ciphers TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES;

which also served TLS 1.3 and 1.2 using

ssl_prefer_server_ciphers off;
ssl_ecdh_curve X25519:secp521r1:secp384r1;

We're excited about going to Obsidian and using TLS 1.3 with Plesk as well. Let us know how you get on...

Very helpful post @themew FWIW We use the specifc "Intermediate compatibility (recommended)" settings from THIS MOZILLA PAGE because TLSv1.2 support is still required in addition to TLSv1.3 probably for quite a while yet, as providers slowly switch over to TLSv1.3 etc This page also confirms the 'ssl_prefer_server_ciphers off' i.e. Cipher preference: client chooses which relates to all these chosen ciphers now being secure by default (as opposed to previous cipher choices)

It's easy to use TLS 1.3 now.
You have to edit ssl.conf and insert the two lines from your first example. restart nginx.So cool. So fast.
Problem: It's not persistent

We can't comment on Obsidian as we don't use it yet. We can only comment on Onyx 17.8.11 which we are using currently. Yes, we too have modifed ssl.conf files for ALL of these services: apache | dovecot | nginx | proftpd | sw-cp-server and a modified main.cf file for postfix. They all work perfectly well but postfix should be much better when using Obsidian due to the later postfix release (which does support TLSv1.3) being supported by Obsidian

If you synchronize the SLL It configuration or sychronize the subcription or something else related to webserver configuration over Plesk Panel, then all changes are reverted. Back to standard configuration

Having already used this Plesk utility: #plesk bin server_pref -u -ssl-protocols '**your TLSv choices**' and this Plesk utility: # plesk bin server_pref -u -ssl-ciphers "**your specific cipher choices**' beforehand, when Plesk re-generates a conf.ssl file, all of your chosen settings are applied to it. We don't use the Plesk SSL It! extension at all, so obvioulsy can't comment on this aspect and what the differences are.

Be careful to edit the server preference, because I read somewhere in Plesk docs that the whole security level is changed, also other changes are set to default. Would be nice if Plesk suport team gives more informations. I wait and look around. Thanks for help.

See above re server preferences (both work okay for us). Maybe worth a mention because you posted about it previously and we might be wrong but as far as we are aware, in 17.8.11, the '[webserver] ssl.protocols = ssl.ciphers =' directives within the /opt/psa/admin/conf/panel.ini file are only related to the plesk bin http2_pref utility. The SSL protocol version for the Plesk login page itself is configured in the /etc/sw-cp-server/conf.d/ssl.conf file, nowhere else. Obsidian may be very different of course, but Obsidian users will be able to confirm things like this very soon...

 

[thinkingcap]

The SSL It issue with doubled up HSTS headers is a bug - EXTSSLIT-462

Hi,
thanks again for the amazing PLESK Software !
Today I successfully performed the Upgrade over Plesk Update Panel.


Thanks