Resolved TLS 1.3 support

[nMLxTMJTZ]

Hi, TLS 1.3 is supported in plesk 17.5.3 and debian 8?

 

[UFHH01]

Hi camaran,

you might know that NGINX supports "TLS 1.3" since NGINX version "1.13", which brings us back to ask for YOUR current used NGINX version on your server.

If you use the current "sw-nginx" package on your server, instead of an own compiled NGINX version, you will currently see:

nginx -V

nginx version: nginx/1.11.10

In this case, the answer to your question is ( currently ): No.



... but IF you use your own compiled NGINX version ( >= 1.13 ), then the answer to your question is: Yes.

 

[nMLxTMJTZ]

and i only set

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; or here is a specific cipers also?

 

[UFHH01]

Hi camaran,

which cipher-list you use is totally up to you and an INDIVIDUAL choice. Just check your modifications with the inbuild NGINX check-config-test:

nginx -t

... and if you don't get any errors/issues/problems as output, you are fine and setup your configuration correctly.

 

[Dukemaster]

Hi @UFHH01
this thread is tagged as solved, but I have an additional questions which refers directly to TLS 1.3 support.
Yesterday, I added TLS1.3 in my ssl.conf in /etc/nginx/conf.d/ and changed the integer value to 4 in Firefox 56.0 64bit (about:config -> security_tls_version_max).
Then as usual nginx -t and service nginx restart.
But in Qualys there is no change, this might be correct for the reason that the function is handled as a draft.

Could it be possible that TLS 1.3 isn't officially supported? Or did I have forgotten to configure something else?
And as second question: How can I use it, if it's possible in general?
I use nginx 1.13.2 compiled with or for ngx_pagespeed.

Lots of greets

 

[UFHH01]

Hi Dukemaster,

Could it be possible that TLS 1.3 isn't officially supported?

Answer from the Qualys SSL Labs - site:

For TLS 1.3 tests, we currently support draft version 18.

It depends as well at your current used "openssl" package on your server, as only from "OpenSSL 1.1.1" version, the TLSv1.3 is supported.

As I know, that you use Ubuntu 16.04, could you provide the output of the commands:

openssl version

and

apt-cache show openssl

 

[virtubox]

Hi @UFHH01
this thread is tagged as solved, but I have an additional questions which refers directly to TLS 1.3 support.
Yesterday, I added TLS1.3 in my ssl.conf in /etc/nginx/conf.d/ and changed the integer value to 4 in Firefox 56.0 64bit (about:config -> security_tls_version_max).
Then as usual nginx -t and service nginx restart.
But in Qualys there is no change, this might be correct for the reason that the function is handled as a draft.

Could it be possible that TLS 1.3 isn't officially supported? Or did I have forgotten to configure something else?
And as second question: How can I use it, if it's possible in general?
I use nginx 1.13.2 compiled with or for ngx_pagespeed.

Lots of greets

To support TLS 1.3 with Nginx, it require to clone the github repository and to compile Nginx with this version.

For example, I compile nginx in /usr/src . So I clone the repository, then I set the release I want to use :

git clone https://github.com/openssl/openssl.git
cd openssl
git checkout tls1.3-draft-18

And when I configure nginx before the compilation, I add the following lines to enable TLS 1.3 support :

--with-openssl=/usr/src/openssl \
--with-openssl-opt=enable-tls1_3

Then, in my nginx configuration I can use :

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384';

 

[Dukemaster]

Thanks for your help @UFHH01 and @virtubox
@UFHH01 Thanks! Since AMP B.V. updated ngx_pagespeed to version 1.12.34.3-stable as stable few days ago, I also want to try to upgrade my ngx_pagespeed. This only as additional information which don't refer to this topic here, but to your real good tutorial compiling 1.13.2 nginx with brotli and ngx_pagespeed. But the decision to do it will depend also on openssl environment.
The output of my additional self-installed openssl version is:

root@server:~# openssl version
OpenSSL 1.0.2l  25 May 2017

and here is the system/Plesk openssl via apt_cache:

root@server:~# apt-cache show openssl
Package: openssl
Architecture: amd64
Version: 1.0.2g-1ubuntu4.8
Priority: standard
Section: utils
Origin: Ubuntu
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Debian OpenSSL Team <[email protected]>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 934
Depends: libc6 (>= 2.15), libssl1.0.0 (>= 1.0.2g)
Suggests: ca-certificates
Filename: pool/main/o/openssl/openssl_1.0.2g-1ubuntu4.8_amd64.deb
Size: 491720
MD5sum: ea3ad9b613c675a31xxxx
SHA1: 7eccd5cea88d4a117a1xxxxxx
SHA256: 3a1d993937d7fc05f65408exxxxx
Description-en: Secure Sockets Layer toolkit - cryptographic utility
 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It contains the general-purpose command line binary /usr/bin/openssl,
 useful for cryptographic operations such as:
  * creating RSA, DH, and DSA key parameters;
  * creating X.509 certificates, CSRs, and CRLs;
  * calculating message digests;
  * encrypting and decrypting with ciphers;
  * testing SSL/TLS clients and servers;
  * handling S/MIME signed or encrypted mail.
Description-md5: 9b6de2bb6e1d9016aeb0f00bcf6617bd
Task: standard, ubuntu-core, ubuntu-core, mythbuntu-frontend, mythbuntu-backend-slave, mythbuntu-backend-master, ubuntu-touch-core, ubuntu-touch, ubuntu-sdk-libs-tools, ubuntu-sdk
Supported: 5y

Package: openssl
Architecture: amd64
Version: 1.0.2g-1ubuntu4.6
Priority: standard
Section: utils
Origin: Ubuntu
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Debian OpenSSL Team <[email protected]>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 934
Depends: libc6 (>= 2.15), libssl1.0.0 (>= 1.0.2g)
Suggests: ca-certificates
Filename: pool/main/o/openssl/openssl_1.0.2g-1ubuntu4.6_amd64.deb
Size: 491668
MD5sum: 5a10ca1cfbd6ebad80264e2c2106c752
SHA1: 9ffe8c4291c09fd996a3afafdf85df8f5d9520ed
SHA256: 18f4d36f3e624be6ecfab385cd2e2fe4e5d7abc8030505dcacfa3ab243253cd1
Description-en: Secure Sockets Layer toolkit - cryptographic utility
 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It contains the general-purpose command line binary /usr/bin/openssl,
 useful for cryptographic operations such as:
  * creating RSA, DH, and DSA key parameters;
  * creating X.509 certificates, CSRs, and CRLs;
  * calculating message digests;
  * encrypting and decrypting with ciphers;
  * testing SSL/TLS clients and servers;
  * handling S/MIME signed or encrypted mail.
Description-md5: 9b6de2bb6e1d9016aeb0f00bcf6617bd
Task: standard, ubuntu-core, ubuntu-core, mythbuntu-frontend, mythbuntu-backend-slave, mythbuntu-backend-master, ubuntu-touch-core, ubuntu-touch, ubuntu-sdk-libs-tools, ubuntu-sdk
Supported: 5y

Package: openssl
Priority: standard
Section: utils
Installed-Size: 934
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Debian OpenSSL Team <[email protected]>
Architecture: amd64
Version: 1.0.2g-1ubuntu4
Depends: libc6 (>= 2.15), libssl1.0.0 (>= 1.0.2g)
Suggests: ca-certificates
Filename: pool/main/o/openssl/openssl_1.0.2g-1ubuntu4_amd64.deb
Size: 492190
MD5sum: 8280148dc2991da94be5810ad4d91552
SHA1: b5326f27aae83c303ff934121dede47d9fce7c76
SHA256: e897ffc8d84b0d436baca5dbd684a85146ffa78d3f2d15093779d3f5a8189690
Description-en: Secure Sockets Layer toolkit - cryptographic utility
 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It contains the general-purpose command line binary /usr/bin/openssl,
 useful for cryptographic operations such as:
  * creating RSA, DH, and DSA key parameters;
  * creating X.509 certificates, CSRs, and CRLs;
  * calculating message digests;
  * encrypting and decrypting with ciphers;
  * testing SSL/TLS clients and servers;
  * handling S/MIME signed or encrypted mail.
Description-md5: 9b6de2bb6e1d9016aeb0f00bcf6617bd
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
Supported: 5y
Task: standard, ubuntu-core, ubuntu-core, mythbuntu-frontend, mythbuntu-backend-slave, mythbuntu-backend-master, ubuntu-touch-core, ubuntu-touch, ubuntu-sdk-libs-tools, ubuntu-sdk
root@server:~#

@virtubox if I upgrade pagespeed tonight I have to recompile nginx again, perhaps also with a newer nginx version, (I just started to look around what is possible) perhaps not, I will also add the handler
--with-openssl-opt=enable-tls1_3. It looks like a good idea from first the look. Thanks for it.

 

[themew]

So now that TLS 1.3 has been approved, can we add it to our NGINX config in Plesk Onyx or do we have to wait for the new Onyx release?

 

[virtubox]

So now that TLS 1.3 has been approved, can we add it to our NGINX config in Plesk Onyx or do we have to wait for the new Onyx release?

Hello,
we have to wait for the next stable openssl release ; v1.1.1

 

[learning_curve]

So now that TLS 1.3 has been approved, can we add it to our NGINX config in Plesk Onyx or do we have to wait for the new Onyx release?

See the helpful reply ^^ from @virtubox ...At the time of posting this reply, we think Plesk Onyx 17.8.11 is still not yet at General Release status, so you if you're playing it safe, this upgrade path still isn't an option for fully applied TLSv1.3 status....yet. However, even when this upgrade is at General Release status, the elephant in the room for TLSv1.3 is ironically, Plesk itself aka sw-cp-server Unless this is also upgraded before Plesk Onyx 17.8.11 is made General Release, regardless of any of the other required changes (e.g. openssl) being applied, sw-cp-server will still not run at TLSv1.3 because of the old release of Nginx that it's complied on. Read this reply for more specific info on a separate thread.

 

[IgorG]

According to info Can I use... Support tables for HTML5, CSS3, etc some browsers don't support TLSv1.3 yet.
So, we don't see a rush to support of TLSv1.3 for sw-cp-server. We would expect more benefits from supporting it for clients' sites rather than for panel itself to speed up of SSL handshake process An Overview of TLS 1.3 - Faster and More Secure

 

[learning_curve]

Our view: Every time the question is asked, about a Plesk Panel / Product that supports TLSv1.3, it results in a vague, sort of noncommittal answer Every time! There are various arguments proffered along the lines of '..the Plesk Panel is secure enough already..." / "...we are focused on our client's web usage and data..." etc so it seems... that TLSv1.3 related end-user's feedback for whatever reason, is possibly just "...neatly filed away"?

TLSv1.3 via OpenSSL 1.1.1 HAS now been release (SEE HERE) and therefore, reasonably soon, OS providers will upgrade their packages accordingly. In some cases, quite quickly too, because they are already running OpenSSL 1.1.0.* and as THIS PAGE advises; "...OpenSSL 1.1.1 release will include support for TLSv1.3. The new release will be binary and API compatible with OpenSSL 1.1.0..."

The Can I use... data linked above, is a tiny bit misleading really, because most providers (including Plesk) have waited until TLSv1.3 via OpenSSL 1.1.1 was finally released, before dealing with the issue. Quite understandable, considering the mammoth number of draft versions released previously. We ourselves got involved early on (several modifications made to achieve TLSv1.3 via OpenSSL 1.1.1 at draft 18....) but then binned the idea and joined the "...wait until is was finally released" camp.

However, the Plesk Panel should NEVER be the weakest part in the chain on a server, which it will be, after OS and API upgrades are made, which support TLSv1.3 via OpenSSL 1.1.1. and, it therefore remains the only item that does NOT support it. TLSv1.3 isn't just about speed, it's also about security. If people are still using anything less than TLSv1.2 everywhere, then the subtlety of that point may be lost, but lots of providers binned TLSv1.1 (and all earlier releases) some time ago, specifically for security reasons. It won't be that long, before TLSv1.2 also becomes depreciated by these same providers...such is the might of progress. It will be interesting to watch cPanel's approach now that the TLSv1.3 via OpenSSL 1.1.1 release is "official" ...at last.

Ideally, fingers crossed and in a perfect world, Plesk WILL deal with this and release their upgraded evo-version of sw-cp-server reasonably soon c/w TLSv1.3 via OpenSSL 1.1.1. If they also upgrade Onyx 17.8.11 to having been compiled on Nginx 1.15.* (which will be Stable and not Mainline by then) well that's Nirvana Until then, is this thread really 'resolved' ????

 

[IgorG]

and release their upgraded evo-version of sw-cp-server reasonably soon c/w TLSv1.3

Just wait a bit. We definitely are going to release it. I suppose it may be till the end of this year.

 

[Rar9]

Any update on this tls v1.3 for standard plex nginx install?

 

[Dukemaster]

We get it with 17.9 in few weeks, I guess. We will use it together with ngx_pagespeed again for better speed and more security.
Great if Plesk will support the basics (OpenSSL 1.1.1). Then it's easy to compile nginx with pagespeed. We won't have to wait long....

 

[learning_curve]

Just wait a bit. We definitely are going to release it. I suppose it may be till the end of this year.

Well... the end of the year came and went.... and.... still no release or any official changes

Just so there's no confusion here, the above reply from @IgorG ^^ was in reference to TLSv1.3 being supported in sw-cp-server i.e. the Plesk Panel. It was NOT in reference to to TLSv1.3 being supported in all the packages managed by Plesk 17.0.17 / 17.5.3 / 17.8.11 / 17.9 ALL of which, are dependent on TLSv1.3 support, being officially released direct from their respective OS FIRST. Plesk can only be updated to provide support for all those packages managed by Plesk after the OS releases... Unless, people choose to run their own customization process (see here)

As we're currently on Ubuntu 18.04.01 LTS, we have a scheduled date for the official OS support of TLSv1.3 via the next point release, which is 18.04.2, whose release date is February 2019 (see here) By the time this is released (and it's very close now...) Plesk surely MUST be ready and prepared to release TLSv1.3 support for sw-cp-server i.e. the Plesk Panel, otherwise there's a massive inconsistencey / security difference between all the packages managed by Plesk and the Plesk Panel itself... That would be a pretty spectacular fail on many different levels.. It's worth remembering this one important current fact: TLSv1.3 which is the only version of TLS that currently has no known flaws or exploitable weaknesses.

In addition, although Plesk 17.8.11 had a recent update to running Nginx 1.14.1, because of bugs, Plesk MUST also be upgraded to Nginx 1.14.2, which is the current stable release (see here) in order for all this all to work correctly. Quite surprising that this hasn't been done yet by Plesk as a normal change update There are a number of urgent fixes, includung a TLSv1.3 issue, hence it's need, prior to all this working correctly when supporting TLSv1.3

This thread isn't really solved until all this work has been completed, but the OP's initial question has been answered so...