Issue TLS/SSL configuration - DHE ciphers not working

Michal Bittner

New Pleskian
Hi,
we've updated our TLS/SSL configuration as follows (Apache with nginx):

plesk bin server_pref -u -ssl-protocols 'TLSv1.2 TLSv1.3'
/usr/local/psa/bin/server_pref -u -ssl-ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
After checking the site with the "SSL Labs" testing suite, we found out that all "DHE" ciphers are missing.

What's wrong?

Best regards
Michal
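As an added example (not the poster's or Plesk's code): a small POSIX shell script that pulls the DHE suites out of the cipher string from the post and tries each one against a server with openssl s_client, which is the quickest way to tell whether the server is actually refusing DHE or SSL Labs is just not listing it. The host and port are arguments you supply; nothing here points at the poster's server. One caveat worth checking on a Plesk box fronted by nginx: from nginx 1.11.0 onward, nginx offers no DHE suite at all unless ssl_dhparam is set, whatever ssl_ciphers says, whereas Apache's mod_ssl falls back to built-in DH parameters. The last function looks for that directive.

```shell
#!/bin/sh
# Added example, not from the original thread: split an OpenSSL-style cipher
# string into its DHE members and probe a live server for each of them.

# The cipher string from the post (TLS 1.2 suites only; TLS 1.3 suites are
# fixed by the library and not affected by this list).
CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'

# Print the members of a colon-separated cipher string that use finite-field
# DHE key exchange (OpenSSL names them DHE-*), one per line.
dhe_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | grep '^DHE-'
}

# Print the remaining (non-DHE) members, for comparison.
other_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^DHE-'
}

# Attempt a TLS 1.2 handshake offering exactly one suite. Returns 0 when the
# server accepts it, 1 otherwise. -servername matters on a host with many
# vhosts: without SNI you may be testing the default vhost's configuration.
probe_cipher() {
    host=$1; port=$2; cipher=$3
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -tls1_2 -cipher "$cipher" </dev/null 2>/dev/null)
    # s_client prints "Cipher is <NAME>" on success and "Cipher is (NONE)" on failure.
    printf '%s\n' "$out" | grep -q "Cipher is $cipher"
}

# Try every DHE suite in the list against host:port and report each result.
# Returns 1 if any DHE suite was refused.
check_dhe() {
    host=$1; port=${2:-443}; list=${3:-$CIPHERS}
    rc=0
    for c in $(dhe_ciphers "$list"); do
        if probe_cipher "$host" "$port" "$c"; then
            echo "OK       $c"
        else
            echo "REFUSED  $c"
            rc=1
        fi
    done
    return $rc
}

# Caveat check for nginx: without an ssl_dhparam directive, nginx (1.11.0 and
# later) has no DH group to use and silently drops every DHE suite.
# Argument: directory to search (default /etc/nginx).
nginx_has_dhparam() {
    grep -rqs '^[[:space:]]*ssl_dhparam' "${1:-/etc/nginx}"
}

# Usage: sh dhe_check.sh example.com [443]
if [ "$#" -ge 1 ]; then
    check_dhe "$@"
    nginx_has_dhparam || echo "note: no ssl_dhparam directive found under /etc/nginx; nginx will not offer DHE suites"
fi
```

If every DHE line comes back REFUSED while the ECDHE suites work, the server is not the problem you think it is: look for a missing DH parameter file on the nginx side (or a Plesk-managed ssl.conf that sets its own ssl_ciphers) before touching the cipher string again.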
I would like to know why you are not using the SSLIt! extension to get a guaranteed result on SSL Labs?

@IgorG : I need selected DHE ciphers for some backward compatibility with older devices. The SSLIt! extension is installed, but it doesn't resolve my issue. Furthermore, "TLS versions and ciphers by Mozilla" relies on an older version (4.0) and we want to use the Intermediate profile from version 5.0: https://statics.tls.security.mozilla.org/server-side-tls-conf-5.0.json
The questions are:
- Is it a bug in Plesk?
- Is there any way to configure it from Plesk without modifying Apache/nginx/other system config files?
Ciphers for Apache can be changed in the file /etc/httpd/conf.d/ssl.conf and for nginx in /etc/nginx/conf.d/ssl.conf
Try it and do not forget to restart the web server after changing them.
@Michal Bittner The following info may help you. @IgorG has probably forgotten more than we'll ever know about this in Plesk ;) so do follow his advice, but FWIW, some time ago we had quite a detailed and very helpful reply as part of an associated issue service ticket that we had raised with Plesk Support.

Here's the relevant part of that, for you: there are quite a few conf.ssl files that, if you modify them yourself, can be overwritten or might be affected during some of the Plesk upgrades, and it's not just those already mentioned. Not a finite list, sorry, but the ones relevant to us at that time included: apache / dovecot / nginx / postfix / proftpd / sw-cp-server.

So an ideal scenario would be to ensure that all of the ciphers you want are used by default in all of those conf.ssl files (during any Plesk upgrades), as opposed to editing all of the ssl.conf files yourself each time. This is possible with an additional CLI command, which is shown in the second part of the Plesk article How to enable or disable TLS protocol versions in Plesk for Linux? We've always used that and have never had an issue since.

We currently use the "...Intermediate from version 5.0" that you've posted above, which includes two DHE ciphers, as you know. No problems at Qualys with DHE recognition etc. and no problems after any Plesk upgrades. We do use the SSLIt! extension but NOT the "TLS versions and ciphers by Mozilla" section, as there's no need in our case :p