
Question: TLS versions and ciphers by Mozilla

mr-wolf

Silver Pleskian
Plesk Guru
I noticed this server-wide setting in Obsidian.

Manually I added:

cat /etc/nginx/conf.d/ssl.conf
Code:
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_stapling on;
ssl_stapling_verify on;

I assume this is its Plesk counterpart.
Is it?

Should I turn it on and then delete /etc/nginx/conf.d/ssl.conf?
I didn't just test it because I was afraid they would clash.
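An added offline check, not code from this thread or from Plesk: a POSIX sh audit that reads an nginx ssl.conf like the one posted above, flags the deprecated protocols and the 3DES suite it enables, notes static-RSA suites and the ssl_prefer_server_ciphers setting, and passes a constructed TLS 1.2+ variant. The sample files, their contents and the check rules are constructed for this example.

```shell
#!/bin/sh
# Offline audit of an nginx ssl.conf for legacy TLS settings.
# Constructed example for this thread, not Plesk's own tooling.
# Prints one finding per line; returns 1 if a legacy protocol or weak cipher is enabled.
audit_ssl_conf() {
    conf="$1"; rc=0
    # ssl_protocols: SSLv3, TLS 1.0 and TLS 1.1 are deprecated (RFC 7568, RFC 8996).
    for p in $(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$conf"); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "LEGACY PROTOCOL: $p"; rc=1 ;;
        esac
    done
    # ssl_ciphers: split the OpenSSL cipher string on ':' and inspect each entry.
    ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\(.*\);.*/\1/p' "$conf")
    old_ifs=$IFS; IFS=:
    for c in $ciphers; do
        case "$c" in
            !*) ;;                                  # exclusion such as !DSS, keep it
            *DES-CBC3*|*RC4*|*MD5*|*NULL*|*EXPORT*) echo "WEAK CIPHER: $c"; rc=1 ;;
            ECDHE-*|DHE-*) ;;                       # ephemeral key exchange, fine
            *) echo "NO FORWARD SECRECY: $c" ;;     # static RSA key exchange, informational
        esac
    done
    IFS=$old_ifs
    # Mozilla's intermediate profile sets ssl_prefer_server_ciphers off (mentioned in this thread).
    if grep -q '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]*on' "$conf"; then
        echo "NOTE: ssl_prefer_server_ciphers on"
    fi
    return $rc
}

write_sample_conf() {    # constructed: trimmed from the ssl.conf posted in this thread
    cat > "$1" <<'EOF'
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-DES-CBC3-SHA:AES128-SHA:!DSS;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
EOF
}
write_hardened_conf() {  # constructed: TLS 1.2+ with ephemeral-only suites
    cat > "$1" <<'EOF'
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.2 TLSv1.3;
EOF
}
sample=$(mktemp); write_sample_conf "$sample"
audit_ssl_conf "$sample" || echo "=> legacy settings present, see findings above"
rm -f "$sample"
```

Run it against a real /etc/nginx/conf.d/ssl.conf after any change to confirm the file Plesk writes matches the policy you intended.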
 
@mr-wolf If it's of any help (you may already know), you can define via the CLI both the SSL protocols and your own specific cipher choices as defaults in Plesk (which means they become part of any relevant ssl.conf files, including /etc/nginx/conf.d/ssl.conf). The Plesk page that gives the details is here: How to enable or disable TLS protocol versions in Plesk for Linux?

We've used this without any issues, although we chose not to support TLSv1.0 or TLSv1.1, so our own choices are different from yours, but they're taken directly from HERE at Mozilla. That page also explains the reason behind the choice of "ssl_prefer_server_ciphers off" as well, which again you probably know already, but others may not yet :)
 
My choices are relatively old choices as well. ;-)
They were the focus of my attention back then and haven't been for a while.
At a later date I will update them. Thanks.
 
It appears Obsidian only uses version 4 of Mozilla's implementations of TLS settings. Will there be a switch to version 5?
Or a choice to use version 5 instead?
 
It appears Obsidian only uses version 4 of Mozilla's implementations of TLS settings. Will there be a switch to version 5? Or a choice to use version 5 instead?
It doesn't really matter what ciphers or protocols are specified by default in Obsidian, because you can change the settings in all the ssl.conf files for apache, dovecot, nginx, postfix, proftpd, sw-cp-server etc. yourself, to suit the specification and level that you want. Where and how you change these settings is relevant if you want to avoid them being overwritten by Obsidian during a future upgrade though. You can edit all the ssl.conf files yourself, or you can apply server-wide settings (read THIS Plesk page; just add TLSv1.3 to those settings if you need that too), or you can choose from different Mozilla options within the Plesk SSL It! extension. It's best if you take a server admin approach before you start though, to ensure one option doesn't conflict with another and that you're aware of how to monitor and maintain your setting selections afterwards.
 
But aren't those files overwritten occasionally, when updates and such happen?

Also, can I use Plesk SSL It! together with the Let's Encrypt extension?
 
But aren't those files overwritten occasionally, when updates and such happen?
If you don't take a sys admin approach before you start, then yes, that's possible. Otherwise, no, it's avoidable.
Also, can I use Plesk SSL It! together with the Let's Encrypt extension?
Why not? We do, but see the previous comment... You're asking that question probably because you still need to do more detailed research before you finally decide what policy you will put into place on your own server. Measure three times / cut once, as all great joiners say!
 
What does "sys admin approach" mean, exactly?

I usually try to find my way through tutorials, and try to check server settings with ssllabs-test service.

Adding server rules to the apache/nginx settings per domain didn't always yield results.
And therefore I wonder if there is a central place to make adjustments to TLS handshake policies.

Like enabling cache, session resumption, 0-RTT and stuff like that, and letting Plesk apply those to the configs of the various services, if applicable.
 
What does "sys admin approach" mean, exactly?
It's just a phrase used in the replies above. Meaning... that if you operate with server administrator levels of experience, knowledge, processing and planning, then what you want to do will be much easier than best guessing ;) An example? Tutorials are handy, yes, but aren't always real life, and the ssllabs test service is just one of many different testing sites that can be used...
 