
Question TLS versions and ciphers by Mozilla

mr-wolf

Silver Pleskian
Plesk Guru
I noticed this server-wide setting in Obsidian.

Manually I added:

cat /etc/nginx/conf.d/ssl.conf
Code:
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_stapling on;
ssl_stapling_verify on;

I assume this is its Plesk counterpart.
Is it?

Should I turn it on and then delete /etc/nginx/conf.d/ssl.conf?
I didn't just test it because I was afraid they would clash.
 
@mr-wolf If it's of any help (you may already know this), you can define via CLI both SSL protocols and your own specific cipher choices as defaults in Plesk (which means they become part of any relevant ssl.conf files, incl. /etc/nginx/conf.d/ssl.conf). The Plesk page that gives the details is here: How to enable or disable TLS protocol versions in Plesk for Linux?

We've used this without any issues, although we chose not to support TLSv1.0 or TLSv1.1 so our own choices are different than yours, but they're taken direct from HERE at Mozilla. That page also explains the reason behind the choice of "ssl_prefer_server_ciphers off" as well, which again, you probably know already but others may not, yet :)
 
My choices are relatively old choices as well. ;-)
They became the focus of my attention then and they haven't been for a while.
At a later date I will update them. Thanks
 
It appears Obsidian only uses version 4 of Mozilla's implementations of TLS settings. Will there be a switch to version 5?
Or a choice to use version 5 instead?
 
It appears Obsidian only uses version 4 of Mozilla's implementations of TLS settings. Will there be a switch to version 5? Or a choice to use version 5 instead?
It doesn't really matter what ciphers or protocols are specified by default in Obsidian, because you can change the settings in all the ssl.conf files for apache, dovecot, nginx, postfix, proftpd, sw-cp-server etc etc yourself, to suit the specification and level that you want. Where and how you change these settings is relevant if you want to avoid them being overwritten by Obsidian during a future upgrade though. You can edit all the ssl.conf files yourself, or, you can apply serverwide settings (read THIS Plesk page. Just add TLSv1.3 to those settings if you need that too) or, you can choose from different Mozilla options within the Plesk SSL It! Extension. It's best if you take a server admin approach before you start though, to ensure one option doesn't conflict with another and, that you're aware of how to monitor and maintain your setting selections afterwards.
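As an added check (example code written for this thread, not taken from the posts above and not part of Plesk or the Mozilla generator), here is a small Python audit that parses the ssl_protocols / ssl_ciphers / ssl_prefer_server_ciphers directives from an nginx-syntax fragment such as the ssl.conf in the first post and reports what a server admin would want to know before deciding what to keep: legacy protocol versions, cipher suites without forward secrecy (no ECDHE/DHE key exchange), and 3DES/RC4-class primitives. The "hardened" fragment is constructed here as a TLSv1.2/TLSv1.3-only list in the spirit of the Mozilla guidance the replies refer to; the policy thresholds are this example's own, not Plesk's or Mozilla's, and only nginx-style `directive value;` syntax is parsed (the apache ssl.conf uses different directive names).

```python
"""Audit nginx-style TLS directives against a simple hardening policy.

Sample input: the ssl.conf posted in this thread (SAMPLE_CONF) and a
constructed hardened variant (HARDENED_CONF) for comparison.
"""

# Protocol versions this (example) policy treats as legacy.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings identifying weak or broken primitives in OpenSSL cipher names.
WEAK_MARKERS = ("DES-CBC3", "RC4", "MD5", "NULL", "EXPORT", "aNULL")

# Configuration as posted in the first post of the thread.
SAMPLE_CONF = """
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_stapling on;
ssl_stapling_verify on;
"""

# Constructed hardened variant: TLS 1.2/1.3 only, AEAD suites with forward secrecy.
HARDENED_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers off;  # let modern clients pick their best suite
"""


def parse_tls_directives(conf_text: str) -> dict:
    """Extract the TLS-relevant directives from an nginx-style fragment.

    Returns protocols, offered ciphers, excluded ('!') cipher tokens and the
    ssl_prefer_server_ciphers flag (None if the directive is absent).
    """
    result = {"protocols": [], "ciphers": [], "excluded": [], "prefer_server": None}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.endswith(";"):
            continue                             # not a complete directive
        name, _, value = line[:-1].strip().partition(" ")
        value = value.strip().strip("\"'")       # ssl_ciphers may be quoted
        if name == "ssl_protocols":
            result["protocols"] = value.split()
        elif name == "ssl_ciphers":
            for token in value.split(":"):
                token = token.strip()
                if not token:
                    continue
                bucket = "excluded" if token.startswith("!") else "ciphers"
                result[bucket].append(token.lstrip("!"))
        elif name == "ssl_prefer_server_ciphers":
            result["prefer_server"] = value.lower() == "on"
    return result


def audit(directives: dict) -> dict:
    """Apply the example policy and return categorised findings."""
    ciphers = directives["ciphers"]
    findings = {
        "legacy_protocols": [p for p in directives["protocols"] if p in LEGACY_PROTOCOLS],
        "missing_tls13": "TLSv1.3" not in directives["protocols"],
        # Suites whose key exchange is plain RSA give no forward secrecy.
        "no_forward_secrecy": [c for c in ciphers if not c.startswith(("ECDHE-", "DHE-"))],
        "weak_primitives": [c for c in ciphers if any(m in c for m in WEAK_MARKERS)],
        # Advisory only: the Mozilla intermediate profile sets this to off.
        "prefer_server_ciphers_on": directives["prefer_server"] is True,
    }
    findings["clean"] = not (
        findings["legacy_protocols"]
        or findings["no_forward_secrecy"]
        or findings["weak_primitives"]
    )
    return findings


def report(conf_text: str, label: str) -> dict:
    """Print a short human-readable summary and return the findings."""
    findings = audit(parse_tls_directives(conf_text))
    print(f"== {label}: {'OK' if findings['clean'] else 'needs attention'}")
    for key in ("legacy_protocols", "no_forward_secrecy", "weak_primitives"):
        if findings[key]:
            print(f"  {key}: {', '.join(findings[key])}")
    if findings["missing_tls13"]:
        print("  note: TLSv1.3 not enabled (needs OpenSSL 1.1.1+)")
    if findings["prefer_server_ciphers_on"]:
        print("  note: ssl_prefer_server_ciphers is on; Mozilla intermediate uses off")
    return findings


if __name__ == "__main__":
    report(SAMPLE_CONF, "posted ssl.conf")
    report(HARDENED_CONF, "hardened (constructed)")
```

Run it against the contents of each ssl.conf you plan to keep (for example `python3 tls_audit.py` after pasting the file's directives into SAMPLE_CONF, or wrap `report()` around `open(path).read()`); the output tells you whether the manual file and the server-wide Plesk defaults actually agree before you delete either one.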
 
But aren't those files overwritten occasionally, when updates and such happen?

Also, can I use Plesk SSL It! together with the Let's Encrypt extension?
 
But aren't those files overwritten occasionally, when updates and such happen?
If you don't take a sys admin approach before you start, then yes, that's possible. Otherwise, no it's avoidable
Also, can I use Plesk SSL It! together with the Let's Encrypt extension?
Why not? We do, but see the previous comment... You're asking that question probably because you still need to do more detailed research before you finally decide what policy you will put into place on your own server. Measure three times / Cut once < as all great joiners say!
 
What does "sys admin approach" mean, exactly?

I usually try to find my way through tutorials, and try to check server settings with ssllabs-test service.

Adding server rules to the apache/nginx settings per domain didn't always yield results.
And therefore I wonder if there is a central place to make adjustments to TLS handshake policies.

Like enabling cache, session resumption, 0-rtt and stuff like that, and let PLESK manage to apply those to the configs of the various services, if applicable.
 
What does "sys admin approach" mean, exactly?
It's just a phrase used in replies above. Meaning... that if you operate with server administrator levels of experience, knowledge, processing and planning, then what you want to do will be much easier than best guessing ;) An example? Tutorials are handy yes, but aren't always real life, and the ssllabs test service is just one of many different testing sites that can be used...
 