• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question TLS versions and ciphers by Mozilla

mr-wolf

Silver Pleskian
Plesk Guru
I noticed this server-wide setting in Obsidian.

Manually I added:

cat /etc/nginx/conf.d/ssl.conf
Code:
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_stapling on;
ssl_stapling_verify on;

I assume this is its Plesk counterpart.
Is it?

Should I turn it on and then delete /etc/nginx/conf.d/ssl.conf ???
I didn't just test it because I was afraid they would clash.
 
@mr-wolf If it's of any help (you may already know) but you can define via CLI, both SSL Protocols & your own specific Cipher choices as defaults in Plesk (which means they become part of any relevant SSL.conf files incl /etc/nginx/conf.d/ssl.conf). The Plesk Page that gives the details is here: How to enable or disable TLS protocol versions in Plesk for Linux?

We've used this without any issues, although we chose not to support TLSv1.0 or TLSv1.1 so our own choices are different than yours, but they're taken direct from HERE at Mozilla. That page also explains the reason behind the choice of "ssl_prefer_server_ciphers off" as well, which again, you probably know already but others may not, yet :)
 
My choices are relatively old choices as well. ;-)
They became the focus of my attention then and they haven't been for a while
At a later date I will update them. Thanks
 
It appears Obsidian only uses version 4 of Mozillas implementations of TLS settings. Will there be a switch to version 5?
Or a choice to use version 5 instead?
 
It appears Obsidian only uses version 4 of Mozillas implementations of TLS settings. Will there be a switch to version 5? Or a choice to use version 5 instead?
It doesn't really matter what ciphers or protocols are specified by default in Obsidian, because you can change the settings in all the ssl.conf files for apache, dovecot, nginx, postfix, proftpd, sw-cp-server etc etc yourself, to suit the specification and level that you want. Where and how you change these settings is relevent if you want to avoid them being overwritten by Obsidian duirng a future upgrade though. You can edit all the ssl.conf files yourself, or, you can apply serverwide settings (read THIS Plesk page. Just add TLSv1.3 to those settings if you need that too) or, you can choose from different Mozilla options within the Plesk SSL It! Extention. It's best if you take a server admin approach before you start though, to ensure one option doesn't conflict with another and, that you're aware of how to monitor and maintain your setting selections afterwards.
 
But aren't those files overwritten occasionally, when updates and such happen?

Also, can I use PLESK SLL it! together with the Let'sEncrypt extension ?
 
But aren't those files overwritten occasionally, when updates and such happen?
If you don't take a sys admin approach before you start, then yes, that's possible. Otherwise, no it's avoidable
Also, can I use PLESK SLL it! together with the Let'sEncrypt extension ?
Why not? We do, but see the previous comment... You're asking that question probably because you still need to do more detailed research before you finally decide what policy you will put into place on your own server. Measure three times / Cut once < as all great joiners say!
 
What does "sys admin approach" mean, exactly.

I usually try to find my way through tutorials, and try to check server settings with ssllabs-test service.

Adding server rules to the apache/nginx settings per domain didn't always yield results.
And therefore I wonder if there is a central place to make adjustments to TLS handshake policies.

Like enabling cache, session resumption, 0-rtt and stuff like that, and let PLESK manage to apply those to the configs of the various services, if applicable.
 
What does "sys admin approach" mean, exactly
It's just a phrase used in replies above. Meaning... that if you operate with server administrator levels of experience, knowledge, processing and planning, then what you want to do will be much easier than best guessing ;) An example? Tutorials are handy yes, but aren't always real life and ssllabs-test service is just one of many different testing sites than can be used...
 
Back
Top