• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx

  • We are developing a new feature in Plesk that will help you promote your websites or business on social media. We want to conduct a one-hour online UX test to present the prototype and collect feedback. If you are interested in the feature, please book a meeting via this link.
    Thank you in advance!
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Issue TLS1.2 Weak Cipher Suites SSL Labs

sall10

Basic Pleskian
Hello,

I have activated TLSv1.2 and TLSv1.3 on my Server. I use apache and nginx reverse proxy. I have followed this article to meet pci-dss compliance with Plesk Obisidian Version 18.0.27 on CentOS Linux 7.8.2003 (Core) Tune Plesk to Meet PCI DSS on Linux

Disabling weak SSL/TLS ciphers and protocols for the following Services:

plesk sbin pci_compliance_resolver --enable

- panel
- apache
- dovecot
- postfix
- proftpd

When I now check with SSL Labs, the Ciphers for TLSv1.3 are ok, but for TLSv1.2 are weak, please see screenshots.

I was asuming if running the pci_compliance_resolver for the services , that the Ciphers would be updated from weak to a secure level? Why Weak Ciphers for TLSv1.2 are still present on the server, how can I change this now, for all services ?

As I also use Nginx as Reverse Proxy, do I have to change there also something?

Thx
 

Attachments

  • 1.png
    1.png
    396.7 KB · Views: 32
  • 2.png
    2.png
    110.8 KB · Views: 27
Put the following in your NGINX section and you'll fix your PCI compliance issue and score an A+ on ssllabs:

Code:
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384';

Then add:
Code:
ssl_prefer_server_ciphers off;
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;

You can also pull additional data from Security/Server Side TLS - MozillaWiki and this Mozilla SSL Configuration Generator which generates ciphers based on your server config. However, the above works -- we use it :)
 
@Arashi

I tried yet with the SSLIT Extension to set Modern Cipher Suite, but found the following issues:

To be sure that just TLS1.2 and TLS1.3 Protocol i have done this: /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2 TLSv1.3"

Then I measured again with the Mozilla SSLIT Extension on SSLIT disabled!

1Protocols.JPG
2Cipher_Suites.JPG


Then i activated in SSLIT Modern and Enabled & Sync and activated.


3SSL_IT_Modern.JPG


After i measured again with SSLLabs and checked Clear Cache Option there:

Results where as you can see in the screenshot, Protocol TLSv1.3 is disabled, why is this?

Second for Protocol TLSv1.2 are still 2 weak Cipher Suites shown?


4After_Testing_Again_with_SSLLABS.JPG

Thx


Update: Turning off again the Function in SSLIT and recheck, still show, that TLSv1.3 is disabled.! I have to reissue again /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2 TLSv1.3" to have both Protocols are enabled !
 
Last edited:
Put the following in your NGINX section and you'll fix your PCI compliance issue and score an A+ on ssllabs:

Code:
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384';

Then add:
Code:
ssl_prefer_server_ciphers off;
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;

You can also pull additional data from Security/Server Side TLS - MozillaWiki and this Mozilla SSL Configuration Generator which generates ciphers based on your server config. However, the above works -- we use it :)


Hello Themew,

thanks for the Code, will try this, as i use Apache and Nginx Reverse Proxy, do i have to add your code just to additional Nginx directives ? :) Thx
 
Hello Themew,

thanks for the Code, will try this, as i use Apache and Nginx Reverse Proxy, do i have to add your code just to additional Nginx directives ? :) Thx

Yes. Add the code to the additional Nginx directives and you should be set. I don't use the SSLit extension so you may want to turn it off to avoid conflict. Our server is also set to use Nginx reverse proxy with Apache.
 
Yes. Add the code to the additional Nginx directives and you should be set. I don't use the SSLit extension so you may want to turn it off to avoid conflict. Our server is also set to use Nginx reverse proxy with Apache.


Thx, if SSLIT is deactivated, what is with the LetsEncrypt Certificates :)?
 
We don't use SSLit. Simply go to the domain you're working on, choose the SSL encryption icon and you can install and activate Lets Encrypt certs from there. You can also go under 'Server Settings' in the admin section and activate/choose to use those certs with the panel, email etc.
 
I have noticed that the default installation of Plesk came with tls v1 and tls v1.1 activated by default. In /etc/nginx/conf.d/ssl.conf, I deleted the text related to those TLS
so, now i have:
ssl_protocols TLSv1.2 TLSv1.3;

I guess that if we turn off ssl_prefer_server_ciphers, it should theoritically speed up the SSL handshake since the SSL cipher choice is performed by the client and not by the web server. So, we should save one round.

ssl_prefer_server_ciphers off;
 
Back
Top