
Question Ubuntu 18.04.2 with OpenSSL 1.1.1 / TLS 1.3

Dukemaster

Hi,
last week I made the point 2 upgrade of Ubuntu 18.04 LTS on server with Plesk 17.8.11.
I was excited about the long promised upgrade to OpenSSL 1.1.1 with TLS 1.3 support.
But Ubuntu 18.04 point 2 upgrade didn't change OpenSSL 1.1.0g version at all.
I read several docs from Canonical and other sources.
- Is it correct that we have to do it ourselves?
If so, I have a favor for some tips or a kind of tutorial.
- Or, Plesk is responsible for the implementation?
- Or, I have to compile it myself like two years ago (draft)?
 
:) You were quick off the mark there @Dukemaster The OFFICIAL Ubuntu release date for the 18.04.2 Point Upgrade is just today! (14/2/19).

With hindsight though, this is becoming slightly irrelevant anyway now, as the Plesk Panel (sw-cp-server) is behind schedule with their own release of TLSv1.3 support. Thinking logically, having one without the other (resulting in separate TLSv1.2 and TLSv1.3 areas on your setup) seems utterly pointless (to us) as it just points out the security weakness in your own specific setup for all to see... It seems that we must wait until Plesk finally release their own sw-cp-server upgrade complete with full TLSv1.3 support in order to do this job properly.

Re Your questions;
a) See following additional post
b) You can re-compile everything (including sw-cp-server - if you're feeling brave) yourself, or, upgrade your Ubuntu 18.04.* to 18.10 yourself, but this won't address the sw-cp-server issue, or you can run a great support package like this one: VirtuBox/nginx-ee from @virtubox (which then avoids recompiling everything yourself, but still won't address the sw-cp-server issue) or... you can do nothing now, until long term support for TLSv1.3 is provided via OS and Plesk, which is probably, what most people may well do?
 
Thanks @learning_curve for your interesting impressions and information.
What you wrote under a) has NOTHING to do with what I asked. My question was misunderstood or should have been asked in another more precise way from my side.
The correct answer is "Yes" as we can read in the thread in which Plesk 17.9 is introduced.
If we would decide to install Plesk 17.9 today, we'll immediately get the goal to use TLS 1.3 and OpenSSL 1.1.1 for webhosting.
But it's no opportunity for me since I reinstalled my OS only a few months ago
In general it's a real good idea that TLS 1.3 is also possible for Plesk Panel (sw-cp-server), no doubt, but also not for me.
I agree to all other points you wrote. :)
I got Ubuntu 18.04.2 end of last week, however, but some others in the world, too. It must have to do with big providers or big business which get updates a lil earlier to merge it with their OS and services. Like Plesk has also big providers which purchase over a thousand of licenses, they make other deals like usually, lol. I wondered about it but read that some people wrote it on Internet.

Lots of greets
.
 
The question a) answer as we see it, is a bit open ended :)

We haven't run the Ubuntu 18.04.1 > 18.04.2 upgrade at the time of us writing this post, mainly because Plesk normally release an upgrade or note, saying that these point upgrades etc are officially supported by them. So in this area, you're way ahead of us @Dukemaster :D

However, then there is the question related to the Ubuntu OpenSSL. In the OP, you posted
Hi, last week I made the point 2 upgrade of Ubuntu 18.04 LTS on server with Plesk 17.8.11. I was excited about the long promised upgrade to OpenSSL 1.1.1 with TLS 1.3 support. But Ubuntu 18.04 point 2 upgrade didn't change OpenSSL 1.1.0g version at all...
Then, later you posted
Which is where we may have misunderstood you earlier?

We've already discounted switching to Plesk 17.9 ourselves (see our previous post) but ignore that for a moment and let's say we hadn't. We still don't know or understand how Plesk 17.9 could / would run and provide TLSv1.3 on Ubuntu 18.04.2 ...IF... Ubuntu 18.04.2 is still only running OpenSSL 1.1.0g and not OpenSSL 1.1.1 <<<< This is what we meant when we said that the Ubuntu OS side is not a Plesk responsibility. Is that a clearer explanation?

Hopefully it is and that's why we then made various suggestions listing other possible options in answer b)
 
Finally, just when we thought it made sense :D In the 17.9 thread you posted a link for earlier, you posted
...Ubuntu 18.04.2 is supporting OpenSSL 1.1.1 / TLS 1.3 now. Or in other words, it would be also great to implement TLS 1.3 in 17.8.11
This is where it gets confusing again as this ^^ is the opposite to this:
But Ubuntu 18.04 point 2 upgrade didn't change OpenSSL 1.1.0g version at all
You currently are running Ubuntu 18.04.02 and we're not (at the time of making this post...) so you could quickly verify / double check which OpenSSL you do have on your server and post on here, but... regardless, we fully support your request for 17.8.11 to support TLSv1.3, assuming whichever OS people are running is officially supporting OpenSSL 1.1.1
 
:D Update. We've now run the Ubuntu LTS upgrade @Dukemaster so we've caught up with you. Our setup is now as follows:
Code:
# lsb_release -a
No LSB modules are available.
Distributor ID:    Ubuntu
Description:    Ubuntu 18.04.2 LTS
Release:    18.04
Codename:    bionic

# openssl version
OpenSSL 1.1.0g  2 Nov 2017
At this stage, all of our public/webside and the admin/pleskpanel side of our server run TLSv1.2 only, as this specific OS and Plesk Onyx 17.8.11 Update #40 do not provide or support OpenSSL 1.1.1 and TLSv1.3 - Yet o_O

FWIW If the sw-cp-server was upgraded and released by Plesk, we'd probably... upgrade Ubuntu 18.04.2 to Ubuntu 18.10, stay with Plesk 17.8.11 and run TLSv3 (1st priority) with TLSv2 (2nd priority) across all our server (assuming that Plesk does/will support Ubuntu 18.10).

You posted that the sw-cp-server update is not as important to you @Dukemaster so what will you do next?
 
Hi @learning_curve, like you wrote it's in a way interesting how Plesk will do it? But much more interesting, why Ubuntu 18.04.2 isn't delivered with OpenSSL 1.1.1?
But as we know from the thread we all loved so much (How to compile nginx...) there are funny ways to realize what we want to use.
Replacing or changing openSSL is a catchable option. Why not.
Thanks for your update. It's like chatting in real-time. I just started to write here. Yes, you know what I mean now. Congrats!
But waiting so long for this point 2 update and nothing changed makes me sad a little.

Additional:
 
Well, you could add the PPA of Ondrej Sury (DEB.SURY.ORG), as this will update the OpenSSL library on your Ubuntu to 1.1.1x

Code:
root@plesksrv:/etc/nginx# nginx -V
nginx version: nginx/1.14.1
built with OpenSSL 1.1.0j  20 Nov 2018 (running with OpenSSL 1.1.1a  20 Nov 2018)
TLS SNI support enabled
configure arguments: --prefix=/usr/share --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --modules-path=/usr/share/nginx/modules --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --user=nginx --group=nginx --with-ipv6 --with-file-aio --with-http_v2_module --with-compat --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_dav_module --with-http_gzip_static_module --with-http_stub_status_module --add-dynamic-module=/usr/share/passenger/ngx_http_passenger_module


If Plesk really starts to support TLS 1.3 with v17.9, I assume they will ship their own openssl library alongside nginx and no longer rely on the one of your operating system.
That would also be the reason, why TLS 1.3 is supported only by nginx and not apache2. (as the apache2 packages do not come from plesk but your OS)
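
An added example, not part of any post in this thread: a small shell check for the "built with ... (running with ...)" line shown in the `nginx -V` output above, reporting which OpenSSL nginx was compiled against, which one it loads at run time, and whether that runtime library is 1.1.1 or newer (the release that introduced TLS 1.3). The function names are hypothetical and the sample input is constructed from the first three lines of the output quoted above.

```shell
#!/bin/sh
# Constructed sample: first three lines of the `nginx -V` output quoted above.
SAMPLE_NGINX_V='nginx version: nginx/1.14.1
built with OpenSSL 1.1.0j  20 Nov 2018 (running with OpenSSL 1.1.1a  20 Nov 2018)
TLS SNI support enabled'

# Print the OpenSSL version nginx was compiled against.
nginx_built_openssl() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'
}

# Print the OpenSSL version nginx loads at run time. When the line has no
# "(running with ...)" part, build and runtime versions are the same.
nginx_running_openssl() {
    run=$(printf '%s\n' "$1" | sed -n 's/^built with .*(running with OpenSSL \([^ ]*\).*/\1/p')
    [ -n "$run" ] || run=$(nginx_built_openssl "$1")
    printf '%s\n' "$run"
}

# Succeed when a version string is 1.1.1 or newer (TLS 1.3 arrived in 1.1.1).
openssl_has_tls13() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # 1.1.1a -> 1.1.1
    oldIFS=$IFS; IFS=.; set -- $ver; IFS=$oldIFS
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# One-line summary for a given `nginx -V` output.
tls13_report() {
    built=$(nginx_built_openssl "$1"); run=$(nginx_running_openssl "$1")
    if openssl_has_tls13 "$run"; then state="runtime library can offer TLSv1.3"
    else state="runtime library is TLSv1.2 at most"; fi
    printf 'built=%s running=%s: %s\n' "$built" "$run" "$state"
}

# On a live server: tls13_report "$(nginx -V 2>&1)"
tls13_report "$SAMPLE_NGINX_V"
```

The check only compares library versions; whether a given service actually negotiates TLS 1.3 still has to be confirmed against the running listener.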
 
Well, you could add the PPA of Ondrej Sury (DEB.SURY.ORG), as this will update the OpenSSL library on your Ubuntu to 1.1.1x ~
You could add this to the answer to question b) in Post2 above for those who are looking for options
If Plesk really starts to support TLS 1.3 with v17.9, I assume they will ship their own openssl library alongside nginx and no longer rely on the one of your operating system. That would also be the reason, why TLS 1.3 is supported only by nginx and not apache2. (as the apache2 packages do not come from plesk but your OS)
Well that's one for Plesk to answer, but ignoring Plesk's sw-cp-server (Plesk Panel etc) as yes, they can / will definitely release that themselves, but on the public/webside, both Nginx (since 1.13.*) AND Apache2 (since 2.4.36) DO support OpenSSL 1.1.1 and TLSv1.3, so it might be an unusual move for Plesk to make their own release, as their normal process is to support official OS releases, which does make sense - if you're patient ;)
 
no doubt it would be unusual, but when I read:
Added the support for TLSv1.3 (enabled by default) for customers' websites that are served by nginx and accessed by HTTPS
I'd expect that this would then work on all Plesk installations out of the box, and not that I have to wait another year or two till I can upgrade my OS to a version that has OpenSSL 1.1.1 builtin.
(and currently none of the supported OS by Plesk ship with OpenSSL 1.1.1 - at least as far as I know)
 
Hugs to all of you. Here we are. My thoughts n hopes are the same. As we know, Plesk is always good for a surprise by finding a way to satisfy their customers.
It became obvious when I saw that OpenSSL is already possible with Plesk 17.9, if you rebuild the operating system. They already have gone their own way.
 
...I'd expect that this would then work on all Plesk installations out of the box...
As much as we agree with this sounding very appealing, the "one product fits all" method hasn't worked for most suppliers previously because there are lots of variables in all the individual setups ;) Plesk 17.9.* is still only at preview stage. Once officially launched, unless you choose the early adopter option, it will still be quite some time before this was a real, valid useable option (and that's assuming that the no mention of Apache2, doesn't cause issues for people who don't use Nginx)
...not that I have to wait another year or two till I can upgrade my OS to a version that has OpenSSL 1.1.1 builtin (and currently none of the supported OS by Plesk ship with OpenSSL 1.1.1 - at least as far as I know)
Yes that's pretty frustrating, as already mentioned, especially if you're using Ubuntu 18.04 LTS as an OS :rolleyes:

Here and now though, we're just speculating. Some of the Plesk end-users on this forum must be using 17.9 (or testing it at least) and their input would be very useful if posted in this thread.

Off topic for a moment, but relevant to releases from Plesk and their ETAs, there's lots of things that are overdue and are in many ways as important as TLSv1.3 and... where nobody is waiting for new OS releases, just waiting for Plesk. This THREAD covers just a couple of them but there are a lot. We'd be happy if these were released in 17.8.11 pretty soon etc as opposed to us chasing potentially great customisation features in 17.9
 
Ok, I need to write a follow-up warning regarding the use of OpenSSL 1.1.1 on a Plesk server.

In the current state of things this will break FTP connections with the latest Filezilla (v 3.40) as there are some bugs in the TLS 1.3 implementation of ProFTPd.
While the ProFTPd service is automatically offering TLS 1.3 connections when OpenSSL 1.1.1 is installed on the server, it seems to be far from completely/correctly implemented, causing random "450 Transfer aborted. Link to file server lost" errors when uploading files to the server.
Unfortunately there is no way to disable the usage of TLS 1.3 for proftpd, nor is it possible to do the same in Filezilla.
So the only "workaround" is to use a different FTP client or an older Filezilla version. (that does not support TLS 1.3 at all)
 
Has that ^^ happened on your own server @ChristophRo ?

There's no setup shown on your forum sig, so we've no idea what you're running at present that supports TLSv1.3, but presumably, it's either a 17.9 Plesk preview release or maybe a customised Plesk 17.8.11 release?

Either way, have you tried Filezilla SFTP using TLSv1.3 (within Plesk) instead of FTP yet? THIS and THIS are linked to that last question... Would be very interested to see the results of that / if the same happens etc
 
Yes, happened on our own server

We are running Debian9 with Plesk 17.8.11 and use the deb.sury.org repository - mainly for PHP 5.6 support.
Worked without any problems and we are/were already using TLS 1.3 with nginx for quite some time now.

But last week Filezilla released v3.40 that implemented TLS 1.3 for FTP and now we learned that proFTPd is broken in this regard at the moment.
It's not that it does not work at all, you can easily connect and upload/download files, but get these transfer errors from time to time....so it's most visible/problematic if you transfer whole folder structures with many files.
 
...maybe a customised Plesk 17.8.11 release...
...We are running Debian9 with Plesk 17.8.11 and use the deb.sury.org repository...
We made a reasonable guess then :D but thanks for the useful advance warning for all that may be affected
...last week Filezilla released v3.40 that implemented TLS 1.3 for FTP...
Yes we're using that very same release now, but only (as mentioned) SFTP not FTP and only TLSv1.2 not TLSv1.3... (Yet) ;) but with no errors

If you get time to try it / or have a chance maybe later to reply, would still love to know the answer to this one:
...have you tried Filezilla SFTP using TLSv1.3 (within Plesk) instead of FTP yet?
Which by default (if FTP is not used / ports blocked etc) means that proFTPd is redundant really (in our case anyway)
 