How to enable or disable TLS protocol versions in Plesk for Linux?

Comments

16 comments

  • Dr. Koontz (Edited )

    It's worth mentioning that disabling TLSv1.0 also disables Plesk Premium Antivirus.

    According to that article:

    Cause

    TLSv1 disabled for sw-cp-server.
    As Plesk Premium Antivirus supports only TLSv1
    the service cannot communicate with Plesk.

    Since disabling TLSv1.0 also disables Plesk Premium Antivirus (a.k.a. Dr.Web), adding a note with a warning about the issue to this article, with a link to the other knowledge base article I linked above, is warranted so others can take it into consideration before proceeding with disabling TLSv1.0.

  • Ivan Postnikov

    Hello @Dr. Koontz, thank you for the notice, the article will be reviewed and updated.

  • Aristeidis Vlachopanos

    Hello, I am using the above commands on my Linux server running

    OS Debian 6.0.10
    Plesk version 12.5.30 Update #24

    and I am getting

    plesk bin server_pref -u -ssl-protocols "TLSv1.1 TLSv1.2"
    Warning: Current locale is unusable. Using 'C' instead.
    [2018-08-21 17:26:21] ERR [util_exec] proc_close() failed ['/opt/psa/admin/bin/sslmng' '--protocols' 'TLSv1.1 TLSv1.2'] with exit code [1]
    sslmng failed: WARNING:Ignoring unsuppored protocol TLSv1.1
    WARNING:Ignoring unsuppored protocol TLSv1.2
    ERROR:No supported protocols supplied
    exit status 1

    How do I resolve this?

  • Ivan Postnikov

    Hello @Aristeidis,

    Debian 6 has reached EOL and is not supported.

    The recommended approach is to install Plesk Onyx on one of the supported OS versions (https://docs.plesk.com/release-notes/onyx/software-requirements/) and migrate the domains to the new server.

  • Wolfgang Reidlinger (Edited )

    This is my system:

    Product version: Plesk Onyx 17.8.11 Update #35
    Update date: 2018/12/22 17:07
    Build date: 2018/12/12 07:22
    OS version: Ubuntu 18.04
    Revision: a3b2193c4694c7c9adea4d6bcd5882fff19ce9ef
    Architecture: 64-bit
    Wrapper version: 1.2

    To enable TLSv1.2 server-wide and activate strong ciphers, I did the following.
    I miss Strict Transport Security (HSTS) and OCSP Stapling, but the features are quite limited. (https://docs.plesk.com/en-US/onyx/cli-linux/using-command-line-utilities/server_pref-interface-and-system-preferences.37785/)

    /usr/local/psa/bin/server_pref -u -ssl-protocols 'TLSv1.2'

    /usr/local/psa/bin/server_pref -u -ssl-ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384'

    root@admin:~# /usr/local/psa/bin/server_pref -s | grep ssl-*

    ssl-protocols: TLSv1.2
    ssl-ciphers: ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384

  • Ivan Postnikov

    Hello @Wolfgang,

    Thank you for sharing your user experience.

    It may be helpful to other Pleskians.

  • Bruno SCHOULER

    Hello all

    My server is:

    Version Plesk Onyx v17.5.3_build1705170317.16 os_CentOS 6
    OS: CentOS 6.10 (Final)
    PHP: 5.4.45

    I have problems with the PayPal module on PrestaShop. It is specified that PayPal now needs TLS 1.2.

    Actually, PayPal says the TLS version is not compatible!

    I'm not sure I can use the command from this post.

    If I refer to this post, the command /usr/local/psa/bin/server_pref -u -ssl-protocols 'TLSv1.1 TLSv1.2'

    is supposed to add TLS 1.1 and TLS 1.2? Is that right?

    In this post, the comments say there are problems: "It's worth mentioning that disabling TLSv1.0 also disables Plesk Premium Antivirus."

    So my question:

    If I launch that command, do I activate both TLS1 and TLS1.2, or do I add TLS 1.1 and TLS 1.2?

    Thanks for the help.

  • Julian Bonpland Mignaquy (Edited )

    @Bruno

    The command you specified enables both TLSv1.1 and TLSv1.2, and the second one enables only TLSv1.2:

    plesk bin server_pref -u -ssl-protocols 'TLSv1.1 TLSv1.2'

    plesk bin server_pref -u -ssl-protocols 'TLSv1.2'

  • Iain (Edited )

    Very helpful post @Wolfgang, but which OS and version of OpenSSL are you running? I note you are listing SHA512 ciphers.

    I am still on CentOS 6.10 but can see a move to CentOS 8 coming if I want to support TLS1.3, however, on my current build with OpenSSL 1.0.1e-fips, the SHA512 ciphers you mention aren't available (full list of OpenSSL 1.0.1e ciphers). I suspect others are in a similar position ... although also note 1.0.1e has issues and should be updated, but that's a topic of a different thread on updating components outside of Plesk PUM (Package Update Manager).

    There's also an interesting difference in definition of high-strength ciphers. My OpenSSL is currently configured for:

    ssl-protocols: TLSv1.2
    ssl-ciphers: HIGH:!aNULL:!MD5

    But a check with SSLLabs gives me only 4 good (not "WEAK") ciphers...

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

    and ranks everything else as weak, so clearly different interpretations of 'high strength' ciphers are in use ... although I trust SSLLabs to be a more current view on cipher strength ranking :-)

    Red Hat have a useful article on '4.13. Hardening TLS Configuration' which includes the following advice:

    To obtain a list of cipher suites that satisfy the recommendations outlined in Section 4.13.1, “Choosing Algorithms to Enable”, use a command similar to the following:

    openssl ciphers -v 'kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES' | column -t

    They note:

    The above command omits all insecure ciphers, gives preference to ephemeral elliptic curve Diffie-Hellman key exchange and ECDSA ciphers, and omits RSA key exchange (thus ensuring perfect forward secrecy). Note that this is a rather strict configuration, and it might be necessary to relax the conditions in real-world scenarios to allow for a compatibility with a broader range of clients.

    So maybe add on:

    TLS-RSA-AES256-GCM-SHA384
    TLS-RSA-AES128-GCM-SHA256

    SSLLabs flag these as 'WEAK' as these are based on RSA with no PFS (Forward Secrecy), but are maybe a reasonable 'backstop' for less capable clients.

    Note also the above command includes ciphers marked as SSLv3, e.g. ECDHE-ECDSA-AES256-SHA, so removing these gets me to a configuration of:

    /usr/local/psa/bin/server_pref -u -ssl-ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:RSA-AES256-GCM-SHA384:RSA-AES128-GCM-SHA256'

    I'd be interested for your views on this as a 'reasonable' configuration ... and still wonder where you are getting your SHA512 ciphers from :-)

  • Iain

    Well it seems impossible to edit my last post, I just get a lazy-load spinner endlessly spinning, so the end of the post should read...

    So maybe add on:

    AES256-GCM-SHA384
    AES128-GCM-SHA256

    Which gives a cipher line-up of:

    1. ECDHE-ECDSA-AES256-GCM-SHA384
    2. ECDHE-ECDSA-AES256-SHA384
    3. ECDHE-ECDSA-AES128-GCM-SHA256
    4. ECDHE-ECDSA-AES128-SHA256
    5. ECDHE-RSA-AES256-GCM-SHA384
    6. ECDHE-RSA-AES128-GCM-SHA256
    7. DHE-RSA-AES256-GCM-SHA384
    8. DHE-RSA-AES128-GCM-SHA256
    9. ECDHE-RSA-AES256-SHA384
    10. ECDHE-RSA-AES128-SHA256
    11. DHE-RSA-AES256-SHA256
    12. DHE-RSA-AES128-SHA256
    13. AES256-GCM-SHA384
    14. AES128-GCM-SHA256

    and an update command of:

    /usr/local/psa/bin/server_pref -u -ssl-ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256'

    Interestingly, even though the openssl ciphers command lists ciphers 1-4 as available on the server and they are configured, SSLLabs doesn't mention them.

    SSLLabs then lists ciphers 5-8 as 'good'/in green, or rather doesn't highlight them as 'weak', and then lists 9-14 as all weak/in amber. You could of course exclude these ciphers depending on coverage you want for less capable user-agents.

    Testing with the DigiCert checker, it gives a different selection of the 14 ciphers listed, so we are clearly into the realms of what the testing tools themselves support! For reference, DigiCert doesn't list:

    • 1-4, similar to SSLLabs
    • 7-9
    • 10-13
  • Bob B

    Doesn't the SSLit Plesk extension handle this in an easier way?

  • Anzhelika Khapaknysh

    @Bob B,

    If I got you right, you are talking about TLS versions and ciphers by Mozilla settings:

    Yes, you can change settings here, but they are already predefined:

    Modern includes TLSv1.2 only;
    Intermediate includes TLSv1.2, TLSv1.1, TLSv1;
    Old includes TLSv1.2, TLSv1.1, TLSv1, SSLv3.

  • Pigr_46

    Hi,

    I added " /usr/local/psa/bin/server_pref -u -ssl-protocols 'TLSv1.1 TLSv1.2' " via the Plesk graphical interface, but the problem with my PayPal in WordPress is not solved.

    I receive this error in the Dashboard:

    WARNING: You may no longer be able to accept PayPal payments after June 2018!
    It looks like your server does not support TLS 1.2. As of June 2018, PayPal is dropping support for TLS 1.1 and your payments may no longer function properly. It is critically important that you upgrade your server to support TLS 1.2 as soon as possible. For more information, contact your web hosting provider and ask them to support TLS 1.2. More information is available in PayPal’s TLS 1.2 and HTTP/1.1 Upgrade Documentation.

    If you have made the necessary changes, and still see this message, you can check again.

    I use: CentOS Linux 7.7.1908 (Core), Plesk Onyx - Version 17.8.11 Update #73

    Thank you

  • lenala

    I want a PCI-DSS compliant server with TLS v1.3 and 1.2 only.
    I followed the guide but with some tuning, since we run LiteSpeed servers:

    I edited the following file: /etc/httpd/conf.d/ssl.conf and added at the bottom:

    <IfModule LiteSpeed>

    SSLProtocol TLSv1.2 TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder off
    SSLSessionTickets off

    SSLUseStapling On
    SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

    </IfModule>

    Then I ran the plesk sbin pci_compliance_resolver --enable all command.

    I believe all listed services were secured:

    • panel - Applying security changes for sw-cp-server (nginx for Plesk).
    • apache - Applying security changes for Apache server.
    • courier - Applying security changes for Courier IMAP.
    • dovecot - Applying security changes for Dovecot.
    • qmail - Applying security changes for qmail.
    • postfix - Applying security changes for Postfix MTA.
    • proftpd - Applying security changes for ProFTPd.

    But I'm not sure what the command does exactly and which file to look at to double-check. (For Apache, it doesn't matter, since we don't use it.)

    For instance, if I look at the file change dates in /etc/dovecot/conf.d/, the content of 10-plesk-security.conf is:

    ##
    ## Default values for security settings tunable by
    ## pci_compliance_resolver Plesk utility.
    ##

    # PLEASE DON'T EDIT ANYTHING IN THIS FILE! ANY CHANGES WILL BE LOST ON UPGRADE.
    # Disable LOGIN command and all other plaintext authentications unless
    # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
    # matches the local IP (ie. you're connecting from the same computer), the
    # connection is considered secure and plaintext authentication is allowed.
    # See also ssl=required setting.

    disable_plaintext_auth = no

    Is that correct?

    Anyhow, I'm happy to see an A+ for PCI-DSS compliance on Immuniweb and an A+ on ssllabs for the domain on :443.

    Only concerns are:
    IMAP & POP3 get an A- (the certificate doesn't match the hostname)
    SMTP SSL / 465 gets a B- (the certificate doesn't match the hostname)

    Looking at the certificates:
    Root CA: DST Root CA X3 is self-signed (expires in 683 days)
    Intermediate CA: Let's Encrypt Authority X3 (expires in 486 days)
    Server certificate: server.domain.tld (expires in 31 days)

    How can I fix that, please?
  • Lev Iurev

    @lenala Please check the article https://support.plesk.com/hc/en-us/articles/115001446174-How-to-secure-a-Plesk-mail-server-with-different-SSL-certificates-SNI-support-

    This can be achieved on Plesk Obsidian only.

  • Ivan Postnikov

    Hello @Pigr_46,

    In your case, TLS 1.1 should be disabled.

    Try this one:

    plesk bin server_pref -u -ssl-protocols 'TLSv1.2'

    Also, it might be needed to leave only strong ciphers enabled:

    plesk bin server_pref -u -ssl-ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'

    Setting only modern ciphers may cause issues for visitors using old browsers.

    You may specify other ciphers using the plesk bin server_pref utility. Please refer to section '2.3 Use Secure Cipher Suites' in the following SSLlabs article:
    https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

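An added example (not Plesk's or OpenSSL's own tooling, and not from any commenter) that ties together Iain's question about the SHA512 suites in Wolfgang's list and Ivan's advice above on keeping only strong ciphers: it asks the OpenSSL linked into Python's ssl module which candidate names it knows, marks suites without forward secrecy (RSA key exchange, the ones SSLLabs rates WEAK), and assembles a server_pref cipher string from the supported names only. The candidate list is constructed from the cipher names quoted in this thread.

```python
"""Check which cipher names the local OpenSSL accepts before passing them to
`plesk bin server_pref -u -ssl-ciphers`, and flag suites without forward
secrecy (the ones SSLLabs rates WEAK). Added example, not Plesk's tooling."""
import ssl


def classify(name):
    """Return (supported, forward_secrecy, protocol) for one OpenSSL cipher name.

    An unknown name leaves the cipher list empty and set_ciphers() raises
    SSLError, the same condition sslmng reports as "unsupported"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(name)
    except ssl.SSLError:
        return (False, False, None)
    # get_ciphers() also lists the built-in TLS 1.3 suites, so select ours by name.
    match = [c for c in ctx.get_ciphers() if c["name"] == name]
    if not match:
        return (False, False, None)
    # description is the `openssl ciphers -v` line, e.g.
    # "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
    fields = dict(f.split("=", 1) for f in match[0]["description"].split() if "=" in f)
    forward_secrecy = fields.get("Kx") in ("ECDH", "DH")
    return (True, forward_secrecy, match[0]["protocol"])


def build_cipher_string(candidates):
    """Return (colon-joined string of supported names, per-name report rows)."""
    keep, report = [], []
    for name in candidates:
        supported, fs, proto = classify(name)
        report.append((name, supported, fs, proto))
        if supported:
            keep.append(name)
    return ":".join(keep), report


# Constructed from names quoted in this thread: Wolfgang's list (with the SHA512
# suites Iain could not find) plus Iain's two RSA-key-exchange "backstop" suites.
CANDIDATES = [
    "ECDHE-RSA-AES256-GCM-SHA512", "DHE-RSA-AES256-GCM-SHA512",
    "ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384", "AES256-GCM-SHA384", "AES128-GCM-SHA256",
]

if __name__ == "__main__":
    cipher_string, report = build_cipher_string(CANDIDATES)
    for name, supported, fs, proto in report:
        status = proto if supported else "NOT SUPPORTED by this OpenSSL"
        note = "" if fs or not supported else "  (RSA key exchange, no forward secrecy)"
        print(f"{name:30} {status}{note}")
    print(f"\nplesk bin server_pref -u -ssl-ciphers '{cipher_string}'")
```

Run it on the Plesk host itself (or any machine with the same OpenSSL build) so the answer reflects the library sslmng will actually use; a name rejected here is one that `server_pref -u -ssl-ciphers` would silently have to drop.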
