How to enable or disable TLS protocol versions in Plesk for Linux?

  • Dr. Koontz (Edited)

    It's worth mentioning that disabling TLSv1.0 also disables Plesk Premium Antivirus.

    According to that article:

    Cause

    TLSv1 disabled for sw-cp-server.
    As Plesk Premium Antivirus supports only TLSv1
    the service cannot communicate with Plesk.

    Since disabling TLSv1.0 also disables Plesk Premium Antivirus (a.k.a. Dr.Web), adding a note with a warning about the issue to this article, with a link to the other knowledge base article I linked above, is warranted so others can take it into consideration before proceeding with disabling TLSv1.0.

  • Ivan Postnikov

    Hello @Dr. Koontz, thank you for the notice; the article will be reviewed and updated.

  • Aristeidis Vlachopanos

    Hello, I am using the above commands on my Linux server running

    OS Debian 6.0.10
    Plesk version 12.5.30 Update #24

    and I am getting

    plesk bin server_pref -u -ssl-protocols "TLSv1.1 TLSv1.2"
    Warning: Current locale is unusable. Using 'C' instead.
    [2018-08-21 17:26:21] ERR [util_exec] proc_close() failed ['/opt/psa/admin/bin/sslmng' '--protocols' 'TLSv1.1 TLSv1.2'] with exit code [1]
    sslmng failed: WARNING:Ignoring unsuppored protocol TLSv1.1
    WARNING:Ignoring unsuppored protocol TLSv1.2
    ERROR:No supported protocols supplied
    exit status 1

    How do I resolve this?

  • Ivan Postnikov

    Hello @Aristeidis,

    Debian 6 has reached EOL and is not supported.

    The recommended approach is to install Plesk Onyx on one of the supported OS versions (https://docs.plesk.com/release-notes/onyx/software-requirements/) and migrate the domains to the new server.

  • Wolfgang Reidlinger (Edited)

    This is my system:

    Product version: Plesk Onyx 17.8.11 Update #35
    Update date: 2018/12/22 17:07
    Build date: 2018/12/12 07:22
    OS version: Ubuntu 18.04
    Revision: a3b2193c4694c7c9adea4d6bcd5882fff19ce9ef
    Architecture: 64-bit
    Wrapper version: 1.2

    To enable TLSv1.2 server-wide and activate strong ciphers, I did the following.
    I miss Strict Transport Security (HSTS) and OCSP Stapling, but the features are quite limited. (https://docs.plesk.com/en-US/onyx/cli-linux/using-command-line-utilities/server_pref-interface-and-system-preferences.37785/)

    /usr/local/psa/bin/server_pref -u -ssl-protocols 'TLSv1.2'

    /usr/local/psa/bin/server_pref -u -ssl-ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384'

    root@admin:~# /usr/local/psa/bin/server_pref -s | grep ssl-*

    ssl-protocols: TLSv1.2
    ssl-ciphers: ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384

  • Ivan Postnikov

    Hello @Wolfgang,

    Thank you for sharing your user experience.

    It may be helpful to other Pleskians.

  • Bruno SCHOULER

    Hello all,

    My server is:

    Version: Plesk Onyx v17.5.3_build1705170317.16 os_CentOS 6
    OS: CentOS 6.10 (Final)
    PHP: 5.4.45

    I have problems with the PayPal module on PrestaShop. It is specified that PayPal now needs TLS 1.2.

    Actually, PayPal tells me the TLS version is not compatible!

    I'm not sure I can run the command in this post.

    If I refer to this post, the command: /usr/local/psa/bin/server_pref -u -ssl-protocols 'TLSv1.1 TLSv1.2'

    is supposed to add TLS 1.1 and TLS 1.2? Is that right?

    In this post, comments say they are getting problems: "It's worth mentioning that disabling TLSv1.0 also disables Plesk Premium Antivirus."

    So my question:

    If I launch that command, do I activate both TLS 1 and TLS 1.2, or do I add TLS 1 and TLS 1.2?

    Thanks for help.

  • Julian Bonpland Mignaquy (Edited)

    @Bruno

    The command you specified enables both TLSv1.1 and TLSv1.2, and the second one enables only TLSv1.2:

    plesk bin server_pref -u -ssl-protocols 'TLSv1.1 TLSv1.2'

    plesk bin server_pref -u -ssl-protocols 'TLSv1.2'

  • Iain (Edited)

    Very helpful post @Wolfgang, but which OS and version of OpenSSL are you running? I note you are listing SHA512 ciphers.

    I am still on CentOS 6.10 but can see a move to CentOS 8 coming if I want to support TLS1.3, however, on my current build with OpenSSL 1.0.1e-fips, the SHA512 ciphers you mention aren't available (full list of OpenSSL 1.0.1e ciphers). I suspect others are in a similar position ... although also note 1.0.1e has issues and should be updated, but that's a topic of a different thread on updating components outside of Plesk PUM (Package Update Manager).

    There's also an interesting difference in definition of high-strength ciphers. My OpenSSL is currently configured for:

    ssl-protocols: TLSv1.2
    ssl-ciphers: HIGH:!aNULL:!MD5

    But a check with SSLLabs gives me only 4 good (not "WEAK") ciphers...

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

    and ranks everything else as weak, so clearly different interpretations of 'high strength' ciphers are in use ... although I trust SSLLabs to be a more current view on cipher strength ranking :-)

    Red Hat have a useful article on '4.13. Hardening TLS Configuration' which includes the following advice:

    To obtain a list of cipher suites that satisfy the recommendations outlined in Section 4.13.1, “Choosing Algorithms to Enable”, use a command similar to the following:

    openssl ciphers -v 'kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES' | column -t

    They note:

    The above command omits all insecure ciphers, gives preference to ephemeral elliptic curve Diffie-Hellman key exchange and ECDSA ciphers, and omits RSA key exchange (thus ensuring perfect forward secrecy). Note that this is a rather strict configuration, and it might be necessary to relax the conditions in real-world scenarios to allow for a compatibility with a broader range of clients.

    So maybe add on:

    TLS-RSA-AES256-GCM-SHA384
    TLS-RSA-AES128-GCM-SHA256

    SSLLabs flag these as 'WEAK' as these are based on RSA with no PFS (Forward Secrecy), but are maybe a reasonable 'backstop' for less capable clients.

    Note also the above command includes ciphers marked as SSLv3, e.g. ECDHE-ECDSA-AES256-SHA, so removing these gets me to a configuration of:

    /usr/local/psa/bin/server_pref -u -ssl-ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:RSA-AES256-GCM-SHA384:RSA-AES128-GCM-SHA256'

    I'd be interested in your views on this as a 'reasonable' configuration ... and still wonder where you are getting your SHA512 ciphers from :-)

  • Iain

    Well, it seems impossible to edit my last post (I just get a lazy-load spinner endlessly spinning), so the end of the post should read...

    So maybe add on:

    AES256-GCM-SHA384
    AES128-GCM-SHA256

    Which gives a cipher line-up of:

    1. ECDHE-ECDSA-AES256-GCM-SHA384
    2. ECDHE-ECDSA-AES256-SHA384
    3. ECDHE-ECDSA-AES128-GCM-SHA256
    4. ECDHE-ECDSA-AES128-SHA256
    5. ECDHE-RSA-AES256-GCM-SHA384
    6. ECDHE-RSA-AES128-GCM-SHA256
    7. DHE-RSA-AES256-GCM-SHA384
    8. DHE-RSA-AES128-GCM-SHA256
    9. ECDHE-RSA-AES256-SHA384
    10. ECDHE-RSA-AES128-SHA256
    11. DHE-RSA-AES256-SHA256
    12. DHE-RSA-AES128-SHA256
    13. AES256-GCM-SHA384
    14. AES128-GCM-SHA256

    and an update command of:

    /usr/local/psa/bin/server_pref -u -ssl-ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256'

    Interestingly, even though the openssl ciphers command lists ciphers 1-4 as available on the server and they are configured, SSLLabs doesn't mention them.

    SSLLabs then lists ciphers 5-8 as 'good'/in green, or rather doesn't highlight them as 'weak', and then lists 9-14 as all weak/in amber. You could of course exclude these ciphers depending on coverage you want for less capable user-agents.

    Testing with the DigiCert checker, it gives a different selection of the 14 ciphers listed, so we are clearly into the realms of what the testing tools themselves support! For reference, DigiCert doesn't list:

    • 1-4, similar to SSLLabs
    • 7-9
    • 10-13
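Iain's comparison of the openssl ciphers output, SSL Labs and DigiCert above turns on two things: which suite names the local OpenSSL build actually resolves (the SHA512 names in Wolfgang's post resolve to nothing, so the server silently drops them) and which suites offer forward secrecy. The following is an added example, not code from this thread or from Plesk: it takes a colon-separated list of explicit suite names of the kind passed to server_pref -u -ssl-ciphers and asks the local OpenSSL, through Python's ssl module, which names it can select, reporting the unresolvable ones and the static-RSA suites that SSL Labs marks as lacking forward secrecy.

```python
"""Check a Plesk-style 'ssl-ciphers' string against the local OpenSSL build.

Constructed example (not Plesk's code). Each colon-separated entry is fed to
OpenSSL on its own; a name OpenSSL cannot resolve is dropped silently by
'openssl ciphers' and by the web server, so it is reported here instead.
Expects explicit suite names (ECDHE-RSA-AES256-GCM-SHA384), not keywords
such as HIGH or !aNULL.
"""
import ssl


def check_cipher_list(cipher_string):
    """Return (supported, unsupported, no_pfs) for a colon-separated
    OpenSSL cipher string such as the one given to 'server_pref -u -ssl-ciphers'."""
    supported, unsupported, no_pfs = [], [], []
    for name in filter(None, cipher_string.split(":")):
        # Fresh context per name so one bad entry cannot mask another.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(name)
        except ssl.SSLError:
            # OpenSSL raised "No cipher can be selected": the name is unknown
            # or disabled in this build (the SHA512 variants from the thread
            # land here on every OpenSSL release).
            unsupported.append(name)
            continue
        # get_ciphers() also lists the fixed TLS 1.3 suites, so require an
        # exact name match rather than a non-empty list.
        if not any(c["name"] == name for c in ctx.get_ciphers()):
            unsupported.append(name)
            continue
        supported.append(name)
        # Suites without an ECDHE-/DHE- key exchange use static RSA key
        # exchange and give no forward secrecy; SSL Labs flags them as WEAK.
        if not name.startswith(("ECDHE-", "DHE-")):
            no_pfs.append(name)
    return supported, unsupported, no_pfs


if __name__ == "__main__":
    # Constructed input mixing a real suite, a non-existent SHA512 name and
    # a static-RSA suite, as discussed in the thread.
    sample = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:"
              "AES128-GCM-SHA256")
    ok, bad, weak = check_cipher_list(sample)
    print("supported:   ", ok)
    print("unsupported: ", bad)
    print("no PFS:      ", weak)
```

Run it on the same host that will serve the configuration; the answer depends on that host's OpenSSL build, which is exactly Iain's point about 1.0.1e.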
  • Bob B

    Doesn't the SSLit Plesk extension handle this in an easier way?

  • Anzhelika Khapaknysh

    @Bob B,

    If I got you right, you are talking about TLS versions and ciphers by Mozilla settings:

    Yes, you can change settings here, but they are already predefined:

    Modern includes TLSv1.2 only;
    Intermediate includes TLSv1.2, TLSv1.1, TLSv1;
    Old includes TLSv1.2, TLSv1.1, TLSv1, SSLv3.

