
How to enable or disable TLS protocol versions or SSL ciphers via CLI in Plesk for Linux?

kb: how-to Plesk for Linux FR:PPM-2775

Applicable to:

  • Plesk for Linux

Question

  • How to enable or disable TLS protocol versions in Plesk for Linux via CLI?
  • Can I enable or disable certain TLS protocols only for some Plesk services?
  • How to enable or disable SSL ciphers on Plesk for Linux?

Answer

  1. Connect to a Plesk server via SSH.
  2. First, check the currently used TLS versions on your server by executing the following command:

    # plesk sbin sslmng --show-config

    The example output of this command would be the following:

    root@server:~# plesk sbin sslmng --show-config
    {
        "full": {
            "all": {
                "protocols": [
                    "TLSv1.1",
                    "TLSv1.2",
                    "TLSv1.3"
                ],
                "ciphers": "EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH:!kDH",
                "cipher_server_order": true,
                "strong_dh": true,
                "dhparams_size": 2048
            },
    ...

    Note: You can save the output to a text file in case you need to revert to that configuration later on.

  3. To have only TLSv1.2 and TLSv1.3 enabled server-wide for all services, run the following command (it will disable all other TLS protocols):

    # plesk bin server_pref -u -ssl-protocols 'TLSv1.2 TLSv1.3'

    To enable particular ciphers, use the -ssl-ciphers option and specify the required ciphers. For example:

    # plesk bin server_pref -u -ssl-ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'

    To change protocols for a specific service, use the following command:

    # plesk sbin sslmng --services postfix --protocols 'TLSv1.2 TLSv1.3'

Note: TLS 1.3 support for Apache was added in Apache 2.4.37 and later versions (currently available on Ubuntu 20, Debian 10, AlmaLinux 8 and their respective later versions). On older operating systems, to implement TLS 1.3 for web, use Apache with nginx as a proxy.
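
The following Python script is an added example, not part of the original article or Plesk's own tooling. It audits a saved copy of the `--show-config` output from step 2 and reports every block that still enables protocols outside the step 3 target set, positively enables weak cipher tokens, does not enforce server cipher order, or uses short DH parameters. The `postfix` block in the sample, the weak-marker list and the 2048-bit threshold are assumptions; the walk itself does not depend on section names.

```python
import json

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}           # target set from step 3
WEAK_MARKERS = ("NULL", "EXP", "DES", "RC4", "MD5")  # assumed audit policy
MIN_DH_BITS = 2048                                   # assumed threshold
# Constructed sample. "all" mirrors the article's example output (cipher string
# shortened); "postfix" is a hypothetical per-service block with the same keys.
SAMPLE = """root@server:~# plesk sbin sslmng --show-config
{"full": {
  "all": {"protocols": ["TLSv1.1", "TLSv1.2", "TLSv1.3"],
          "ciphers": "EECDH+AESGCM+AES128:HIGH:!aNULL:!eNULL:!RC4:!3DES:!MD5",
          "cipher_server_order": true, "strong_dh": true, "dhparams_size": 2048},
  "postfix": {"protocols": ["TLSv1.2", "TLSv1.3"],
              "ciphers": "HIGH:RC4-SHA:!aNULL:!MD5",
              "cipher_server_order": false, "strong_dh": false, "dhparams_size": 1024}
}}"""

def audit_section(path, section):
    """Return findings for one object that carries a 'protocols' list."""
    out = []
    legacy = sorted(set(section["protocols"]) - ALLOWED_PROTOCOLS)
    if legacy:
        out.append(f"{path}: legacy protocols enabled: {', '.join(legacy)}")
    # Tokens starting with '!' or '-' remove ciphers; anything else can add them.
    weak = [t for t in str(section.get("ciphers", "")).split(":")
            if t and t[0] not in "!-" and any(m in t.upper() for m in WEAK_MARKERS)]
    if weak:
        out.append(f"{path}: weak cipher tokens: {', '.join(weak)}")
    if section.get("cipher_server_order") is False:
        out.append(f"{path}: server cipher order not enforced")
    dh = section.get("dhparams_size")
    if isinstance(dh, int) and dh < MIN_DH_BITS:
        out.append(f"{path}: DH parameters are {dh} bits, below {MIN_DH_BITS}")
    return out

def audit_config(text):
    """Audit every object in the saved output that has a 'protocols' list."""
    findings = []
    def walk(node, path):
        if isinstance(node, dict):
            if isinstance(node.get("protocols"), list):
                findings.extend(audit_section(path, node))
            for key, value in node.items():
                walk(value, f"{path}/{key}" if path else key)
    walk(json.loads(text[text.index("{"):]), "")  # skip a saved prompt line
    return findings

if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE)) or "no findings")
```
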

On modern operating systems, such as AlmaLinux 8 and higher, TLS 1.0 and TLS 1.1 are disabled by default for security reasons. To enable these protocols, execute the following command:

# update-crypto-policies --set LEGACY

On AlmaLinux 9 the above did not work. I had to change SECLEVEL from 2 to 0:

# grep -R SECLEVEL /etc/crypto-policies/back-ends
/etc/crypto-policies/back-ends/openssl.config:@SECLEVEL=0:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
/etc/crypto-policies/back-ends/opensslcnf.config:CipherString = @SECLEVEL=0:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8

# systemctl restart nginx
# systemctl restart plesk-php*

Additional Information

How to manage SSL/TLS ciphers and protocols in Plesk for Windows?


Comments

  • Hi Jon Doe, that article has been removed because as of SSL It! 1.15.5, this function is hidden: TLS versions and ciphers management.

    0
  • Please add a guide on how the same can be achieved via GUI.

    0
  • Hello Liwin Do,

    Currently, there is no functionality to manage these settings from GUI.

    0
