Applicable to:
- Plesk for Linux
Question
- How to enable or disable TLS protocol versions in Plesk for Linux via CLI?
- Can I enable or disable certain TLS protocols only for some Plesk services?
- How to enable or disable SSL ciphers on Plesk for Linux?
Answer
- Connect to a Plesk server via SSH.
- First, check the currently used TLS versions on your server by executing the following command:
# plesk sbin sslmng --show-config
The example output of this command would be the following:
root@server:~# plesk sbin sslmng --show-config
{
    "full": {
        "all": {
            "protocols": [
                "TLSv1.1",
                "TLSv1.2",
                "TLSv1.3"
            ],
            "ciphers": "EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH:!kDH",
            "cipher_server_order": true,
            "strong_dh": true,
            "dhparams_size": 2048
        },
...
Note: You can save the output to a text file, just in case you need to revert to that configuration later on.
- Afterwards, to have only TLSv1.2 and TLSv1.3 enabled server-wide for all services, run the following command (it will disable all other TLS protocols):
# plesk bin server_pref -u -ssl-protocols 'TLSv1.2 TLSv1.3'
To enable particular ciphers, use the -ssl-ciphers option and specify the required ciphers. For example:
# plesk bin server_pref -u -ssl-ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
To change protocols for a specific service, use the following command:
# plesk sbin sslmng --services postfix --protocols 'TLSv1.2 TLSv1.3'
Note: TLS 1.3 support for Apache was added in Apache 2.4.37 (currently available on Ubuntu 20, Debian 10, AlmaLinux 8 and their respective later versions). On older operating systems, to implement TLS 1.3 for web, use Apache with nginx as a proxy.
# update-crypto-policies --set LEGACY
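To confirm the protocol change took effect, the saved --show-config output can be checked mechanically. The script below is an added example, not Plesk's own tooling: it lists every section that still enables a protocol other than the TLSv1.2 and TLSv1.3 kept by the commands above. It assumes the saved file contains only the JSON and that each section carries a "protocols" list as in the output shown; the "postfix" section in the sample is constructed.

```python
import json
import sys

# Protocols kept by the server_pref command on this page; anything else is flagged.
ALLOWED = {"TLSv1.2", "TLSv1.3"}

# Constructed sample, shaped like the output shown above. The "postfix"
# section name and its position under "full" are assumptions.
SAMPLE = """
{
  "full": {
    "all": {
      "protocols": ["TLSv1.1", "TLSv1.2", "TLSv1.3"],
      "cipher_server_order": true,
      "strong_dh": true,
      "dhparams_size": 2048
    },
    "postfix": {
      "protocols": ["TLSv1.2", "TLSv1.3"]
    }
  }
}
"""


def unexpected_protocols(node, path=()):
    """Return {section path: [protocols outside ALLOWED]} for every section
    that carries a "protocols" list, at any nesting depth."""
    found = {}
    if isinstance(node, dict):
        protocols = node.get("protocols")
        if isinstance(protocols, list):
            extra = sorted(p for p in protocols if p not in ALLOWED)
            if extra:
                found["/".join(path)] = extra
        for key, child in node.items():
            found.update(unexpected_protocols(child, path + (key,)))
    return found


if __name__ == "__main__":
    # Usage: python3 check_tls.py saved-config.json   (no argument: use SAMPLE)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    report = unexpected_protocols(json.loads(text))
    for section, protocols in report.items():
        print(f"{section}: still enabled: {', '.join(protocols)}")
    sys.exit(1 if report else 0)
```

The script exits with status 1 when any section still lists a protocol outside the allowed set, so it can gate a configuration check.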
Additional Information
How to manage SSL/TLS ciphers and protocols in Plesk for Windows?
How to enable secure TLS versions and ciphers in Plesk for Linux?