Articles in this section

See more

How to enable or disable TLS protocol versions or SSL ciphers via CLI in Plesk for Linux?

Avatar
Julian Bonpland Mignaquy
Updated
kb: how-to Plesk for Linux FR:PPM-2775

Applicable to:

  • Plesk for Linux

Question

  • How to enable or disable TLS protocol versions in Plesk for Linux via CLI?
  • Can I enable or disable certain TLS protocols only for some Plesk services?
  • How to enable or disable SSL ciphers on Plesk for Linux?

Answer

  1. Connect to a Plesk server via SSH.

  2. First, check the currently used TLS versions on your server by executing the following command:

    # plesk sbin sslmng --show-config


    The example output of this command would be the following:

    root@server:~# plesk sbin sslmng --show-config
    {
    "full": {
    "all": {
    "protocols": [
    "TLSv1.1",
    "TLSv1.2",
    "TLSv1.3"
    ],
    "ciphers": "EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH:!kDH",
    "cipher_server_order": true,
    "strong_dh": true,
    "dhparams_size": 2048
    },
    ...

    Note: You can save the output to a text file, just in case you need to revert to that configuration later on

  3. Afterwards, if the need is to have only TLSv1.2 TLSv1.3 enabled server-wide for all services, run the following command (it will disable all other TLS protocols):

    # plesk bin server_pref -u -ssl-protocols 'TLSv1.2 TLSv1.3'

    To enable particular ciphers, use the -ssl-ciphers option and specify required ciphers. For example:

    # plesk bin server_pref -u -ssl-ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'

    To change protocols for a specific service, use the following command:

    # plesk sbin sslmng --services postfix --protocols 'TLSv1.2 TLSv1.3'

Note: TLS 1.3 support for Apache has been added in Apache 2.4.37 and later versions (currently available on Ubuntu 20, Debian 10Almalinux 8 and their respective later versions). On older operating systems, to implement TLS 1.3 for web, use Apache with nginx as a proxy.

On modern operating systems, such as Almalinux8 and higher, TLS1 and TLS1.1 are disabled by default for security reasons. To enable these protocols, execute the following command:

# update-crypto-policies --set LEGACY

On ALmalinux 9 the above did not work. I had to change SECLEVEL from 2 to 0:

# grep -R SECLEVEL /etc/crypto-policies/back-ends
/etc/crypto-policies/back-ends/openssl.config:@SECLEVEL=0:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
/etc/crypto-policies/back-ends/opensslcnf.config:CipherString = @SECLEVEL=0:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8

# systemctl restart nginx
# systemctl restart Plesk-php*

Additional Information

How to manage SSL/TLS ciphers and protocols in Plesk for Windows?

Comments

1 comment

Sort by Date Votes
  • Avatar
    Julian Bonpland Mignaquy

    Hi Jon Doe That article has been removed because as of SSL It! 1.15.5, this function is hidden: TLS versions and ciphers management.


     

    0

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles