Resolved Server negotiated HTTP/2 with blacklisted suite

FAPM · Mar 7, 2017

Hi,

Do you have a solution to correct this :
Plesk Onyx 17.0.17 Mise à jour n° 18
‪CentOS Linux 7.3.1611 (Core)

Code:

Android 2.3.7   No SNI 2        RSA 4096 (SHA256)       TLS 1.0     TLS_RSA_WITH_AES_128_CBC_SHA  No FS
Android 4.0.4     RSA 4096 (SHA256)       TLS 1.0     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Android 4.1.1     RSA 4096 (SHA256)       TLS 1.0     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Android 4.2.2     RSA 4096 (SHA256)       TLS 1.0     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Android 4.3     RSA 4096 (SHA256)       TLS 1.0     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Android 4.4.2     RSA 4096 (SHA256)       TLS 1.2     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Android 5.0.0     RSA 4096 (SHA256)       TLS 1.2     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Android 6.0     RSA 4096 (SHA256)       TLS 1.2 > http/1.1       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Android 7.0     RSA 4096 (SHA256)       TLS 1.2 > h2       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Baidu Jan 2015     RSA 4096 (SHA256)       TLS 1.0     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
BingPreview Jan 2015     RSA 4096 (SHA256)       TLS 1.2     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Chrome 49 / XP SP3     Server negotiated HTTP/2 with blacklisted suite
RSA 4096 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
Chrome 51 / Win 7  R        RSA 4096 (SHA256)       TLS 1.2 > h2       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Firefox 31.3.0 ESR / Win 7     RSA 4096 (SHA256)       TLS 1.2     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Firefox 47 / Win 7  R        Server negotiated HTTP/2 with blacklisted suite
RSA 4096 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
Firefox 49 / XP SP3     RSA 4096 (SHA256)       TLS 1.2 > h2       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Firefox 49 / Win 7  R        RSA 4096 (SHA256)       TLS 1.2 > h2       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Googlebot Feb 2015     RSA 4096 (SHA256)       TLS 1.2     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
IE 6 / XP   No FS 1      No SNI 2        Server closed connection
IE 7 / Vista     RSA 4096 (SHA256)       TLS 1.0     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
IE 8 / XP   No FS 1      No SNI 2        Server sent fatal alert: handshake_failure
IE 8-10 / Win 7  R        RSA 4096 (SHA256)       TLS 1.0     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win 7  R        RSA 4096 (SHA256)       TLS 1.2     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
IE 11 / Win 8.1  R        RSA 4096 (SHA256)       TLS 1.2 > http/1.1       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
IE 10 / Win Phone 8.0     RSA 4096 (SHA256)       TLS 1.0     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win Phone 8.1  R        RSA 4096 (SHA256)       TLS 1.2 > http/1.1       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win Phone 8.1 Update  R        RSA 4096 (SHA256)       TLS 1.2 > http/1.1       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
IE 11 / Win 10  R        RSA 4096 (SHA256)       TLS 1.2 > h2       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Edge 13 / Win 10  R        RSA 4096 (SHA256)       TLS 1.2 > h2       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Edge 13 / Win Phone 10  R        RSA 4096 (SHA256)       TLS 1.2 > h2       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Java 6u45   No SNI 2        RSA 4096 (SHA256)       TLS 1.0     TLS_RSA_WITH_AES_128_CBC_SHA  No FS
Java 7u25     RSA 4096 (SHA256)       TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Java 8u31     RSA 4096 (SHA256)       TLS 1.2     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
OpenSSL 0.9.8y     RSA 4096 (SHA256)       TLS 1.0     TLS_RSA_WITH_AES_256_CBC_SHA  No FS
OpenSSL 1.0.1l  R        RSA 4096 (SHA256)       TLS 1.2     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
OpenSSL 1.0.2e  R        RSA 4096 (SHA256)       TLS 1.2     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Safari 5.1.9 / OS X 10.6.8     RSA 4096 (SHA256)       TLS 1.0     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Safari 6 / iOS 6.0.1     RSA 4096 (SHA256)       TLS 1.2     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Safari 6.0.4 / OS X 10.8.4  R        RSA 4096 (SHA256)       TLS 1.0     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Safari 7 / iOS 7.1  R        RSA 4096 (SHA256)       TLS 1.2     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Safari 7 / OS X 10.9  R        RSA 4096 (SHA256)       TLS 1.2     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Safari 8 / iOS 8.4  R        RSA 4096 (SHA256)       TLS 1.2     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Safari 8 / OS X 10.10  R        RSA 4096 (SHA256)       TLS 1.2     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Safari 9 / iOS 9  R        RSA 4096 (SHA256)       TLS 1.2 > h2       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Safari 9 / OS X 10.11  R        RSA 4096 (SHA256)       TLS 1.2 > h2       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Safari 10 / iOS 10  R        RSA 4096 (SHA256)       TLS 1.2 > h2       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Safari 10 / OS X 10.12  R        RSA 4096 (SHA256)       TLS 1.2 > h2       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Apple ATS 9 / iOS 9  R        RSA 4096 (SHA256)       TLS 1.2 > h2       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Yahoo Slurp Jan 2015     RSA 4096 (SHA256)       TLS 1.2     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
YandexBot Jan 2015     RSA 4096 (SHA256)       TLS 1.2     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS

Chrome 49 / XP SP3 Server negotiated HTTP/2 with blacklisted suite
RSA 4096 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1

Firefox 47 / Win 7 R Server negotiated HTTP/2 with blacklisted suite
RSA 4096 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1

IE 6 / XP No FS 1 No SNI 2 Server closed connection

IE 8 / XP No FS 1 No SNI 2 Server sent fatal alert: handshake_failure

Thanks ALL

UFHH01 · Mar 7, 2017

Hi FAPM,

I assume, that you desire to change the "ciphers" - lists - usage on your server, so pls. consider to read for example:

Tune Plesk to Meet PCI DSS on Linux ( Plesk Onyx documentation - Advanced Administration Guide, Plesk for Linux )

You are able to change the current ciphers - lists for your depending services and you might be interested in using the "Mozilla SSL Configuration Generator" at => https://mozilla.github.io/server-side-tls/ssl-config-generator/ , to generate desired ciphers - lists.

Resolved Server negotiated HTTP/2 with blacklisted suite

FAPM

Basic Pleskian

UFHH01

Guest

Similar threads