• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Question TLS1.3 SSL Configuration (ciphers in ssl.conf)

Dukemaster

Dukemaster

Regular Pleskian
Hi,
since a few hours my server provider Ionos updated Ubuntu 18.04.2 LTS with OpenSSL 1.1.1.
OpenSSL 1.1.1 is now running on server
For webhosting I use only Nginx.
Interesting: Plesk panel is already secured with TLS1.3 to my Firefox.

Do you know the proper configuration of ssl.conf to use TLS1.3.?
How to use TLS1.3?

My current configuration of ssl.conf is below

Code: 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:50m;
ssl_session_cache shared:ssl_session_cache:10m;
ssl_ecdh_curve X25519:secp521r1:secp384r1:prime256v1;
ssl_dhparam /etc/dhparam/dhparam4096.pem;

Help would be nice
Thanks
 
@Dukemaster We're assuming that you're not (yet) using Obsidian on your live server, as it's still very early in the Plesk development curve?

Regardless, this is an easy to understand and follow option for all: Generate Mozilla Security Recommended Web Server Configuration Files Simply alter the variables, to suit your own current setup, test and then apply. It's worth noting this page too: Weak ciphers listed in report that are not impl... | Qualys Community as one or two ciphers may appear as "weak" on Qualys during tests, but still appear okay elsewhere at present. Note FWIW: TLSv1.0 and TLSv1.1 as both are no longer supported now by many, for security concerns, especially with regard to taking online payments etc.
 
You must log in or register to reply here.

Similar threads

A
Issue FTP - Insecure server, it does not support FTP over TLS.
Replies
3
Views
733
Alban Staehli
A
Polli
Issue Getting DANE working
2
Replies
33
Views
4K
Polli
Polli
D
Question Connection error from UnityWebRequest to my plesk server on older devices
Replies
1
Views
1K
Nik G
N
O
Question Nginx compile by Plesk and chipers
Replies
6
Views
2K
IgorG
IgorG
M
Question changed nginx ssl.conf
Replies
2
Views
1K
moswak
M
Back
Top