Question
How to enable/disable TLS protocol versions in Plesk for Linux?
Answer
- Connect to a Plesk server via SSH.
- Use the plesk bin server_pref utility to manage TLS protocol versions.

For example, to leave only TLSv1.2 and TLSv1.3 enabled server-wide for all services, run the following command, which disables every TLS protocol not listed:
# plesk bin server_pref -u -ssl-protocols 'TLSv1.2 TLSv1.3'
To enable particular ciphers, use the -ssl-ciphers option and specify the required ciphers. For example:
# plesk bin server_pref -u -ssl-ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
To change protocols for a specific service, use the following command:
# plesk sbin sslmng --services postfix --protocols 'TLSv1.2 TLSv1.3'
Note: TLS 1.3 support for Apache was added in Apache 2.4.37 and is present in later versions (currently available on Ubuntu 20, Debian 10 and CentOS 8). On other operating systems, to implement TLS 1.3 for web, use Apache with nginx as a proxy.
Additional Information
To list the security configuration of all services, run the command:
# plesk sbin sslmng --show-config
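To confirm from the outside that a service negotiates only the configured protocols, the script below attempts one openssl s_client handshake per TLS version and compares the outcome with the list passed to -ssl-protocols or --protocols. It is an added example, not part of the original article; the function names and the example.com host are assumptions.

```shell
# Added example: check that a service only negotiates the protocols that were
# passed to -ssl-protocols / --protocols. Host and port are placeholders.
ALLOWED='TLSv1.2 TLSv1.3'          # same list as given to server_pref
ALL='TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'

# Map a protocol name to the matching openssl s_client flag.
proto_flag() {
    case "$1" in
        TLSv1)   echo '-tls1'   ;;
        TLSv1.1) echo '-tls1_1' ;;
        TLSv1.2) echo '-tls1_2' ;;
        TLSv1.3) echo '-tls1_3' ;;
        *)       return 1       ;;
    esac
}

# Print "enabled" if $1 is a whole word in the space-separated list $2.
expected_state() {
    case " $2 " in
        *" $1 "*) echo enabled  ;;
        *)        echo disabled ;;
    esac
}

# Try one handshake; print "enabled" if it completes, "disabled" otherwise.
# $3 carries optional extra s_client arguments, e.g. "-starttls smtp".
probe() {
    flag=$(proto_flag "$2") || return 2
    if openssl s_client -connect "$1" $flag $3 </dev/null >/dev/null 2>&1; then
        echo enabled
    else
        echo disabled
    fi
}

# Compare every protocol against ALLOWED; return 1 on any mismatch.
audit() {
    rc=0
    for p in $ALL; do
        want=$(expected_state "$p" "$ALLOWED")
        got=$(probe "$1" "$p" "$2")
        [ "$want" = "$got" ] && verdict=OK || { verdict=MISMATCH; rc=1; }
        printf '%-8s expected=%-8s observed=%-8s %s\n' "$p" "$want" "$got" "$verdict"
    done
    return $rc
}

# Usage: audit example.com:443      or      audit example.com:25 '-starttls smtp'
```

A "disabled" result for TLSv1 or TLSv1.1 is only conclusive if the local openssl client itself can still offer that version; run the check from a machine whose OpenSSL build and configuration permit the legacy protocols.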