Plesk

How to enable/disable TLS protocol versions in Plesk for Linux

Question

How to enable/disable TLS protocol versions in Plesk for Linux?

Answer

  1. Connect to a Plesk server via SSH.

  2. Use the plesk bin server_pref utility to manage TLS protocol versions.

    In this example, only TLSv1.2 and TLSv1.3 are to remain enabled server-wide for all services. The following command enables them and disables every TLS protocol version that is not listed:

    # plesk bin server_pref -u -ssl-protocols 'TLSv1.2 TLSv1.3'

    To enable particular ciphers, use the -ssl-ciphers option and specify the required ciphers. For example:

    # plesk bin server_pref -u -ssl-ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'

    To change protocols for a specific service, use the following command:

    # plesk sbin sslmng --services postfix --protocols 'TLSv1.2 TLSv1.3'

Note: TLS 1.3 support for Apache is available in Apache 2.4.37 and later versions (currently available on Ubuntu 20, Debian 10 and CentOS 8). On other operating systems, to implement TLS 1.3 for web, use Apache with nginx as a proxy.

Additional Information

To list the security configuration of all services, run the following command:

# plesk sbin sslmng --show-config
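
To confirm from a client that a service accepts exactly the versions passed to -ssl-protocols, each version can be probed with openssl s_client. The script below is an added example, not a Plesk utility or part of the original article; its function names are hypothetical. It assumes OpenSSL 1.1.1 or later on the machine running the check.

```shell
# Added example (not a Plesk tool): report which TLS versions a service accepts.
ALL_PROTOCOLS='TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'

# Map a protocol name as used by -ssl-protocols to the openssl s_client flag.
proto_flag() {
    case "$1" in
        TLSv1)   echo '-tls1' ;;
        TLSv1.1) echo '-tls1_1' ;;
        TLSv1.2) echo '-tls1_2' ;;
        TLSv1.3) echo '-tls1_3' ;;
        *) return 1 ;;
    esac
}

# Read s_client output on stdin; succeed only if a cipher was negotiated.
handshake_ok() { grep 'Cipher is' | grep -qv '(NONE)'; }

# Probe one version; extra args (e.g. -starttls smtp) go to s_client.
# SECLEVEL=0 lets a newer OpenSSL client still offer TLSv1 and TLSv1.1.
probe() {
    p_flag=$(proto_flag "$3") || return 2
    p_target="$1:$2"; shift 3
    openssl s_client -connect "$p_target" "$p_flag" \
        -cipher 'DEFAULT@SECLEVEL=0' "$@" </dev/null 2>&1 | handshake_ok
}

# Compare the intended list ($1) with the accepted list ($2).
compare() {
    c_rc=0
    for c_p in $ALL_PROTOCOLS; do
        case " $1 " in *" $c_p "*) c_want=1 ;; *) c_want=0 ;; esac
        case " $2 " in *" $c_p "*) c_got=1 ;; *) c_got=0 ;; esac
        if [ "$c_want" = 0 ] && [ "$c_got" = 1 ]; then
            echo "UNEXPECTED: $c_p is still accepted"; c_rc=1
        elif [ "$c_want" = 1 ] && [ "$c_got" = 0 ]; then
            echo "MISSING: $c_p is not accepted"; c_rc=1
        fi
    done
    return "$c_rc"
}

# audit HOST PORT 'ALLOWED PROTOCOLS' [s_client options]
audit() {
    a_host=$1; a_port=$2; a_allowed=$3; a_seen=''; shift 3
    for a_p in $ALL_PROTOCOLS; do
        if probe "$a_host" "$a_port" "$a_p" "$@"; then a_seen="$a_seen $a_p"; fi
    done
    compare "$a_allowed" "$a_seen"
}
if [ "$#" -ge 3 ]; then audit "$@"; fi
```

Saved under a name of your choice and run with a host, a port and the intended list (for a mail service, append -starttls smtp), it prints nothing and exits 0 when the service matches. If every allowed version is reported as MISSING, check connectivity and the local openssl build before concluding that the protocol is disabled.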