[solved] [Question]How to disable TLS1.0 and enable 1.3 on Plesk + LSWS ?

Discussion in 'General' started by qtwrk, Nov 29, 2017.

  1. qtwrk

    qtwrk Member

    [Question]How to disable TLS1.0 and enable 1.3 on Plesk + LSWS ?

    Hi guys.

    I have Plesk + LSWS , and I saw https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:disable-tls1?s[]=tls this guide

    apparently that one was for cpanel so I "adapted" a little bit and added
    SSLHonorCipherOrder On
    SSLProtocol -All +TLSv1.1 +TLSv1.2 +TLSv1.3
    to /etc/httpd/conf/httpd.conf and restarted lsws , but unfortunately seems it doesn't work out that way.

    so how can i do it ?

    thanks in advance :)
  2. NiteWave

    NiteWave Administrator

    that's apache directives, should apply for Plesk and cPanel.
    how about switch to apache ?
  3. qtwrk

    qtwrk Member

    I got this error on apache

    Attached Files:

    • 1.JPG
      File size:
      40.3 KB
  4. NiteWave

    NiteWave Administrator

    it means apache doesn't recognize tls1.3 --- this will not be a problem when switching to litespeed
    you can remove tls1.3 to bypass this error temporarily under apache, see if there is other error messages and try to fix them.
    if all are ok then switch to litespeed, see if all ok; then add tls1.3, restart litespeed, see if all is ok as well.
  5. qtwrk

    qtwrk Member

    it seems apache doesn't understand what is "tls 1.3" , if i set it to 1.2 or 1.1 , it works fine.

    as far as I see , LSWS is NOT reading conf from apache in this case.

    i set it to only use TLS1.1 and on apache , my firefox was connected to it with TLS1.1 , and if I switch to LSWS without editing anything , LSWS just returns to TLS1.2

    so I think LSWS is not reading apache conf.
  6. NiteWave

    NiteWave Administrator

    tested latest lsws 5.2.2 build 5:
    lsws does read and parse apache's httpd.conf
    SSLProtocol -All +TLSv1.1 +TLSv1.2 +TLSv1.3
    1) it's true : TLSv1.2 and TLSv1.3 is not recognized and completely ignored.
    but for TLSv1.3, apache mod_ssl not support it yet.
    2) but litespeed actually support TLSv1.3 while apache not yet
    to have litespeed support TLSv1.3. just comment or delete SSLProtocal directive.
    without SSLProtocal, the default is
    support TLSv1.0/1.1/1.2/1.3
    not support: ssl v2/3
    3) to support tlsv1.2 + 1.3 only ?
    SSLProtocol All -TLSv1.0 -TLSv1.1
    not tested this myself, but should act as expected based on test 1) and 2)

    note: repeat one more time, above tests is based on lsws 5.2.2 build 5, may change in future version/build. for example, TLSv1.3 may be found not secure in some time later ? then TLSv1.3 should not be included as default one.
    Last edited: Dec 4, 2017
  7. qtwrk

    qtwrk Member

    much appreciated :)

Share This Page