[Resolved] [Question]How to disable TLS1.0 and enable 1.3 on Plesk + LSWS ?

[qtwrk]

[Question]How to disable TLS1.0 and enable 1.3 on Plesk + LSWS ?

Hi guys.

I have Plesk + LSWS , and I saw https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:disable-tls1?s[]=tls this guide

apparently that one was for cpanel so I "adapted" a little bit and added

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1.1 +TLSv1.2 +TLSv1.3

to /etc/httpd/conf/httpd.conf and restarted lsws , but unfortunately seems it doesn't work out that way.

so how can i do it ?

thanks in advance

 

[NiteWave]

that's apache directives, should apply for Plesk and cPanel.
how about switch to apache ?

 

[qtwrk]

that's apache directives, should apply for Plesk and cPanel.
how about switch to apache ?

I got this error on apache

 

[NiteWave]

it means apache doesn't recognize tls1.3 --- this will not be a problem when switching to litespeed
you can remove tls1.3 to bypass this error temporarily under apache, see if there is other error messages and try to fix them.
if all are ok then switch to litespeed, see if all ok; then add tls1.3, restart litespeed, see if all is ok as well.

 

[qtwrk]

it means apache doesn't recognize tls1.3 --- this will not be a problem when switching to litespeed
you can remove tls1.3 to bypass this error temporarily under apache, see if there is other error messages and try to fix them.
if all are ok then switch to litespeed, see if all ok; then add tls1.3, restart litespeed, see if all is ok as well.

it seems apache doesn't understand what is "tls 1.3" , if i set it to 1.2 or 1.1 , it works fine.

as far as I see , LSWS is NOT reading conf from apache in this case.

i set it to only use TLS1.1 and on apache , my firefox was connected to it with TLS1.1 , and if I switch to LSWS without editing anything , LSWS just returns to TLS1.2

so I think LSWS is not reading apache conf.

 

[NiteWave]

update:
tested latest lsws 5.2.2 build 5:
lsws does read and parse apache's httpd.conf
regarding
SSLProtocol -All +TLSv1.1 +TLSv1.2 +TLSv1.3
1) it's true : TLSv1.2 and TLSv1.3 is not recognized and completely ignored.
but for TLSv1.3, apache mod_ssl not support it yet.
2) but litespeed actually support TLSv1.3 while apache not yet
to have litespeed support TLSv1.3. just comment or delete SSLProtocal directive.
without SSLProtocal, the default is
support TLSv1.0/1.1/1.2/1.3
not support: ssl v2/3
3) to support tlsv1.2 + 1.3 only ?
SSLProtocol All -TLSv1.0 -TLSv1.1
not tested this myself, but should act as expected based on test 1) and 2)

note: repeat one more time, above tests is based on lsws 5.2.2 build 5, may change in future version/build. for example, TLSv1.3 may be found not secure in some time later ? then TLSv1.3 should not be included as default one.

 

[qtwrk]

update:
tested latest lsws 5.2.2 build 5:
lsws does read and parse apache's httpd.conf
regarding
SSLProtocol -All +TLSv1.1 +TLSv1.2 +TLSv1.3
1) it's true : TLSv1.2 and TLSv1.3 is not recognized and completely ignored.
but for TLSv1.3, apache mod_ssl not support it yet.
2) but litespeed actually support TLSv1.3 while apache not yet
to have litespeed support TLSv1.3. just comment or delete SSLProtocal directive.
without SSLProtocal, the default is
support TLSv1.0/1.1/1.2/1.3
not support: ssl v2/3
3) to support tlsv1.2 + 1.3 only ?
SSLProtocol All -TLSv1.0 -TLSv1.1
not tested this myself, but should act as expected based on test 1) and 2)

much appreciated