Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision Last revision Both sides next revision | ||
|
litespeed_wiki:plesk:enable_tls_13 [2018/07/02 16:49] qtwrk created |
litespeed_wiki:plesk:enable_tls_13 [2018/08/08 22:48] qtwrk [Disable Weak Cipher Suites (Optional)] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | By default, Plesk configuration enables TLS1.0 , TLS1.1 and TLS1.2. This guide will show you how to enable TLS 1.3. This guide is made and tested on Plesk 17.8 and Centos 7.5, for Debian/Ubuntu Plesk ,configuration files would be located in different location. | + | ====== Enhance Plesk Security by Enabling TLS 1.3 ====== |
| + | You can enhance Plesk's security features by enabling TLS 1.3 and disabling weak cipher suites. | ||
| + | By default, Plesk configuration enables TLS1.0 , TLS1.1 and TLS1.2. This guide will show you how to enable TLS 1.3. | ||
| - | 1. Edit file /etc/httpd/conf.d/ssl.conf. | + | This guide is made and tested on Plesk 17.8 and Centos 7.5. For Debian/Ubuntu Plesk ,configuration files should be located in ''/etc/apache2/mods-available/ssl.conf''. |
| + | {{:litespeed_wiki:plesk:plesktls13-1.png|}} | ||
| - | Find following lines: | + | ===== Enabling TLS1.3 ===== |
| + | Edit the file ''/etc/httpd/conf.d/ssl.conf''. | ||
| + | Find the following line and comment out (you can use # ): | ||
| + | <code><IfModule mod_ssl.c> | ||
| SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 | SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 | ||
| + | SSLCipherSuite HIGH:!aNULL:!MD5 | ||
| + | </IfModule></code> | ||
| - | + | Replace it with: | |
| - | Replace first line to the following: | + | <code><IfModule LiteSpeed> |
| SSLProtocol TLSv1.1 TLSv1.2 TLSv1.3 | SSLProtocol TLSv1.1 TLSv1.2 TLSv1.3 | ||
| + | SSLCipherSuite HIGH:!aNULL:!MD5 | ||
| + | </IfModule></code> | ||
| - | This is enables TLS1.1 , TLS1.2 and TLS1.3 | + | This enables TLS1.1 , TLS1.2 and TLS1.3 |
| + | {{:litespeed_wiki:plesk:plesktls13-2.png|}} | ||
| - | so in case if you want to disable TLS1.1 as well, then make it: | + | If you want to disable TLS1.1 as well, then change the line to: |
| + | <code>SSLProtocol TLSv1.2 TLSv1.3</code> | ||
| - | SSLProtocol TLSv1.2 TLSv1.3 | + | ===== Disable Weak Cipher Suites (Optional) ===== |
| + | {{:litespeed_wiki:plesk:plesktls13-3.jpg|}} | ||
| + | By default, Plesk also comes with some weak cipher suites. If you want to disable them, find the following line: | ||
| + | <code>SSLCipherSuite HIGH:!aNULL:!MD5</code> | ||
| + | And replace it with: | ||
| + | <code>SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</code> | ||
| + | {{:litespeed_wiki:plesk:plesktls13-4.png|}} | ||
| + | Be aware, this may cause CPU load. | ||
| - | SSLCipherSuite HIGH:!aNULL:!MD5 | + | Testing is done through [[https://www.ssllabs.com/ssltest/|SSL Lab]]. |
| - | SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | + | |
| - | + | ||
| - | + | ||
| - | Test is done by SSL Lab | + | |