How to enable/disable a particular TLS version in Plesk 12.5 or higher

 

Instead of editing the Apache configuration files directly, you can run a Plesk command that makes the same change. This lets you quickly enable or disable TLS 1.0/1.1.

 

  • TLS 1.1/1.0 cannot be disabled if you are running Apache 2.2.23 or lower
  • If the OS is too old, please contact your Account Manager to arrange an upgrade to a new system


1. Connect to the Plesk server via SSH as "root".
2. Run this command to enable only TLS 1.2 server-wide:

# plesk bin server_pref -u -ssl-protocols 'TLSv1.2'

To disable TLS 1.0 and keep 1.1 and 1.2 for all Plesk web services:

# plesk sbin sslmng --protocols="TLSv1.1 TLSv1.2"

If you need to strengthen the SSL ciphers to pass typical PCI DSS setups, you can use the following. This assumes you leave only TLS 1.2 and disable everything else:

First check to see what ciphers are in use:

# grep SSLCipher /etc/httpd/conf.d/ssl.conf

If any ciphers are configured, open the file in your favorite editor, comment out the previous configuration, and then use the following:

#SSLCipherSuite

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
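
To confirm the edit, the following added example (not part of the original article and not a Plesk tool) checks that every active SSLCipherSuite directive in a config file contains only suites from the list above. The function names and the sample file are constructed for illustration; on the server, pass /etc/httpd/conf.d/ssl.conf instead.

```shell
#!/bin/sh
# Added example: audit ssl.conf after the cipher change described above.
# ALLOWED is copied from the SSLCipherSuite line in this article.
ALLOWED="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

# Print the value of every active (uncommented) SSLCipherSuite directive.
# Apache directive names are case-insensitive; commented lines start with '#'.
active_cipher_lines() {
    awk 'tolower($1) == "sslciphersuite" { $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# Print each configured suite that is not in ALLOWED, one per line.
unexpected_suites() {
    active_cipher_lines "$1" | tr -d '"' | tr ':' '\n' | while read -r suite; do
        [ -z "$suite" ] && continue
        case ":$ALLOWED:" in
            *":$suite:"*) ;;                 # suite is in the list
            *) printf '%s\n' "$suite" ;;     # leftover from an old config
        esac
    done
}

# Return 0 only if a directive is active and all of its suites are allowed.
audit_ssl_conf() {
    count=$(active_cipher_lines "$1" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "FAIL: no active SSLCipherSuite directive in $1"
        return 1
    fi
    bad=$(unexpected_suites "$1" | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "FAIL: suites outside the list: $bad"
        return 1
    fi
    echo "OK: $count active directive(s), all suites in the list"
}

# Constructed sample: ssl.conf after the edit, old line commented out.
demo_conf=$(mktemp)
cat > "$demo_conf" <<EOF
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite $ALLOWED
EOF
audit_ssl_conf "$demo_conf" || true
rm -f "$demo_conf"
```

A file with no active directive is reported as a failure because Apache then falls back to its default cipher string rather than the list above.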