Instead of editing the Apache configuration files directly, you can run a Plesk command that makes the same change. This lets you quickly enable or disable TLS 1.0/1.1.
- TLS 1.1/1.0 cannot be disabled if you are running Apache 2.2.23 or lower
- If the OS is too old, please contact your Account Manager and work out an upgrade to a new system
1. Connect to the Plesk server via SSH as "root".
2. Run this command to enable TLS 1.2 ONLY server-wide:
# plesk bin server_pref -u -ssl-protocols 'TLSv1.2'
To disable TLS 1.0 and keep 1.1 and 1.2 for all Plesk web services:
# plesk sbin sslmng --protocols="TLSv1.1 TLSv1.2"
If you need to strengthen the SSL ciphers to pass typical PCI DSS setups, you can use the following. This assumes you leave only TLS 1.2 enabled and disable everything else:
First, check which ciphers are in use:
# grep SSLCipher /etc/httpd/conf.d/ssl.conf
If any ciphers are configured, use your favorite editor to comment out the previous configuration and then add the following:
#SSLCipherSuite
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
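
After editing, it is easy to miss a second SSLCipherSuite directive (for example inside a virtual host) that still carries the old list. The script below is an added example, not part of the original article or of Plesk: it reports every token in an active SSLCipherSuite directive that is not one of the ten suites listed above. The function names `audit_ciphers` and `sample_conf` are hypothetical and the sample configuration is constructed; on a real server, pass /etc/httpd/conf.d/ssl.conf to `audit_ciphers`.

```shell
#!/bin/sh
# Suites from the article's SSLCipherSuite line (the allow-list for this audit).
ALLOWED="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

# Print every token from active (uncommented) SSLCipherSuite directives in
# file $1 that is not on the allow-list.
# Returns 0 = clean, 1 = something flagged,
#         2 = no active SSLCipherSuite directive found (or file unreadable).
audit_ciphers() {
    # Directive names are case-insensitive in Apache; lines starting with '#'
    # do not match because only whitespace may precede the keyword.
    lines=$(grep -Ei '^[[:space:]]*SSLCipherSuite[[:space:]]' "$1") || return 2
    flagged=$(printf '%s\n' "$lines" |
        awk '{ print $NF }' | tr ':' '\n' |   # last field holds the cipher spec
        while IFS= read -r suite; do
            [ -n "$suite" ] || continue
            case ":$ALLOWED:" in
                *":$suite:"*) ;;                # on the allow-list
                *) printf '%s\n' "$suite" ;;    # anything else is reported
            esac
        done | sort -u)
    [ -z "$flagged" ] && return 0
    printf '%s\n' "$flagged"
    return 1
}

# Constructed sample: the old directive is commented out and the server-wide
# list is fine, but one virtual host still carries legacy suites.
sample_conf() {
    cat <<'EOF'
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
<VirtualHost *:443>
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:AES128-SHA
</VirtualHost>
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_ciphers "$tmp" || echo "audit exit status: $?"
rm -f "$tmp"
```

An exit status of 2 means the file has no active SSLCipherSuite directive, so the server is using its built-in default cipher list rather than the one above.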