TLS versions can be enabled or disabled from the command line.
Use the following steps to set the TLS versions.
- Connect to the server via SSH.
- To enable TLSv1.1 and TLSv1.2 server-wide, run the command below.
- # plesk bin server_pref -u -ssl-protocols 'TLSv1.1 TLSv1.2'
- To enable TLSv1.1 and TLSv1.2 for the web services, run the command below.
- # plesk sbin sslmng --protocols="TLSv1.1 TLSv1.2"
- Next, review the Apache SSL cipher list. For further information, see the Apache documentation at https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html
- # grep SSLCipher /etc/httpd/conf.d/ssl.conf
- To leave only TLS 1.2 support, the cipher list could be set as follows:
- SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
Note: TLSv1 can only be disabled on Apache version 2.2.23 or higher. Always check the Apache version before attempting to disable TLSv1.
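
A quick audit for the cipher-list step above, as an added example that is not part of the original page: the `legacy_suites` function (a hypothetical name) reads Apache configuration text and prints every SSLCipherSuite entry that is not TLS 1.2-only. Classifying suites by their OpenSSL name is an assumption of this example, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Classification is by OpenSSL
# suite name, which is an assumption; `openssl ciphers -v` is authoritative.

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF='#SSLCipherSuite HIGH:!aNULL
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-SHA:!aNULL'

# legacy_suites (hypothetical helper): reads Apache config text on stdin and
# prints each SSLCipherSuite entry that can be negotiated below TLS 1.2 or
# that cannot be classified by name (aliases such as HIGH).
legacy_suites() {
    # Keep active (uncommented) directives only, then split the list on ':'.
    sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]\{1,\}//p' |
    tr -d '"' | tr ': ' '\n\n' |
    while IFS= read -r suite; do
        case "$suite" in
            # Empty token, or an exclusion that removes suites from the list.
            '' | '!'* | -*) ;;
            # Names that spell out CBC (PSK, SRP, 3DES families) are usable
            # before TLS 1.2, even when they end in SHA256/SHA384.
            *CBC*) printf '%s\n' "$suite" ;;
            # AEAD suites and SHA-2 MAC suites exist only from TLS 1.2 on.
            *GCM* | *CCM* | *CHACHA20* | *-SHA256 | *-SHA384) ;;
            # Everything else: SHA-1/MD5 suites and unclassifiable aliases.
            *) printf '%s\n' "$suite" ;;
        esac
    done
}

# On the server: legacy_suites < /etc/httpd/conf.d/ssl.conf
printf '%s\n' "$SAMPLE_CONF" | legacy_suites
```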