How to enable/disable a particular TLS version in Plesk on Linux

TLS versions are enabled or disabled from the command line.

Use the following steps to set the TLS versions.

  1. Connect to the server via SSH.
  2. To enable TLSv1.1 and TLSv1.2 server-wide, run the command below.
    • # plesk bin server_pref -u -ssl-protocols 'TLSv1.1 TLSv1.2'
  3. To enable TLSv1.1 and TLSv1.2 for the web services, run the command below.
    • # plesk sbin sslmng --protocols="TLSv1.1 TLSv1.2"
  4. Next, review the Apache SSL cipher list. For further information, see the Apache documentation at https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html
    • # grep SSLCipher /etc/httpd/conf.d/ssl.conf
    • To leave only TLS 1.2 support, it could be set as follows: SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Note: TLSv1 can only be disabled on Apache version 2.2.23 or higher. Always check the Apache version before attempting to disable TLSv1.
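
The checks from step 4 and the note can be scripted. The following is an added example, not part of the original article and not Plesk or Apache tooling: it compares an Apache version against 2.2.23 and lists SSLCipherSuite entries that are not TLS 1.2-only. The function names and the sample input are hypothetical and constructed, and the cipher test is a name-based heuristic.

```shell
#!/bin/sh
# Added example: audit helpers (hypothetical names), not Plesk or Apache tooling.

# apache_version: read `httpd -v` output on stdin, print the dotted version.
apache_version() { sed -n 's|.*Apache/\([0-9][0-9.]*\).*|\1|p'; }

# version_ge A B: succeed when dotted version A >= B, compared field by field.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# non_tls12_ciphers FILE: print SSLCipherSuite entries that are not TLS 1.2-only.
# Heuristic on OpenSSL names: AEAD suites (GCM, CCM, CHACHA20) and suites with a
# -SHA256/-SHA384 MAC need TLS 1.2; anything else (for example a -SHA suite or a
# keyword such as HIGH) is reported. Exclusions (!x, -x) are skipped.
non_tls12_ciphers() {
    grep -i '^[[:space:]]*SSLCipherSuite' "$1" |
    sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//' | tr -d '"' | tr ': ' '\n\n' |
    while read -r suite; do
        case $suite in
            ''|'!'*|-*) ;;
            *GCM*|*CCM*|*CHACHA20*|*-SHA256|*-SHA384) ;;
            *) printf '%s\n' "$suite" ;;
        esac
    done
}

# Constructed sample config, not taken from a real server.
sample_conf() {
    cat <<'EOF'
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-SHA:!aNULL
EOF
}

# Demo on constructed input; on a server use: httpd -v | apache_version
v=$(echo 'Server version: Apache/2.2.15 (Unix)' | apache_version)
version_ge "$v" 2.2.23 || echo "Apache $v is older than 2.2.23"
conf=$(mktemp) && sample_conf > "$conf"
non_tls12_ciphers "$conf"
rm -f "$conf"
```

An empty result from non_tls12_ciphers means every listed suite requires TLS 1.2, which is the case for the cipher list given in step 4.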