[Resolved] [Question] How to disable TLS1.0 and enable 1.3 on Plesk + LSWS?

Status
Not open for further replies.

qtwrk

Well-Known Member
#1

Hi guys.

I have Plesk + LSWS, and I saw this guide: https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:disable-tls1?s[]=tls

Apparently that one was for cPanel, so I "adapted" it a little bit and added
Code:
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1.1 +TLSv1.2 +TLSv1.3
to /etc/httpd/conf/httpd.conf and restarted lsws, but unfortunately it seems it doesn't work out that way.

So how can I do it?

Thanks in advance :)
 
Last edited by a moderator:

NiteWave

Administrator
#4
It means Apache doesn't recognize tls1.3; this will not be a problem when switching to LiteSpeed.
You can remove tls1.3 to bypass this error temporarily under Apache, see if there are other error messages and try to fix them.
If all is OK, then switch to LiteSpeed and see if all is OK; then add tls1.3, restart LiteSpeed, and see if all is OK as well.
 

qtwrk

Well-Known Member
#5
It seems Apache doesn't understand what "tls 1.3" is; if I set it to 1.2 or 1.1, it works fine.

As far as I see, LSWS is NOT reading conf from Apache in this case.

I set it to only use TLS1.1, and on Apache my Firefox was connected to it with TLS1.1; if I switch to LSWS without editing anything, LSWS just returns to TLS1.2.

So I think LSWS is not reading the Apache conf.
 

NiteWave

Administrator
#6
Update:
Tested the latest lsws 5.2.2 build 5:
lsws does read and parse Apache's httpd.conf.
Regarding
SSLProtocol -All +TLSv1.1 +TLSv1.2 +TLSv1.3
1) It's true: TLSv1.2 and TLSv1.3 are not recognized and are completely ignored.
But for TLSv1.3, Apache mod_ssl does not support it yet.
2) But LiteSpeed actually supports TLSv1.3 while Apache does not yet.
To have LiteSpeed support TLSv1.3, just comment out or delete the SSLProtocol directive.
Without SSLProtocol, the default is:
supported: TLSv1.0/1.1/1.2/1.3
not supported: SSL v2/3
3) To support TLSv1.2 + 1.3 only?
SSLProtocol All -TLSv1.0 -TLSv1.1
I have not tested this myself, but it should act as expected based on tests 1) and 2).

Note: to repeat one more time, the above tests are based on lsws 5.2.2 build 5 and may change in a future version/build. For example, TLSv1.3 may be found not secure some time later? Then TLSv1.3 should not be included as a default.
 
Last edited:
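
Added example (not part of the thread and not LiteSpeed's code): the thread checks the negotiated protocol by hand in Firefox, so this sketch probes each TLS version against the running server with Python's ssl module and compares the result with the TLSv1.2 + 1.3 policy from item 3) above. The names `probe` and `deviations` and the file name in the usage comment are assumptions made for this example.

```python
import socket
import ssl
import sys
import warnings

VERSIONS = {  # the protocol versions discussed in the thread, oldest first
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe(host, port, version, timeout=5.0):
    """True if a handshake pinned to `version` succeeds, False if it fails,
    None if the local OpenSSL build cannot offer that version at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # protocol support is tested, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            # Recent OpenSSL builds only offer TLS 1.0/1.1 at security level 0.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            ctx.minimum_version = ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except OSError:  # includes ssl.SSLError, refused connections and timeouts
        return False

def deviations(observed, allowed=("TLSv1.2", "TLSv1.3")):
    """Compare probe results with the intended policy; return the mismatches."""
    problems = []
    for name, accepted in observed.items():
        if accepted is None:
            problems.append(f"{name}: not testable with this OpenSSL build")
        elif accepted and name not in allowed:
            problems.append(f"{name}: accepted but should be disabled")
        elif not accepted and name in allowed:
            problems.append(f"{name}: refused but should be enabled")
    return problems

if __name__ == "__main__":  # usage: python tls_probe.py your.host [port]
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    observed = {name: probe(host, port, v) for name, v in VERSIONS.items()}
    print(observed, *(deviations(observed) or ["matches policy"]), sep="\n")
```

Running it once under Apache and again after switching to LSWS shows whether the same httpd.conf produces the same protocol set on both servers.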

qtwrk

Well-Known Member
#7
much appreciated :)
 