TLS, and its predecessor SSL, are protocols for browsers and web servers (amongst other things) to exchange encrypted data. So if you’re running a web server you’ll be using one or more of these protocols.
Like most internet technology these have evolved over the years, and there are earlier, deprecated versions that you shouldn’t be using unless you have a special reason to do so. It’s not immediately obvious in normal usage which protocol is being used, and if, like us, you use Plesk to manage your webserver you might not have paid any attention to this as there’s no mention of them in the graphic interface.
This is how to make sure your server is up to date and using the most secure versions only.
How to tell which TLS protocol you are using
It’s not obvious from within Plesk, but you can easily find out by using this online test. Do this before you change anything, so if it doesn’t work you can turn it back. Note down which protocols are active on your server at the moment.
Why should you update your TLS?
Obviously it’s a good idea to be using the latest versions, because they are more secure. That’s pretty straightforward. What is less obvious is that you may also need to actively disable the older versions, because if you don’t, a malicious attacker will be able to force your server to use the older, less secure protocols meaning the new secure ones are doing no good.
Will turning off older protocols break anything?
In theory, yes it might. But in practice, no, it’s not very likely. And if it does, you can easily change it back again. All modern browsers use modern TLS protocols, so if all you are doing on your server is serving up websites then you almost certainly will have no problem. If you’ve got some very old software running on your server, or something built specially that has not been updated, it is possible that it uses the older protocols and will stop working. Very old mobile phones (like pre-2012) might also no longer be able to visit your sites. But even if these things happen, nothing will be lost, and if you decide that the security risk is worth it you can just put things back to how they were.
How to disable early versions of TLS on Plesk for Linux
The official Plesk documentation is here and gives more detail in what to do – although it gives an example with an out-of-date TLS version in it, so here’s our suggestion.
First of all if you’re still using Plesk Premium Antivirus you should probably not do this, it might break it. But assuming you’re not, carry on and open a SSH session into your server.
Run the following command to disable all protocols except TLSv1.2 and TLSv1.3, which at the time of writing are the recommended two protocols to use.
plesk bin server_pref -u -ssl-protocols 'TLSv1.2 TLSv1.3'
If this works, you will see the following message:
SUCCESS: Server preferences are successfully updated
How to re-enable TLS versions
If you want to change this back for whatever reason, you can run the same command again with a different string of protocols. So for example if you want to enable TLS versions 1.1, 1.2 and 1.3, (not recommended) then use this command:
plesk bin server_pref -u -ssl-protocols 'TLSv1.1 TLSv1.2 TLSv1.3'