Users of out-of-date web browsers may receive an error message similar to the following: 


If the web browser (e.g. Mozilla Firefox or Google Chrome) is too far out of date, it can’t support modern cipher standards and falls back to an older variant. This backwards compatibility is the default for most NGINX- and Plesk-based systems. You can check the supported ciphers offered by the server using the Qualys SSL Labs Test.

From running the test, you may see a warning like the following: 

Server negotiated HTTP/2 with blacklisted suite

This is still considered to be secure, and Qualys provide an A rating for this configuration, as the only browsers affected are those well out of date (for example, Chrome 49 and lower and Firefox 48 and lower). This isn’t a fault of the server; it is the default behaviour, in accordance with RFC 7540:

Note that clients might advertise support of cipher suites that are
on the black list in order to allow for connection to servers that do
not support HTTP/2. This allows servers to select HTTP/1.1 with a
cipher suite that is on the HTTP/2 black list. However, this can
result in HTTP/2 being negotiated with a black-listed cipher suite if
the application protocol and cipher suite are independently selected.

The most effective way to resolve this is for the client to update their web browser, as running out-of-date software is a significant security risk. If you wish to remove all of the old cipher suites (which will break backwards compatibility), this can be done via the PCI-DSS lockdown within Plesk.
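To see how the independent selection described in the RFC 7540 passage produces the SSL Labs warning, the following added example (not part of the original article or of Plesk/NGINX) simulates a handshake in which the cipher and the application protocol are chosen separately. It assumes OpenSSL-style cipher names, uses a name-based heuristic for the RFC's rule (ephemeral key exchange plus AEAD) rather than the literal black list, and all cipher lists and function names are constructed for illustration.

```python
# Added example: OpenSSL-style cipher names. All lists below are constructed.
EPHEMERAL_KX = ("ECDHE-", "DHE-")
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")

def h2_blacklisted(cipher):
    """Heuristic for the RFC 7540 rule: a suite that is not ephemeral
    key exchange combined with an AEAD cipher is on the HTTP/2 black list."""
    if cipher.startswith("TLS_"):  # OpenSSL names for TLS 1.3 suites; none are listed
        return False
    ephemeral = cipher.startswith(EPHEMERAL_KX)
    aead = any(marker in cipher for marker in AEAD_MARKERS)
    return not (ephemeral and aead)

def negotiate(server_prefs, client_ciphers, client_alpn,
              server_alpn=("h2", "http/1.1")):
    """Select cipher and application protocol independently of each other."""
    cipher = next((c for c in server_prefs if c in client_ciphers), None)
    proto = next((p for p in server_alpn if p in client_alpn), None)
    return cipher, proto

def audit(server_prefs, client_ciphers, client_alpn):
    """Return (cipher, protocol, warning) for one simulated handshake."""
    cipher, proto = negotiate(server_prefs, client_ciphers, client_alpn)
    warning = proto == "h2" and cipher is not None and h2_blacklisted(cipher)
    return cipher, proto, warning

# Constructed server preference order (the server's order decides).
SERVER_PREFS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA",          # CBC suite kept for backwards compatibility
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
]
# Hypothetical out-of-date client: speaks h2 but lacks AES256-GCM.
OLD_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA",
              "ECDHE-RSA-AES128-SHA", "AES128-SHA"]
# Hypothetical current client.
MODERN_CLIENT = ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                 "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    for name, offer in (("old", OLD_CLIENT), ("modern", MODERN_CLIENT)):
        print(name, audit(SERVER_PREFS, offer, ["h2", "http/1.1"]))
```

Only the old client triggers the warning: the server's first mutual cipher is a CBC suite, while ALPN still selects h2 on its own.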
