Upstream has indicated via http://mailman.nginx.org/pipermail/nginx-devel/2019-July/012430.html that to their knowledge, with TLS1.3 enabled, there is no other 'TLS 1.3' behavior not handled by OpenSSL that is otherwise introduced by default.
Note that in NGINX Upstream, and down here in Ubuntu, the default nginx.conf file that's going to be available by this SRU doesn't actually *enable* TLS 1.3 by default - that will be the largest difference. TLS 1.3 will be enabled only if enabled by the administrator, at which point all TLS1.3 risk and compatibility assumptions are accepted by the sysadmin who actually enables it.

** Description changed:

  [Impact]

  Upstream NGINX notified me that for proper TLS1.3 controls in NGINX it needs to be rebuilt against OpenSSL 1.1.1, which is now in Bionic.

  [Test Case]

  PREREQUISITES:

- (1) Install `curl` and `ssl-cert` if not already installed.
- (2) Replace the contents of /etc/nginx/sites-available/default with the contents of the attached `test-config-ssl.conf` file attached on this bug.
+ (1) Install `ssl-cert` if not already installed.
+ (2) Install latest OpenSSL from bionic-updates. This includes libssl, etc.

- (3) Install the current NGINX version.
- (4)
+ Current Version (TLS1.3 "Used By Default" due to OpenSSL configs globally)
+ (2) Install the current NGINX version.
+ (3) Replace the contents of /etc/nginx/sites-available/default with the contents of the attached `test-config-ssl.conf` file attached on this bug.
+ (4) From the NGINX server itself, RUN: openssl s_client -tls1_3 -connect localhost:443
+
+ You should see output indicating TLS1.3 is available by default.
+
+ (5) Also run: openssl s_client -tls1_2 -connect localhost:443
+
+ It should still establish a new TLS1.2 connection.
+
+
+ New Version (TLS1.3 Available at Build Time, default Disabled by nginx configs in the package):
+
+ (5) Install the nginx version from Proposed
+ (6) Replace the contents of /etc/nginx/sites-available/default with the contents of the attached `test-config-ssl.conf` file attached on this bug.
  (7) From the NGINX server itself, RUN: openssl s_client -tls1_3 -connect localhost:443
+
+ This should fail to connect as expected (default nginx.conf doesn't
+ enable TLS1.3)
+
+ (8) Run: openssl s_client -tls1_2 -connect localhost:443
+
+ This should still work.
+
  [Regression Potential]

  Moderate but all would be due to OpenSSL versions which we can't revert to. This is a no-change rebuild, any regressions in this would be directly due to OpenSSL.

  [Other Info]

  This is based on info obtained from https://trac.nginx.org/nginx/ticket/1654

  Upstream has indicated that a rebuild against 1.1.1 shouldn't introduce any other 'oddness' that isn't already a problem due to the OpenSSL SRU independently of the NGINX rebuild. TLS1.2 and such should still function as intended, TLS1.3 will be disabled by default.

-- 
https://bugs.launchpad.net/bugs/1836366

Title:
  [SRU] No Changes Rebuild in Bionic for OpenSSL compat reasons
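The test case above checks, by hand, that the proposed package still accepts TLS 1.2 while refusing TLS 1.3 until the administrator enables it. The script below is an added example, not part of the bug report or the nginx package: it wraps the same `openssl s_client -tls1_3` / `-tls1_2` probes and reads the negotiated version out of the `SSL-Session:` block that OpenSSL 1.1.1 s_client prints on success (absent on a refused handshake). The two sample outputs are constructed and abbreviated; `check_server` is the only part that needs a live nginx on `host:port`.

```shell
# Added example, not from the bug report: verify which TLS versions an nginx
# endpoint negotiates, mirroring the SRU test case. Parsing assumes the
# "SSL-Session:" block printed by OpenSSL 1.1.1 s_client on a successful handshake.

# Constructed sample output (abbreviated) of a successful TLS 1.3 handshake.
SAMPLE_TLS13='CONNECTED(00000003)
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'

# Constructed sample output of a server that rejects the requested version.
SAMPLE_REFUSED='CONNECTED(00000003)
error:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
no peer certificate available'

# Print the negotiated protocol found in s_client output, or "none".
negotiated_protocol() {
    proto=$(printf '%s\n' "$1" \
        | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1)
    if [ -n "$proto" ]; then printf '%s\n' "$proto"; else printf 'none\n'; fi
}

# Connect with one forced version flag (e.g. -tls1_3) and report the result.
# A refused connection is expected in some cases, so the exit code is ignored.
probe() {
    host=$1; flag=$2
    out=$(openssl s_client "$flag" -connect "$host" </dev/null 2>&1) || true
    negotiated_protocol "$out"
}

# Compare observed vs expected protocol; returns 0 only on a match.
expect_protocol() {
    if [ "$2" = "$3" ]; then printf 'OK   %s -> %s\n' "$1" "$2"; return 0; fi
    printf 'FAIL %s -> %s (expected %s)\n' "$1" "$2" "$3"; return 1
}

# Whole-server check: $1 host:port, $2 expected -tls1_3 result ("none" for the
# proposed package, "TLSv1.3" for the current one); TLS 1.2 must always work.
check_server() {
    rc=0
    expect_protocol -tls1_3 "$(probe "$1" -tls1_3)" "$2" || rc=1
    expect_protocol -tls1_2 "$(probe "$1" -tls1_2)" TLSv1.2 || rc=1
    return $rc
}

# Offline demonstration on the constructed samples.
negotiated_protocol "$SAMPLE_TLS13"    # TLSv1.3
negotiated_protocol "$SAMPLE_REFUSED"  # none
```

On the nginx host, `check_server localhost:443 none` exercises steps (7) and (8) for the proposed package, and `check_server localhost:443 TLSv1.3` steps (4) and (5) for the current one.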