Bug#982745: nginx-common: don't enable TLSv1 or TLSv1.1 in default configuration

2021-04-23 Thread Chris Hofstaedtler
* didi.deb...@cknow.org  [210423 21:23]:
> TLSv1.2 was defined in 2008, so I don't think it's too 'wild' to use that
> as a default for security in the default configuration of nginx for Bullseye.

You seem to neglect to mention that SSL/TLS is disabled in the
default configuration. I agree that suggesting better defaults would
be preferable, but this is hardly an nginx-only problem, or would
it make nginx unusable.

Chris



Bug#982745: nginx-common: don't enable TLSv1 or TLSv1.1 in default configuration

2021-04-20 Thread Diederik de Haas
Control: severity -1 grave
Control: notforwarded -1

I did not get any response to my bug report which I tagged with 'security', so 
I'm upping the severity and believe the Debian documentation justifies it.
https://www.debian.org/Bugs/Developer#severities says:
"Most security bugs should also be set at critical or grave severity."

Feel free to downgrade the severity if you don't agree this is a security or a 
'grave' issue (which should be fixed before Bullseye is released).
But then I'll at least know someone has seen and evaluated the issue.

I've also cleared the 'forwarded' as it is not an upstream issue.
https://salsa.debian.org/nginx-team/nginx/-/merge_requests/7 still contains my 
patch which fixes this issue by removing "TLSv1 TLSv1.1" from the 
"ssl_protocols" setting in debian/conf/nginx.conf

https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0 says:
"The PCI Council suggested that organizations migrate from TLS 1.0 to TLS 1.1 
or higher before June 30, 2018. In October 2018, Apple, Google, Microsoft, and 
Mozilla jointly announced they would deprecate TLS 1.0 and 1.1 in March 2020."



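The patch referenced above only removes "TLSv1 TLSv1.1" from one ssl_protocols line. The following is an added example (not part of the bug report or the Debian nginx package) that audits an nginx config text for deprecated protocol versions in active ssl_protocols directives and rewrites them to the TLSv1.2/TLSv1.3 form shown in the reporter's changed nginx.conf; the pre-patch default line is reconstructed from the report's description, and the function names are my own.

```python
import re

# Versions the report asks to drop (TLSv1, TLSv1.1); SSLv2/SSLv3 are
# included because the stock config comment already cites POODLE.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MODERN = ["TLSv1.2", "TLSv1.3"]

# indent, protocol list up to ';', trailing text (e.g. a '# ...' comment)
_SSL_PROTOCOLS = re.compile(r"^(\s*)ssl_protocols\s+([^;#]+);(.*)$")


def audit_ssl_protocols(conf_text):
    """Return (line_no, enabled, weak) for each active ssl_protocols line."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directive, not in effect
        m = _SSL_PROTOCOLS.match(line)
        if not m:
            continue
        enabled = m.group(2).split()
        weak = [p for p in enabled if p in DEPRECATED]
        findings.append((no, enabled, weak))
    return findings


def harden_ssl_protocols(conf_text):
    """Strip deprecated versions from active ssl_protocols directives,
    keeping indentation and trailing comments; fall back to MODERN if
    nothing acceptable would remain."""
    out = []
    for line in conf_text.splitlines():
        m = _SSL_PROTOCOLS.match(line)
        if m and not line.lstrip().startswith("#"):
            indent, protos, trailer = m.groups()
            kept = [p for p in protos.split() if p not in DEPRECATED]
            line = f"{indent}ssl_protocols {' '.join(kept or MODERN)};{trailer}"
        out.append(line)
    return "\n".join(out)


# Constructed sample: the default described in the report, before the patch.
SHIPPED_DEFAULT = """\
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
}
"""

if __name__ == "__main__":
    for no, enabled, weak in audit_ssl_protocols(SHIPPED_DEFAULT):
        print(f"line {no}: enabled={enabled} weak={weak}")
    print(harden_ssl_protocols(SHIPPED_DEFAULT))
```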


Bug#982745: nginx-common: don't enable TLSv1 or TLSv1.1 in default configuration

2021-02-13 Thread didi . debian
Package: nginx-common
Version: 1.18.0-6
Severity: normal
Tags: security, patch
Forwarded: https://salsa.debian.org/nginx-team/nginx/-/merge_requests/7
X-Debbugs-Cc: Debian Security Team 

TLSv1.2 was defined in 2008, so I don't think it's too 'wild' to use that
as a default for security in the default configuration of nginx for Bullseye.
If a user must, (s)he can still enable older TLS versions themselves.
But when upgrading nginx, I got asked to install a less secure version
(i.e. with TLSv1 and TLSv1.1).

Cheers,
  Diederik

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (300, 'unstable')
Architecture: armhf (armv7l)

Kernel: Linux 4.9.0-6-rpi2 (SMP w/4 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nginx-common depends on:
ii  debconf [debconf-2.0]  1.5.74
ii  lsb-base   11.1.0

nginx-common recommends no packages.

Versions of packages nginx-common suggests:
pn  fcgiwrap   
pn  nginx-doc  
ii  ssl-cert   1.1.0

-- Configuration Files:
/etc/nginx/nginx.conf changed:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json 
application/javascript text/xml application/xml application/xml+rss 
text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}


-- debconf information:
  nginx/log-symlinks: