[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2020-03-04 Thread Bryce Harrington
Possible regression has been reported to LP: #1865900

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1845263

Title:
  [wishlist] Add TLSv1.3 support to apache2 on Bionic

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1845263/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2020-03-02 Thread Launchpad Bug Tracker
This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.12

---
apache2 (2.4.29-1ubuntu4.12) bionic; urgency=medium

  * Add TLSv1.3 support. (LP: #1845263)
    - debian/patches/tlsv1.3-support.patch: backport upstream 2.4 commit
      which introduced TLSv1.3 support.

 -- Marc Deslauriers  Tue, 03 Dec 2019 10:55:03 -0500

** Changed in: apache2 (Ubuntu Bionic)
   Status: Fix Committed => Fix Released


[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2020-02-07 Thread Simon Déziel
Tested on various Bionic machines:

The following packages will be upgraded:
   apache2 (2.4.29-1ubuntu4.11 => 2.4.29-1ubuntu4.12)
   apache2-bin (2.4.29-1ubuntu4.11 => 2.4.29-1ubuntu4.12)
   apache2-data (2.4.29-1ubuntu4.11 => 2.4.29-1ubuntu4.12)
   apache2-utils (2.4.29-1ubuntu4.11 => 2.4.29-1ubuntu4.12)
4 upgraded, 0 newly installed, 0 to remove and 19 not upgraded.


** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic


[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2020-02-07 Thread Timo Aaltonen
Hello Simon, or anyone else affected,

Accepted apache2 into bionic-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.12 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: apache2 (Ubuntu Bionic)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-bionic


[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2020-01-10 Thread Marc Deslauriers
I have uploaded a package for sponsoring by the SRU team.

** Description changed:

  Since LP: #1797386, openssl with TLS 1.3 support is available on Bionic.
  This had the nice side effect of enabling TLS 1.3 for various services
  (nginx, postfix, dovecot, etc) but not apache2.
  
  TLS 1.3 support is required to use the "modern compatibility"
  configuration recommended by Mozilla [1]. Since Bionic is an LTS release
  and apache2 is popular and in main, it would be nice to have support for
  TLS 1.3.
  
  According to [2], support for TLS 1.3 was added in version 2.4.36 while
  Bionic ships 2.4.29. Disco ships with 2.4.38 so should be OK.
  
- 
  1: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
  2: 
https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=modern&openssl-version=1.1.1
+ 
+ [Test Case]
+ 
+ See comment #3 for a test case, alternatively run the security team QRT
+ apache2 test here: https://launchpad.net/qa-regression-testing
+ 
+ [Regression Potential]
+ 
+ Enabling TLSv1.3 as an SRU will introduce a new protocol in certain
+ environments. This may be problematic for a small number of users, but
+ the benefit of having TLSv1.3 enabled greatly outweighs that.
+ 
+ From an update point of view, the patchset is quite large, but it has
+ been tested by the QRT script, and in production by users.

** Changed in: apache2 (Ubuntu Bionic)
   Status: Triaged => In Progress


[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-11-26 Thread Andreas Hasenack
Considering comments #6 and #7, lowering importance to wishlist

** Changed in: apache2 (Ubuntu Bionic)
   Importance: High => Wishlist


[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-11-25 Thread Marc Deslauriers
Thanks for testing it!


[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-11-19 Thread Simon Déziel
@mdeslaur, I've deployed your testing PPA more widely (including prod)
and tested various scenarios. I'm happy to report that we found no
problem with your backport. Can't wait for an official package :)

Thanks again!


[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-10-30 Thread Simon Déziel
@mdeslaur, thanks for that! It worked well in my albeit basic tests
using both HTTP/1.1 and HTTP/2


[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-10-18 Thread Marc Deslauriers
I put a first stab at a TLSv1.3 backport for bionic's apache2 in my
testing PPA here:

https://launchpad.net/~mdeslaur/+archive/ubuntu/testing


[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-10-10 Thread Christian Ehrhardt 
@Xnox - I did a similar check, not a deep look but maybe 30 minutes of
diff parsing.
I did come to the same conclusion. My gut feeling was more like "If
security wants to get TLSv1.3 into Bionic Apache then we'd be better off
considering to make the 2.4.38 of Disco available in Bionic (with all
the Pros and Cons that comes with)".

So yeah, IMHO 'Won't Fix' or 'Consider backport new major version'. In
between those two would be the backports pocket, but the support
statement for -backports is too weak.


[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-10-10 Thread Dimitri John Ledkov
I've had a deep look into either cherrypicking just the v1.3 support, or
backporting all of mod_ssl module, and both things looked hard.

The point of openssl 1.1.1 SRU to Bionic was not to enable TLSv1.3
everywhere. But rather to ensure it is long-term supportable. The
potential availability of TLSv1.3 was an added cherry on top.

I feel like marking this wont-fix for bionic.


[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-10-09 Thread Christian Ehrhardt 
** Tags added: bionic-openssl-1.1


[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-09-26 Thread Christian Ehrhardt 
While in many projects it is just a rebuild, here it is quite some code.

From changes in 2.4.36:
  *) SECURITY: CVE-2019-0215 (cve.mitre.org)
     mod_ssl: Fix access control bypass for per-location/per-dir client
     certificate verification in TLSv1.3.
=> commit https://github.com/apache/httpd/commit/84edf5f49db23ced03259812bbf9426685f7d82a

  *) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3.  TLSv1.3 has
     behavioural changes compared to v1.2 and earlier; client and
     configuration changes should be expected.  SSLCipherSuite is
     enhanced for TLSv1.3 ciphers, but applies at vhost level only.
     [Stefan Eissing, Yann Ylavic, Ruediger Pluem, Joe Orton]
=> branch https://github.com/apache/httpd/commits/tlsv1.3-for-2.4.x

I'm not sure on this one ...
It won't be easy and the fallout might be high.
It almost seems safer to consider MREing something >=2.4.36 completely.

But all of that is up to the security team's guidance anyway.
Waiting on them to comment.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-0215


[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-09-25 Thread Christian Ehrhardt 
Umm, for the above test I forgot: then restart apache2 and see if it
complains:

good: (no message, server starts)

bad:
Sep 25 08:12:21 b apachectl[16488]: AH00526: Syntax error on line 73 of /etc/apache2/mods-enabled/ssl.conf:
Sep 25 08:12:21 b apachectl[16488]: SSLProtocol: Illegal protocol 'TLSv1.3'
Sep 25 08:12:21 b apachectl[16488]: Action 'start' failed.


[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-09-25 Thread Christian Ehrhardt 
"Testcase" (less than full cert setup):
$ apt install apache2
$ a2enmod ssl
$ vim /etc/apache2/mods-enabled/ssl.conf
Change protocols to:
  SSLProtocol all -SSLv3 +TLSv1.2 TLSv1.3
For an SRU we might want more, but that is enough to check if a given apache
already has TLSv1.3.

With that I confirmed your expectation that >=Disco is already fine in
that regard.

** Also affects: apache2 (Ubuntu Disco)
   Importance: Undecided
   Status: New

** Also affects: apache2 (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: apache2 (Ubuntu Bionic)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

** Changed in: apache2 (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: apache2 (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: apache2 (Ubuntu Bionic)
   Status: New => Triaged

** Changed in: apache2 (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: apache2 (Ubuntu Disco)
   Status: New => Fix Released

** Changed in: apache2 (Ubuntu Disco)
   Importance: Undecided => Medium

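
The check described in the two messages above (add TLSv1.3 to SSLProtocol, then see whether apache2 complains), as an added shell example that is not part of the thread. The function names and the `--live` switch are assumptions of this example, and the sample output is constructed from the "bad" lines quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): interpret the result of the TLSv1.3 test case.
# Run with --live on a host where ssl.conf was already edited as described.

# Constructed sample, modelled on the "bad" journal lines quoted in the thread.
SAMPLE_BAD="Sep 25 08:12:21 b apachectl[16488]: AH00526: Syntax error on line 73 of /etc/apache2/mods-enabled/ssl.conf:
Sep 25 08:12:21 b apachectl[16488]: SSLProtocol: Illegal protocol 'TLSv1.3'
Sep 25 08:12:21 b apachectl[16488]: Action 'start' failed."

# Constructed sample of a passing "apache2ctl configtest".
SAMPLE_GOOD="Syntax OK"

# classify_output TEXT: print tls13-unsupported, config-error or ok.
classify_output() {
    if printf '%s\n' "$1" | grep -qF "SSLProtocol: Illegal protocol 'TLSv1.3'"; then
        echo tls13-unsupported      # mod_ssl predates the TLSv1.3 backport
    elif printf '%s\n' "$1" | grep -Eq "AH00526|Action '[a-z]+' failed"; then
        echo config-error           # some other directive is at fault
    else
        echo ok                     # no complaint: the protocol name was accepted
    fi
}

# error_location TEXT: print FILE:LINE of the first reported syntax error, if any.
error_location() {
    printf '%s\n' "$1" |
        sed -n 's/.*Syntax error on line \([0-9][0-9]*\) of \(.*\):$/\2:\1/p' |
        head -n 1
}

# check_live: run the real config test and classify what it prints.
check_live() {
    command -v apache2ctl >/dev/null 2>&1 || { echo "apache2ctl not found" >&2; return 2; }
    out=$(apache2ctl configtest 2>&1) || true
    classify_output "$out"
    error_location "$out"
}

if [ "${1:-}" = "--live" ]; then
    check_live
else
    classify_output "$SAMPLE_BAD"
    error_location "$SAMPLE_BAD"
    classify_output "$SAMPLE_GOOD"
fi
```
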

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-09-25 Thread Christian Ehrhardt 
Thanks Simon for the report, yes I've seen similar bugs for a few other 
packages already.
In many cases the security Team already has a plan or opinion about it.
Therefore I'm assigning the security team to first give us their guidance if:
- it should not be enabled, because ?
- it will be enabled by them later
- it should be enabled, but someone else has to try doing it

** Changed in: apache2 (Ubuntu)
   Importance: Undecided => Medium

** Changed in: apache2 (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)


[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-09-25 Thread Christian Ehrhardt 
** Tags added: server-next


[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-09-24 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: apache2 (Ubuntu)
   Status: New => Confirmed
