[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2020-03-04 Thread Bryce Harrington
Possible regression has been reported to LP: #1865900

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2020-03-02 Thread Launchpad Bug Tracker
This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.12

---
apache2 (2.4.29-1ubuntu4.12) bionic; urgency=medium

  * Add TLSv1.3 support. (LP: #1845263)
    - debian/patches/tlsv1.3-support.patch: backport upstream 2.4 commit which introduced TLSv1.3 support.

 -- Marc

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2020-02-07 Thread Simon Déziel
Tested on various Bionic machines:

The following packages will be upgraded:
apache2 (2.4.29-1ubuntu4.11 => 2.4.29-1ubuntu4.12)
apache2-bin (2.4.29-1ubuntu4.11 => 2.4.29-1ubuntu4.12)
apache2-data (2.4.29-1ubuntu4.11 => 2.4.29-1ubuntu4.12)
apache2-utils (2.4.29-1ubuntu4.11 =>

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2020-02-07 Thread Timo Aaltonen
Hello Simon, or anyone else affected, Accepted apache2 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.12 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2020-01-10 Thread Marc Deslauriers
I have uploaded a package for sponsoring by the SRU team. ** Description changed: Since LP: #1797386, openssl with TLS 1.3 support is available on Bionic. This had the nice side effect of enabling TLS 1.3 for various services (nginx, postfix, dovecot, etc) but not apache2. TLS 1.3

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-11-26 Thread Andreas Hasenack
Considering comments #6 and #7, lowering importance to wishlist ** Changed in: apache2 (Ubuntu Bionic) Importance: High => Wishlist

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-11-25 Thread Marc Deslauriers
Thanks for testing it!

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-11-19 Thread Simon Déziel
@mdeslaur, I've deployed your testing PPA more widely (including prod) and tested various scenarios. I'm happy to report that we found no problem with your backport. Can't wait for an official package :) Thanks again!

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-10-30 Thread Simon Déziel
@mdeslaur, thanks for that! It worked well in my albeit basic tests using both HTTP/1.1 and HTTP/2

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-10-18 Thread Marc Deslauriers
I put a first stab at a TLSv1.3 backport for bionic's apache2 in my testing PPA here: https://launchpad.net/~mdeslaur/+archive/ubuntu/testing

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-10-10 Thread Christian Ehrhardt 
@Xnox - I did a similar check, not a deep look but maybe 30 minutes of diff parsing. I did come to the same conclusion. My gut feeling was more like "If security wants to get TLSv1.3 into Bionic Apache then we'd be better off considering to make the 2.4.38 of Disco available in Bionic (with all

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-10-10 Thread Dimitri John Ledkov
I've had a deep look into either cherrypicking just the v1.3 support, or backporting all of mod_ssl module, and both things looked hard. The point of openssl 1.1.1 SRU to Bionic was not to enable TLSv1.3 everywhere. But rather to ensure it is long-term supportable. The potential availability of

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-10-09 Thread Christian Ehrhardt 
** Tags added: bionic-openssl-1.1

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-09-26 Thread Christian Ehrhardt 
While in many projects it is just a rebuild, here it is quite some code. From changes in 2.4.36: *) SECURITY: CVE-2019-0215 (cve.mitre.org) mod_ssl: Fix access control bypass for per-location/per-dir client certificate

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-09-25 Thread Christian Ehrhardt 
Umm, for the above test I forgot then restart apache2 and see if it complains: good: (no message, server starts) bad: Sep 25 08:12:21 b apachectl[16488]: AH00526: Syntax error on line 73 of /etc/apache2/mods-enabled/ssl.conf: Sep 25 08:12:21 b apachectl[16488]: SSLProtocol: Illegal protocol

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-09-25 Thread Christian Ehrhardt 
"Testcase" (less than full cert setup):
$ apt install apache2
$ a2enmod ssl
$ vim /etc/apache2/mods-enabled/ssl.conf:
Change protocols to:
SSLProtocol all -SSLv3 +TLSv1.2 TLSv1.3
For an SRU we might want more, but that is enough to check if a given apache already has TLSv1.3 With that I

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-09-25 Thread Christian Ehrhardt 
Thanks Simon for the report, yes I've seen similar bugs for a few other packages already. In many cases the security Team already has a plan or opinion about it. Therefore I'm assigning the security team to first give us their guidance if: - it should not be enabled, because ? - it will be

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-09-25 Thread Christian Ehrhardt 
** Tags added: server-next

[Bug 1845263] Re: [wishlist] Add TLSv1.3 support to apache2 on Bionic

2019-09-24 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: apache2 (Ubuntu) Status: New => Confirmed