** Changed in: nginx (Ubuntu)
Status: New => Incomplete
** Changed in: nginx (Ubuntu)
Status: Incomplete => In Progress
** Description changed:
[Reason for SRU]
Ubuntu Cosmic 18.10 ships with OpenSSL 1.1.1, which has TLS 1.3 support.
It was intended to enable TLS 1.3 in the default nginx.conf so that TLS
v1.3 support would be "enabled by default" if you enabled SSL, however
it did not get included due to my own schedule and issues.
TLS 1.3 is the newest TLS protocol version and is available in OpenSSL
1.1.1. Behind the scenes, if TLS 1.3 support is available in OpenSSL,
it's available to NGINX when compiled against that version of OpenSSL.
Enabling this by default in the NGINX configuration file is trivial to
do, simply add TLSv1.3 to the `ssl_protocols` list. Doing this in the
default config is probably a good idea since we have TLS v1.3 support
available.
This would be specifically for Cosmic.
[Regression Potential]
OpenSSL 1.1.1 is the latest stable release of OpenSSL as of September.
TLS 1.3 is the latest TLS protocol. The TLS 1.3 protocol is the latest
and 'more robust' TLS protocol version and should be used where
possible.
Regression potential for the change to enable TLSv1.3 by default for
NGINX in Cosmic would be minimal, as OpenSSL already has this protocol
available.
Should this cause any regressions, reverting is very simple as we just
remove TLSv1.3 from the ssl_protocols line in the nginx.conf file.
+ There is a regression risk for *browsers and clients* accessing things
+ running on NGINX - TLS 1.3 could have some rollout pains and some
+ browsers and endpoint clients might barf as TLS 1.3 becomes a 'thing'.
+ However, this is more or less on those clients to be a failure case, and
+ if we get too many things breaking from this enabling TLS1.3 in addition
+ to TLS 1.2, 1.1, and 1.0, we can just revert this change with the simple
+ revision change indicated above (remove TLS1.3 from the ssl_protocols in
+ nginx.conf)
+
[Other Info]
It was completely intended prior to Cosmic's release that I would enable
TLSv1.3 as a 'default' supported TLS protocol in nginx.conf.
Unfortunately, things got a little bit busy for me and that change was
not included.
It would be beneficial to include TLSv1.3 in NGINX default protocols due
to the additional security advantages that come with TLSv1.3.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1800214
Title:
Enable TLS 1.3 by default in NGINX configs for Cosmic
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1800214/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
