Confirmed in testing with a Cosmic container that this enables TLS 1.3
as well as 1.2, 1.1, and 1.0 in the default configuration change.

TESTERS:

(0) Start with the NGINX in main, not in proposed, for this test.
(`sudo apt install nginx-core nginx`)

(1) In /etc/nginx/sites-available/default, uncomment these lines:

        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;

        # include snippets/snakeoil.conf;

(2) Install the `ssl-cert` package which creates local dummy certs that
you can use for testing.

(3) Once installed, restart the NGINX process
`sudo systemctl restart nginx`

(4) Using a browser with TLS 1.3 enabled and available (I used Chrome so
I can see advanced data even on a 16.04 machine, and an OpenSSL binary
as well), open the test nginx site in HTTPS mode.  Accept any warnings
about self-signed certificates, they're not relevant for this test, the
protocols are.  You will see the negotiated protocol being TLS 1.2.

(5) Run the apt-get commands to install from proposed.
(`sudo apt install -t cosmic-proposed nginx-core nginx`).

(6) Check your /etc/nginx/nginx.conf for the "ssl_protocols" line - it
should look like this now:

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE

(7) Refresh the connection in your browser (purge cache if necessary),
and connect to the NGINX site again.  TLS 1.3 should show as the
negotiated protocol instead of TLS 1.2.

This worked with a pure NGINX installation without any revisions to
nginx.conf, including during the upgrade process.  This should enable
TLS 1.3 by default as a supported protocol for other users who are using
NGINX in Cosmic Proposed.

***Please test if you can to confirm this works or doesn't work for
you.***  If I don't hear back after a while, I'll mark this as
verification-done myself.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1800214

Title:
  Enable TLS 1.3 by default in NGINX configs for Cosmic
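
A command-line version of the check in step (6), as an added example that is not part of the original bug comment or the nginx packaging. The function names are hypothetical, and the "before" sample line (the same directive without TLSv1.3) is an assumption constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# Print each protocol named by an active ssl_protocols directive, one per line.
# Comment text is dropped first, so "SSLv3" in the packaged comment is ignored.
# Simplifications: '#' inside quoted strings and include files are not handled;
# directives from all contexts in the file are merged into one list.
list_ssl_protocols() {
    sed 's/#.*$//' "$1" |
        tr '\n' ' ' |            # join directives that wrap across lines
        tr '{};' '\n\n\n' |      # then put one directive on each line
        awk '$1 == "ssl_protocols" { for (i = 2; i <= NF; i++) print $i }' |
        sort -u
}

# Exit status: 0 = TLSv1.3 listed and SSLv3 absent, 1 = otherwise,
# 2 = no active directive found (nginx's compiled-in default applies).
check_tls13_enabled() {
    protos=$(list_ssl_protocols "$1")
    [ -n "$protos" ] || return 2
    if printf '%s\n' "$protos" | grep -qx 'SSLv3'; then
        return 1
    fi
    printf '%s\n' "$protos" | grep -qx 'TLSv1\.3'
}

# Constructed samples: the directive as shown in step (6), and an assumed
# pre-upgrade form of the same line without TLSv1.3.
demo_dir=$(mktemp -d)
printf 'http {\n\tssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE\n}\n' \
    > "$demo_dir/after.conf"
printf 'http {\n\tssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE\n}\n' \
    > "$demo_dir/before.conf"

for f in before after; do
    if check_tls13_enabled "$demo_dir/$f.conf"; then
        echo "$f.conf: TLSv1.3 enabled"
    else
        echo "$f.conf: TLSv1.3 not enabled"
    fi
done
```

On the test machine, run `check_tls13_enabled /etc/nginx/nginx.conf` after step (5). Step (7) can also be confirmed without a browser using `openssl s_client -connect localhost:443 -tls1_3` on an OpenSSL build with TLS 1.3 support.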