[regression] 1.14.0-0ubuntu1.4 security update enables TLS1.3 without a choice
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nginx (Ubuntu) | Invalid | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Marc Deslauriers |
Bug Description
Ubuntu 18.04
With ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
Tests done using testssl.sh
Expected: TLS1.3 should only be enabled if the config says it should.
1.14.0-0ubuntu1.3 reports
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
TLS 1.3 not offered
NPN/SPDY http/1.1 (advertised)
ALPN/HTTP2 http/1.1 (offered)
1.14.0-0ubuntu1.4 reports
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY http/1.1 (advertised)
ALPN/HTTP2 http/1.1 (offered)
How to revert, manually install:
wget http://
tags: added: regression-update
Whoops, this is fallout from openssl 1.1.1 in bionic not being in -security yet, resulting in this security update having been built with openssl 1.1 only.
The packages need to be rebuilt with openssl 1.1.1.
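The regression reported above can be caught automatically, and the rebuilt package verified the same way, by comparing the `ssl_protocols` directive with the protocol lines of a testssl.sh scan. The following is an added example, not part of the bug report, nginx or testssl.sh; the function names and the token-to-label mapping are assumptions of this example, and the sample input is the directive and scan lines quoted in the bug description.

```python
import re

# nginx ssl_protocols tokens -> protocol labels as printed by testssl.sh
NGINX_TO_TESTSSL = {
    "SSLv2": "SSLv2", "SSLv3": "SSLv3", "TLSv1": "TLS 1",
    "TLSv1.1": "TLS 1.1", "TLSv1.2": "TLS 1.2", "TLSv1.3": "TLS 1.3",
}

def configured_protocols(nginx_conf):
    """Union of protocols named in ssl_protocols directives (simplification:
    server-block scoping is ignored)."""
    enabled = set()
    for line in nginx_conf.splitlines():
        m = re.match(r"\s*ssl_protocols\s+([^;]+);", line.split("#", 1)[0])
        if m:
            enabled |= {NGINX_TO_TESTSSL[t] for t in m.group(1).split()
                        if t in NGINX_TO_TESTSSL}
    return enabled

def offered_protocols(testssl_output):
    """Protocols a testssl.sh protocol section reports as offered."""
    offered = set()
    for line in testssl_output.splitlines():
        m = re.match(r"\s*(SSLv[23]|TLS 1(?:\.[123])?)\s+(not offered|offered)", line)
        if m and m.group(2) == "offered":
            offered.add(m.group(1))
    return offered

def protocol_drift(nginx_conf, testssl_output):
    """Compare what the config asks for with what the server negotiates."""
    want, got = configured_protocols(nginx_conf), offered_protocols(testssl_output)
    return {"unexpected": sorted(got - want), "missing": sorted(want - got)}

# Sample input: directive and scan lines as quoted in the bug description.
CONF = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE\n"
COMMON = ("SSLv2 not offered (OK)\nSSLv3 not offered (OK)\nTLS 1 offered\n"
          "TLS 1.1 offered\nTLS 1.2 offered (OK)\n")
SCAN_UBUNTU1_3 = COMMON + "TLS 1.3 not offered\n"
SCAN_UBUNTU1_4 = COMMON + "TLS 1.3 offered (OK): final\n"

if __name__ == "__main__":
    for name, scan in (("1.14.0-0ubuntu1.3", SCAN_UBUNTU1_3),
                       ("1.14.0-0ubuntu1.4", SCAN_UBUNTU1_4)):
        print(name, protocol_drift(CONF, scan))
```

A non-empty `unexpected` list after a package update means the server negotiates a protocol the configuration never enabled, which is the condition this bug describes.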