[wishlist] Add TLSv1.3 support to apache2 on Bionic

Bug #1845263 reported by Simon Déziel on 2019-09-24
32
This bug affects 4 people
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
Medium
Unassigned
Bionic
Wishlist
Ubuntu Security Team
Disco
Medium
Unassigned

Bug Description

Since LP: #1797386, openssl with TLS 1.3 support is available on Bionic. This had the nice side effect of enabling TLS 1.3 for various services (nginx, postfix, dovecot, etc) but not apache2.

TLS 1.3 support is required to use the "modern compatibility" configuration recommended by Mozilla [1]. Since Bionic is an LTS release and apache2 is popular and in main, it would be nice to have support for TLS 1.3.

According to [2], support for TLS 1.3 was added in version 2.4.36 while Bionic ships 2.4.29. Disco ships with 2.4.38 so should be OK.

1: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
2: https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=modern&openssl-version=1.1.1

[Test Case]

See comment #3 for a test case, alternatively run the security team QRT apache2 test here: https://launchpad.net/qa-regression-testing

[Regression Potential]

Enabling TLSv1.3 as an SRU will introduce a new protocol in certain environments. This may be problematic for a small number of users, but the benefit of having TLSv1.3 enabled greatly outweighs that.

From an update point of view, the patchset is quite large, but it has been tested by the QRT script, and in production by users.

CVE References

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apache2 (Ubuntu):
status: New → Confirmed
tags: added: server-next

Thanks Simon for the report, yes I've seen similar bugs for a few other packages already.
In many cases the security Team already has a plan or opinion about it.
Therefore I'm assigning the security team to first give us their guidance if:
- it should not be enabled, because ?
- it will be enabled by them later
- it should be enabled, but someone else has to try doing it

Changed in apache2 (Ubuntu):
importance: Undecided → Medium
assignee: nobody → Ubuntu Security Team (ubuntu-security)

"Testcase" (less than full cert setup):
$ apt install apache2
$ a2enmod ssl
$ vim /etc/apache2/mods-enabled/ssl.conf:
Change protocols to:
  SSLProtocol all -SSLv3 +TLSv1.2 TLSv1.3
For an SRU we might want more, but that is enough to check if a given apache already has TLSv1.3

With that I confirmed your expectation that >=Disco is already fine in that regard.

Changed in apache2 (Ubuntu Bionic):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in apache2 (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
status: Confirmed → Fix Released
Changed in apache2 (Ubuntu Bionic):
status: New → Triaged
importance: Undecided → High
Changed in apache2 (Ubuntu Disco):
status: New → Fix Released
importance: Undecided → Medium

Umm, for the above test I forgot then restart apache2 and see if it complains:

good: (no message, server starts)

bad:
Sep 25 08:12:21 b apachectl[16488]: AH00526: Syntax error on line 73 of /etc/apache2/mods-enabled/ssl.conf:
Sep 25 08:12:21 b apachectl[16488]: SSLProtocol: Illegal protocol 'TLSv1.3'
Sep 25 08:12:21 b apachectl[16488]: Action 'start' failed.

While in many projects it is just a rebuild, here it is quite some code.

From changes in 2.4.36:
 106 *) SECURITY: CVE-2019-0215 (cve.mitre.org)
 107 mod_ssl: Fix access control bypass for per-location/per-dir client
 108 certificate verification in TLSv1.3.
=> commit https://github.com/apache/httpd/commit/84edf5f49db23ced03259812bbf9426685f7d82a

 294 *) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3. TLSv1.3 has
 295 behavioural changes compared to v1.2 and earlier; client and
 296 configuration changes should be expected. SSLCipherSuite is
 297 enhanced for TLSv1.3 ciphers, but applies at vhost level only.
 298 [Stefan Eissing, Yann Ylavic, Ruediger Pluem, Joe Orton]
=> branch https://github.com/apache/httpd/commits/tlsv1.3-for-2.4.x

I'm not sure on this one ...
It won't be easy and the fallout might be high.
It almost seems safer to consider MREing something >=2.4.36 completely.

But all of that is up to the security Teams guidance anyway.
Waiting on them to comment.

tags: added: bionic-openssl-1.1
Dimitri John Ledkov (xnox) wrote :

I've had a deep look into either cherrypicking just the v1.3 support, or backporting all of mod_ssl module, and both things looked hard.

The point of openssl 1.1.1 SRU to Bionic was not to enable TLSv1.3 everywhere. But rather to ensure it is long-term supportable. The potential availability of TLSv1.3 was an added cherry on top.

I feel like marking this wont-fix for bionic.

@Xnox - I did a similar check, not a deep look but maybe 30 minutes of diff parsing.
I did come to the same conclusion. My gut feeling was more like "If security wants to get TLSv1.3 into Bionic Apache then we'd be better off considering to make the 2.4.38 of Disco available in Bionic (with all the Pros and Cons that comes with).

So yeah, IMHO 'Won't Fix' or 'Consider backport new major version'. In between those two would be the backports pocket, but the support statement for -backports is too weak.

Marc Deslauriers (mdeslaur) wrote :

I put a first stab at a TLSv1.3 backport for bionic's apache2 in my testing PPA here:

https://launchpad.net/~mdeslaur/+archive/ubuntu/testing

Simon Déziel (sdeziel) wrote :

@mdeslaur, thanks for that! It worked well in my albeit basic tests using both HTTP/1.1 and HTTP/2

Simon Déziel (sdeziel) wrote :

@mdeslaur, I've deployed your testing PPA more widely (including prod) and tested various scenarios. I'm happy to report that we found no problem with your backport. Can't wait for an official package :)

Thanks again!

Marc Deslauriers (mdeslaur) wrote :

Thanks for testing it!

Andreas Hasenack (ahasenack) wrote :

Considering comments #6 and #7, lowering importance to wishlist

Changed in apache2 (Ubuntu Bionic):
importance: High → Wishlist
Marc Deslauriers (mdeslaur) wrote :

I have uploaded a package for sponsoring by the SRU team.

description: updated
Changed in apache2 (Ubuntu Bionic):
status: Triaged → In Progress

Hello Simon, or anyone else affected,

Accepted apache2 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.12 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apache2 (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic

All autopkgtests for the newly accepted apache2 (2.4.29-1ubuntu4.12) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

usemod-wiki/unknown (armhf)
gvfs/1.36.1-0ubuntu1.3.3 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#apache2

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Simon Déziel (sdeziel) wrote :

Tested on various Bionic machines:

The following packages will be upgraded:
   apache2 (2.4.29-1ubuntu4.11 => 2.4.29-1ubuntu4.12)
   apache2-bin (2.4.29-1ubuntu4.11 => 2.4.29-1ubuntu4.12)
   apache2-data (2.4.29-1ubuntu4.11 => 2.4.29-1ubuntu4.12)
   apache2-utils (2.4.29-1ubuntu4.11 => 2.4.29-1ubuntu4.12)
4 upgraded, 0 newly installed, 0 to remove and 19 not upgraded.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.12

---------------
apache2 (2.4.29-1ubuntu4.12) bionic; urgency=medium

  * Add TLSv1.3 support. (LP: #1845263)
    - debian/patches/tlsv1.3-support.patch: backport upstream 2.4 commit
      which introduced TLSv1.3 support.

 -- Marc Deslauriers <email address hidden> Tue, 03 Dec 2019 10:55:03 -0500

Changed in apache2 (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for apache2 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Bryce Harrington (bryce) wrote :

Possible regression has been reported to LP: #1865900

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers