2019-09-24 21:14:32 |
Simon Déziel |
bug |
|
|
added bug |
2019-09-24 21:20:26 |
Launchpad Janitor |
apache2 (Ubuntu): status |
New |
Confirmed |
|
2019-09-24 21:20:51 |
Tom Reynolds |
bug |
|
|
added subscriber Tom Reynolds |
2019-09-25 08:01:25 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server |
2019-09-25 08:01:32 |
Christian Ehrhardt |
tags |
bionic wishlist |
bionic server-next wishlist |
|
2019-09-25 08:15:12 |
Christian Ehrhardt |
apache2 (Ubuntu): importance |
Undecided |
Medium |
|
2019-09-25 08:15:20 |
Christian Ehrhardt |
apache2 (Ubuntu): assignee |
|
Ubuntu Security Team (ubuntu-security) |
|
2019-09-25 08:15:51 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Disco |
|
2019-09-25 08:15:51 |
Christian Ehrhardt |
bug task added |
|
apache2 (Ubuntu Disco) |
|
2019-09-25 08:15:51 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Bionic |
|
2019-09-25 08:15:51 |
Christian Ehrhardt |
bug task added |
|
apache2 (Ubuntu Bionic) |
|
2019-09-25 08:16:03 |
Christian Ehrhardt |
apache2 (Ubuntu Bionic): assignee |
|
Ubuntu Security Team (ubuntu-security) |
|
2019-09-25 08:16:06 |
Christian Ehrhardt |
apache2 (Ubuntu): assignee |
Ubuntu Security Team (ubuntu-security) |
|
|
2019-09-25 08:16:09 |
Christian Ehrhardt |
apache2 (Ubuntu): status |
Confirmed |
Fix Released |
|
2019-09-25 08:16:13 |
Christian Ehrhardt |
apache2 (Ubuntu Bionic): status |
New |
Triaged |
|
2019-09-25 08:16:19 |
Christian Ehrhardt |
apache2 (Ubuntu Bionic): importance |
Undecided |
High |
|
2019-09-25 08:16:21 |
Christian Ehrhardt |
apache2 (Ubuntu Disco): status |
New |
Fix Released |
|
2019-09-25 08:16:24 |
Christian Ehrhardt |
apache2 (Ubuntu Disco): importance |
Undecided |
Medium |
|
2019-09-25 08:16:29 |
Christian Ehrhardt |
bug |
|
|
added subscriber Christian Ehrhardt |
2019-09-25 08:16:40 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Security Team |
2019-09-26 08:56:37 |
Christian Ehrhardt |
cve linked |
|
2019-0215 |
|
2019-09-27 07:03:10 |
Giraffe |
bug |
|
|
added subscriber Giraffe |
2019-10-04 11:20:00 |
Jochem Blok |
bug |
|
|
added subscriber Jochem Blok |
2019-10-09 09:14:30 |
Christian Ehrhardt |
tags |
bionic server-next wishlist |
bionic bionic-openssl-1.1 server-next wishlist |
|
2019-11-26 21:34:37 |
Andreas Hasenack |
apache2 (Ubuntu Bionic): importance |
High |
Wishlist |
|
2020-01-10 14:57:32 |
Marc Deslauriers |
description |
Since LP: #1797386, openssl with TLS 1.3 support is available on Bionic. This had the nice side effect of enabling TLS 1.3 for various services (nginx, postfix, dovecot, etc) but not apache2.
TLS 1.3 support is required to use the "modern compatibility" configuration recommended by Mozilla [1]. Since Bionic is an LTS release and apache2 is popular and in main, it would be nice to have support for TLS 1.3.
According to [2], support for TLS 1.3 was added in version 2.4.36 while Bionic ships 2.4.29. Disco ships with 2.4.38 so should be OK.
1: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
2: https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=modern&openssl-version=1.1.1 |
Since LP: #1797386, openssl with TLS 1.3 support is available on Bionic. This had the nice side effect of enabling TLS 1.3 for various services (nginx, postfix, dovecot, etc) but not apache2.
TLS 1.3 support is required to use the "modern compatibility" configuration recommended by Mozilla [1]. Since Bionic is an LTS release and apache2 is popular and in main, it would be nice to have support for TLS 1.3.
According to [2], support for TLS 1.3 was added in version 2.4.36 while Bionic ships 2.4.29. Disco ships with 2.4.38 so should be OK.
1: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
2: https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=modern&openssl-version=1.1.1
[Test Case]
See comment #3 for a test case, alternatively run the security team QRT apache2 test here: https://launchpad.net/qa-regression-testing
[Regression Potential]
Enabling TLSv1.3 as an SRU will introduce a new protocol in certain environments. This may be problematic for a small number of users, but the benefit of having TLSv1.3 enabled greatly outweighs that.
From an update point of view, the patchset is quite large, but it has been tested by the QRT script, and in production by users. |
|
2020-01-10 14:57:42 |
Marc Deslauriers |
apache2 (Ubuntu Bionic): status |
Triaged |
In Progress |
|
2020-01-10 14:57:53 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2020-02-07 17:48:25 |
Timo Aaltonen |
apache2 (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2020-02-07 17:48:32 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
2020-02-07 17:48:41 |
Timo Aaltonen |
tags |
bionic bionic-openssl-1.1 server-next wishlist |
bionic bionic-openssl-1.1 server-next verification-needed verification-needed-bionic wishlist |
|
2020-02-07 22:06:09 |
Simon Déziel |
tags |
bionic bionic-openssl-1.1 server-next verification-needed verification-needed-bionic wishlist |
bionic bionic-openssl-1.1 server-next verification-done verification-done-bionic wishlist |
|
2020-03-02 13:35:48 |
Launchpad Janitor |
apache2 (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2020-03-02 13:35:53 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2020-09-15 15:59:47 |
James Gregory-Monk |
bug |
|
|
added subscriber James Gregory-Monk |