Enable TLS 1.3 by default in NGINX configs for Cosmic

Bug #1800214 reported by Thomas Ward on 2018-10-26
This bug affects 2 people
Affects Status Importance Assigned to Milestone
nginx (Ubuntu)

Bug Description

[Reason for SRU]

Ubuntu Cosmic 18.10 ships with OpenSSL 1.1.1, which has TLS 1.3 support. It was intended to enable TLS 1.3 in the default nginx.conf so that TLS v1.3 support would be "enabled by default" if you enabled SSL, however it did not get included due to my own schedule and issues.

TLS 1.3 is the newest TLS protocol version and is available in OpenSSL 1.1.1. Behind the scenes, if TLS 1.3 support is available in OpenSSL, it's available to NGINX when compiled against that version of OpenSSL.

Enabling this by default in the NGINX configuration file is trivial to do, simply add TLSv1.3 to the `ssl_protocols` list. Doing this in the default config is probably a good idea since we have TLS v1.3 support available.

This would be specifically for Cosmic.

[Regression Potential]

OpenSSL 1.1.1 is the latest stable release of OpenSSL as of September. TLS 1.3 is the latest TLS protocol. The TLS 1.3 protocol is the latest and 'more robust' TLS protocol version and should be used where possible.

There is risk of regression for clients which fail to negotiate a connection when TLS 1.3 is presented. This is a risk we are accepting as a necessary evil of continuing to evolve the security of network services on the Internet.

If nginx-specific protocol negotiation regressions are identified with the use of TLSv1.3 which are not seen with other TLSv1.3-enabled servers in cosmic, these must still be treated with priority as SRU regressions.

[Other Info]

It was completely intended prior to Cosmic's release that I would enable TLSv1.3 as a 'default' supported TLS protocol in nginx.conf. Unfortunately, things got a little bit busy for me and that change was not included.

It would be beneficial to include TLSv1.3 in NGINX default protocols due to the additional security advantages that come with TLSv1.3.

Thomas Ward (teward) on 2018-10-26
description: updated
Thomas Ward (teward) on 2018-10-26
Changed in nginx (Ubuntu):
status: New → Incomplete
status: Incomplete → In Progress
description: updated

Hello Thomas, or anyone else affected,

Accepted nginx into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nginx/1.15.5-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

description: updated
Changed in nginx (Ubuntu Cosmic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Changed in nginx (Ubuntu Cosmic):
importance: Undecided → Wishlist
Thomas Ward (teward) wrote :

Confirmed in testing with a Cosmic container that this enables TLS 1.3 as well as 1.2, 1.1, and 1.0 in the default configuration change.


(0) Start with the NGINX in main, not in proposed, for this test. (`sudo apt install nginx-core nginx`)

(1) In /etc/nginx/sites-available/default, uncomment these lines:

 # listen 443 ssl default_server;
 # listen [::]:443 ssl default_server;

 # include snippets/snakeoil.conf;

(2) Install the `ssl-cert` package which creates local dummy certs that you can use for testing.

(3) Once installed, restart the NGINX process `sudo systemctl restart nginx`

(4) Using a browser with TLS 1.3 enabled and available (I used Chrome so I can see advanced data even on a 16.04 machine, and an OpenSSL binary as well), open the test nginx site in HTTPS mode. Accept any warnings about self-signed certificates, they're not relevant for this test, the protocols are. You will see the negotiated protocol being TLS 1.2/

(5) Run the apt-get commands to install from proposed. (`sudo apt install -t cosmic-proposed nginx-core nginx`).

(6) Check your /etc/nginx/nginx.conf for the "ssl_protocols" line - it should look like this now:

 ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE

(7) Refresh the connection in your browser (purge cache if necessary), and connect to the NGINX site again. TLS 1.3 should show as the negotiated protocol instead of TLS 1.2.

This worked with a pure NGINX installation without any revisions to nginx.conf, including during the upgrade process. This should enable TLS 1.3 by default as a supported protocol for other users who are using NGINX in Cosmic Proposed.

***Please test if you can to confirm this works or doesn't work for you.*** If I don't hear back after a while, I'll mark this as verification-done myself.

Andreas Hasenack (ahasenack) wrote :

This is in disco already, right:
nginx (1.15.5-0ubuntu3) disco; urgency=medium

  * No-change rebuild for the perl 5.28 transition.

 -- Adam Conrad <email address hidden> Fri, 02 Nov 2018 19:02:18 -0600

nginx (1.15.5-0ubuntu2) cosmic; urgency=medium

  * d/conf/nginx.conf: Enable TLSv1.3 by default by adding TLSv1.3 to
    the ssl_protocols line. (SRU, LP: #1800214)

 -- Thomas Ward <email address hidden> Fri, 26 Oct 2018 15:25:59 -0400

Can the main task be marked as "fix released"?

Thomas Ward (teward) wrote :

Additional testing was completed by myself and I haven't seen any TLS related regressions (running this on two production sites currently for my business and my personal).

I'm marking this as verification-done.

tags: added: verification-done verification-done-cosmic
removed: verification-needed verification-needed-cosmic
Thomas Ward (teward) wrote :

Looks like Adam Conrad included the SRU within Disco's no change rebuild for perl, marking as Fix Committed for Disco as that hasn't landed out of proposed yet.

Changed in nginx (Ubuntu Disco):
status: In Progress → Fix Committed
Thomas Ward (teward) wrote :

Released by the security team while handing USN-3812-1 and three CVEs into Cosmic. Marking "Fix Released" for Cosmic as this is now in the repositories.

Changed in nginx (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.15.5-0ubuntu3

nginx (1.15.5-0ubuntu3) disco; urgency=medium

  * No-change rebuild for the perl 5.28 transition.

 -- Adam Conrad <email address hidden> Fri, 02 Nov 2018 19:02:18 -0600

Changed in nginx (Ubuntu Disco):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers