[wishlist] drop ssl_protocols and ssl_prefer_server_ciphers from nginx.conf
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nginx (Ubuntu) | Triaged | Wishlist | Thomas Ward | 
Bug Description
* Use case
An admin wants to tune ssl_protocols and ssl_prefer_
* Problem
This doesn't work as those 2 parameters are already set in the global config shipped by the package, thus resulting in conflicts:
# nginx -t
nginx: [emerg] "ssl_prefer_
nginx: configuration file /etc/nginx/
Removing/commenting out ssl_prefer_
# nginx -t
nginx: [warn] duplicate value "TLSv1.2" in /etc/nginx/
nginx: [warn] duplicate value "TLSv1.3" in /etc/nginx/
nginx: the configuration file /etc/nginx/
nginx: configuration file /etc/nginx/
This leaves the admin to edit the main nginx.conf shipped by the package which is less than ideal.
* Potential fix
I think the ssl_protocols and ssl_prefer_
# ssl_protocols was set initially to drop support for SSLv3 (due to the POODLE vulnerability), but the upstream default value baked in no longer has SSLv3 anyway
# ssl_prefer_
* Steps to reproduce:
1) create a groovy container
lxc launch images:
2) install nginx-light in it
lxc exec ng1 -- apt install nginx-light
3) try to override the 2 params
cat << EOF | lxc exec ng1 -- tee /etc/nginx/
ssl_prefer_
ssl_protocols TLSv1.2 TLSv1.3;
EOF
4) check the configuration
lxc exec ng1 -- nginx -t
Step 4) should return neither [emerg] nor [warn] messages if there is no clash. It currently fails due to the ssl_prefer_
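As an added example (not part of the bug report or the nginx package), the kind of pre-check an admin could run to see which file re-sets a directive at the same level as the packaged nginx.conf, which is what produces the duplicate [emerg]/[warn] output above. FILES is a constructed in-memory stand-in for /etc/nginx, and the tokenizer is a simplification of nginx's own parser (no variables, maps or nested quoting).

```python
"""Find nginx directives set both by the packaged nginx.conf and by an
admin drop-in, the clash this bug describes. Simplified tokenizer (not
nginx's); FILES is a constructed stand-in for /etc/nginx."""
import fnmatch
import re
from collections import defaultdict

FILES = {  # constructed: package-shipped config plus an admin drop-in
    "/etc/nginx/nginx.conf": """
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    include /etc/nginx/conf.d/*.conf;
    server { ssl_protocols TLSv1.3; }  # per-server override is fine
}
""",
    "/etc/nginx/conf.d/tls.conf": """
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.2 TLSv1.3;
""",
}
# Tokens: comment to end of line, braces, ';', quoted strings, bare words.
TOKEN = re.compile(r'#[^\n]*|[{};]|"[^"]*"|\'[^\']*\'|[^\s{};"\']+')

def walk(path, files, block, found):
    """Record (block, directive) -> [(file, args)]; includes land in the current block."""
    depth, stmt = [block], []
    for tok in TOKEN.findall(files[path]):
        if tok.startswith("#"):
            continue
        if tok == "{":  # new block; object() keeps two 'server' blocks apart
            depth.append((stmt[0], object()))
            stmt = []
        elif tok == "}":
            depth.pop()
        elif tok == ";":
            name, args = stmt[0], stmt[1:]
            if name == "include":  # glob resolved against the in-memory tree
                for inc in sorted(f for f in files if fnmatch.fnmatch(f, args[0])):
                    walk(inc, files, depth[-1], found)
            else:
                found[(depth[-1], name)].append((path, args))
            stmt = []
        else:
            stmt.append(tok)

def find_clashes(files, root="/etc/nginx/nginx.conf"):
    """Return {directive: [(file, args), ...]} for directives set twice in one block."""
    found = defaultdict(list)
    walk(root, files, ("main", None), found)
    return {name: hits for (_, name), hits in found.items() if len(hits) > 1}
```

nginx -t remains the authoritative check; this only tells you which file contributes each copy of a duplicated directive, so you know what to move rather than editing the packaged nginx.conf blindly.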
Changed in nginx (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
assignee: nobody → Thomas Ward (teward)
Prefer server ciphers is off in later configs.
A warning does not necessitate a hard error that needs fixing.
Note that in Ubuntu this nginx.conf originates in Debian, so I would like the Debian nginx team's opinions on putting this change in Unstable as well so as not to introduce another delta.