[wishlist] drop ssl_protocols and ssl_prefer_server_ciphers from nginx.conf

Bug #1883951 reported by Simon Déziel on 2020-06-17
This bug affects 1 person
Affects: nginx (Ubuntu)
Status: Triaged
Importance: Wishlist
Assigned to: Thomas Ward
Milestone: (none)

Bug Description

* Use case

An admin wants to tune ssl_protocols and ssl_prefer_server_ciphers, so he/she drops a snippet file in /etc/nginx/conf.d/, the way other parameters are usually configured.

* Problem

This doesn't work, as those 2 parameters are already set in the global config shipped by the package, thus resulting in conflicts:

# nginx -t
nginx: [emerg] "ssl_prefer_server_ciphers" directive is duplicate in /etc/nginx/conf.d/ssl.conf:4
nginx: configuration file /etc/nginx/nginx.conf test failed

Removing/commenting out ssl_prefer_server_ciphers from /etc/nginx/nginx.conf then causes warnings for ssl_protocols like this:

# nginx -t
nginx: [warn] duplicate value "TLSv1.2" in /etc/nginx/conf.d/ssl.conf:5
nginx: [warn] duplicate value "TLSv1.3" in /etc/nginx/conf.d/ssl.conf:5
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

This leaves the admin to edit the main nginx.conf shipped by the package, which is less than ideal.

* Potential fix

I think the ssl_protocols and ssl_prefer_server_ciphers directives should be dropped from the main nginx.conf.

# ssl_protocols was set initially to drop support for SSLv3 (due to the POODLE vulnerability), but the upstream default value baked in no longer has SSLv3 anyway.

# ssl_prefer_server_ciphers made sense some time ago, but it is not recommended anymore now that we have TLS 1.3. Mozilla's recommendation is to let the client choose the cipher for their modern and intermediate compatibility lists, from https://wiki.mozilla.org/Security/Server_Side_TLS

* Steps to reproduce:

1) create a groovy container

lxc launch images:ubuntu/groovy ng1

2) install nginx-light in it

lxc exec ng1 -- apt install nginx-light

3) try to override the 2 params

cat << EOF | lxc exec ng1 -- tee /etc/nginx/conf.d/ssl.conf
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.2 TLSv1.3;
EOF

4) check the configuration

lxc exec ng1 -- nginx -t

Step 4) should return neither [emerg] nor [warn] messages if there is no clash. It currently fails due to the ssl_prefer_server_ciphers directive.
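The clash above exists because files pulled in by `include conf.d/*.conf` are parsed in the same `http` block as nginx.conf itself, so a directive set in both places is a duplicate, while the same directive in a nested `server` block is a legitimate override. The following scanner is an added example, not code from the report or the Ubuntu package: it walks an nginx config tree with a deliberately small tokenizer (an approximation of nginx's own parser that assumes `#` never appears inside a quoted value), reports the watched directives that appear twice in one block, and applies the proposed fix of commenting them out of the main file. The file layout it builds in a temporary directory is constructed to mirror the packaged one.

```python
"""Find nginx directives set in nginx.conf and again, in the same block, by an
included snippet (the clash behind the [emerg]/[warn] messages above).
Added example; the tokenizer is a small approximation of nginx's parser and
assumes '#' never occurs inside a quoted value."""
import glob
import os
import re
import tempfile
from collections import defaultdict

WATCHED = ('ssl_protocols', 'ssl_prefer_server_ciphers')
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def tokenize(text):
    """Yield (token, line_number) pairs with '#' comments removed."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for tok in TOKEN_RE.findall(line.split('#', 1)[0]):
            yield tok, lineno


def parse(path, prefix, scope, records):
    """Append (scope, directive, args, file, line) for every simple directive.
    Files named by `include` are parsed in the *including* scope, which is
    exactly why a conf.d snippet lands inside the http block."""
    with open(path) as fh:
        toks = list(tokenize(fh.read()))
    stack = [scope]
    i = 0
    while i < len(toks):
        if toks[i][0] == '}':
            stack.pop()
            i += 1
            continue
        start = i
        while i < len(toks) and toks[i][0] not in (';', '{'):
            i += 1
        if i == len(toks):
            break  # unterminated statement: give up on this file
        words = [t for t, _ in toks[start:i]]
        lineno = toks[start][1]
        terminator = toks[i][0]
        i += 1
        directive, args = (words[0], words[1:]) if words else ('', [])
        if terminator == '{':
            stack.append(f"{stack[-1]}/{directive}" if stack[-1] else directive)
        elif directive == 'include':
            # relative include paths resolve against the prefix (/etc/nginx on Ubuntu)
            pattern = args[0] if os.path.isabs(args[0]) else os.path.join(prefix, args[0])
            for inc in sorted(glob.glob(pattern)):
                parse(inc, prefix, stack[-1], records)
        elif directive:
            records.append((stack[-1], directive, tuple(args), path, lineno))


def find_duplicates(records, directives=WATCHED):
    """Return {(scope, directive): [(file, line, args), ...]} for each watched
    directive that is set more than once in the same block."""
    seen = defaultdict(list)
    for scope, directive, args, path, lineno in records:
        if directive in directives:
            seen[(scope, directive)].append((path, lineno, args))
    return {k: v for k, v in seen.items() if len(v) > 1}


def check(prefix):
    """Parse prefix/nginx.conf (and everything it includes) and report clashes."""
    records = []
    parse(os.path.join(prefix, 'nginx.conf'), prefix, '', records)
    return find_duplicates(records)


def drop_from_main(prefix, directives=WATCHED):
    """Comment the watched directives out of nginx.conf (the fix the report
    proposes for the packaged file). Returns the number of lines changed."""
    path = os.path.join(prefix, 'nginx.conf')
    out, changed = [], 0
    with open(path) as fh:
        for line in fh:
            first = line.split()[0] if line.split() else ''
            if first in directives:
                indent = line[:len(line) - len(line.lstrip())]
                line = indent + '# ' + line.lstrip()
                changed += 1
            out.append(line)
    with open(path, 'w') as fh:
        fh.writelines(out)
    return changed


def build_demo_tree():
    """Constructed, Ubuntu-like layout in a temp dir; returns the prefix."""
    prefix = tempfile.mkdtemp(prefix='nginx-demo-')
    os.makedirs(os.path.join(prefix, 'conf.d'))
    os.makedirs(os.path.join(prefix, 'sites-enabled'))
    files = {
        'nginx.conf': "user www-data;\nevents { worker_connections 768; }\nhttp {\n"
                      "    # set long ago to drop SSLv3 (POODLE); mirrors the packaged default\n"
                      "    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;\n"
                      "    ssl_prefer_server_ciphers on;\n"
                      "    include conf.d/*.conf;\n    include sites-enabled/*;\n}\n",
        'conf.d/ssl.conf': "ssl_prefer_server_ciphers off;\nssl_protocols TLSv1.2 TLSv1.3;\n",
        'sites-enabled/default': "server {\n    listen 443 ssl;\n"
                                 "    ssl_protocols TLSv1.3;  # nested block: a legitimate override\n}\n",
    }
    for rel, body in files.items():
        with open(os.path.join(prefix, rel), 'w') as fh:
            fh.write(body)
    return prefix


if __name__ == '__main__':
    demo = build_demo_tree()
    for (scope, directive), places in check(demo).items():
        print(f"{directive} set {len(places)}x in '{scope}' block:")
        for path, lineno, args in places:
            print(f"  {path}:{lineno}: {' '.join(args)}")
    drop_from_main(demo)
    print("after commenting them out of nginx.conf:", check(demo) or "no clashes")
```

Run stand-alone it reports both watched directives twice in the `http` block (nginx.conf and conf.d/ssl.conf) but says nothing about the `server`-level `ssl_protocols`, and after `drop_from_main` the snippet alone defines them, which is the state the report asks the package to ship.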

Thomas Ward (teward) on 2020-06-17
Changed in nginx (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
assignee: nobody → Thomas Ward (teward)