Cannot configure openssl 1.3 ciphersuites in nginx on ubuntu 22.04

Bug #2007744 reported by DEXTER
Affects: nginx (Ubuntu)
Status: Expired
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Nginx's version is too old in Ubuntu 22.04 and cannot configure TLSv1.3 ciphersuites.
The way it has to be configured is through the config called "ssl_conf_command" (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_conf_command), which is only available in nginx version 1.19.4.

Ubuntu 22.04 has nginx version 1.18.0.

Nginx must be upgraded to at least version 1.19.4 to be able to adjust TLSv1.3 ciphersuites.
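The directives the report is asking for, as an added example that is not part of the bug report or of the nginx project's own documentation: a POSIX shell script that reads the installed nginx version, compares it against 1.19.4 (the release the report names as introducing ssl_conf_command), and only then prints a TLSv1.3 ciphersuite snippet for the server block. The function names, the chosen suite list and the hostname argument of the probe are my own choices; TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256 and "Options PrioritizeChaCha" are standard OpenSSL SSL_CONF values.

```shell
#!/bin/sh
# Added example, not from the bug report: gate a TLSv1.3 ciphersuite snippet
# on the installed nginx version, since ssl_conf_command needs nginx >= 1.19.4.

# version_ge A B: succeeds when dotted version A is >= B (first three numeric parts).
version_ge() {
    _a=$1; _b=$2; _i=0
    while [ "$_i" -lt 3 ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        if [ "$_x" -gt "$_y" ]; then return 0; fi
        if [ "$_x" -lt "$_y" ]; then return 1; fi
        case $_a in *.*) _a=${_a#*.} ;; *) _a=0 ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b=0 ;; esac
        _i=$((_i + 1))
    done
    return 0
}

# installed_nginx_version: prints e.g. "1.18.0" parsed from `nginx -v`, fails if nginx is absent.
installed_nginx_version() {
    command -v nginx >/dev/null 2>&1 || return 1
    _v=$(nginx -v 2>&1)           # e.g. "nginx version: nginx/1.18.0 (Ubuntu)"
    _v=${_v#*nginx/}              # "1.18.0 (Ubuntu)"
    printf '%s\n' "${_v%% *}"     # "1.18.0"
}

# tls13_snippet: server-block directives for pinning TLSv1.3 suites (constructed sample).
tls13_snippet() {
    cat <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers only governs TLSv1.2 and earlier. TLSv1.3 suites are set through
# OpenSSL's SSL_CONF "Ciphersuites" command, which nginx >= 1.19.4 exposes here.
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;
# Honour a client's ChaCha20 preference (clients without AES hardware acceleration).
ssl_conf_command Options PrioritizeChaCha;
EOF
}

# probe_tls13_suite HOST SUITE: after deploying, confirm HOST negotiates SUITE under
# TLSv1.3 with the local openssl client. Needs network; not called by the driver below.
probe_tls13_suite() {
    openssl s_client -connect "$1:443" -servername "$1" -tls1_3 -ciphersuites "$2" \
        </dev/null 2>/dev/null | grep -q "Cipher is $2"
}

# Driver: report what the nginx on this machine can accept.
if _ver=$(installed_nginx_version); then
    if version_ge "$_ver" 1.19.4; then
        echo "nginx $_ver: ssl_conf_command is available, snippet follows"
        tls13_snippet
    else
        echo "nginx $_ver: older than 1.19.4, it will reject ssl_conf_command"
    fi
else
    echo "nginx is not installed here; sample snippet follows"
    tls13_snippet
fi
```

On a stock 22.04 host the driver reports 1.18.0 and prints nothing else, which is exactly the report's complaint; after switching to a 1.19.4-or-newer build, paste the snippet into the TLS server block, run `nginx -t`, reload, and call `probe_tls13_suite your.host TLS_AES_256_GCM_SHA384` to confirm the suite is actually negotiated.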

Bryce Harrington (bryce)
tags: added: server-triage-discuss
tags: added: server-team-discuss; removed: server-triage-discuss
tags: added: server-triage-discuss; removed: server-team-discuss
Bryce Harrington (bryce) wrote :

Hi Dexter,

Ubuntu by policy keeps LTS releases stable, which means only bugfixes, not new upstream releases, are deployed to users. There are some exceptions made for certain packages, but nginx is not in that list (at least not yet). (I will talk to my team on the off chance that an exception is worth pursuing for nginx, but even in the best case the timeframe for getting such an exception analyzed and approved can be months or years.)

I would recommend you resolve the issue you've run into by uploading nginx 1.22.0 from kinetic into a PPA, but retargeted to jammy. Assuming it has built successfully, you can then install this on your systems and access the newer functionality.

Alternatively, if you think this is an important feature for Ubuntu to provide for all users, you could help by identifying the patch(es) needed from the upstream git tree to implement it, which could then be evaluated for jammy-updates. We generally do not cherrypick features for backport to LTS releases, but since TLSv1.3 is pretty important this may be a situation where this could be done. (Be forewarned though that often new features are implemented via numerous commits, so cherrypicking and backporting them can be infeasible or too risky for introducing regressions.)

Changed in nginx (Ubuntu):
status: New → Incomplete
DEXTER (mydexterid) wrote :

Although I think this would benefit all users, unfortunately I don't have that much time to figure out the patchset needed.

I probably will go the PPA route then.

Thanks.

Paride Legovini (paride)
Changed in nginx (Ubuntu):
importance: Undecided → Wishlist
Bryce Harrington (bryce) wrote :

Dexter, sounds good. Please feel free to post a link to your PPA here if you think it'd be of benefit for others encountering this problem.

I took a look at the changes added in release 1.19.4:

  https://trac.nginx.org/nginx/changeset?sfp_email=&sfph_mail=&reponame=nginx&new=dc0cc425fa63a80315f6efb68697cadb6626cdf2%40%2F&old=64b97c8166b80578fc68be60944d4e1ba56af87b%40%2F&sfp_email=&sfph_mail=

The patchset introducing the ssl_conf_command directive is this one:

  https://trac.nginx.org/nginx/changeset/7729/nginx/

The way the patch is structured, it doesn't look like it would be terribly complicated to backport. The question would be whether it has dependencies on earlier patches in the 1.19.x branch.

tags: removed: server-triage-discuss
Launchpad Janitor (janitor) wrote :

[Expired for nginx (Ubuntu) because there has been no activity for 60 days.]

Changed in nginx (Ubuntu):
status: Incomplete → Expired