[wishlist] Add TLSv1.3 support to apache2 on Bionic
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apache2 (Ubuntu) | Fix Released | Medium | Unassigned |
Bionic | Fix Released | Wishlist | Ubuntu Security Team |
Disco | Fix Released | Medium | Unassigned |
Bug Description
Since LP: #1797386, openssl with TLS 1.3 support is available on Bionic. This had the nice side effect of enabling TLS 1.3 for various services (nginx, postfix, dovecot, etc.) but not apache2.
TLS 1.3 support is required to use the "modern compatibility" configuration recommended by Mozilla [1]. Since Bionic is an LTS release and apache2 is popular and in main, it would be nice to have support for TLS 1.3.
According to [2], support for TLS 1.3 was added in version 2.4.36 while Bionic ships 2.4.29. Disco ships with 2.4.38 so should be OK.
1: https:/
2: https:/
[Test Case]
See comment #3 for a test case; alternatively, run the security team QRT apache2 test here: https:/
[Regression Potential]
Enabling TLSv1.3 as an SRU will introduce a new protocol in certain environments. This may be problematic for a small number of users, but the benefit of having TLSv1.3 enabled greatly outweighs that.
From an update point of view, the patchset is quite large, but it has been tested by the QRT script, and in production by users.
Status changed to 'Confirmed' because the bug affects multiple users.
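One way to confirm on a given host that apache2 now negotiates TLS 1.3, as an added example that is not part of this bug report or of the QRT test suite: a Python client that offers only TLS 1.3, as Mozilla's "modern" profile does, and reports whether the handshake completes. It probes the handshake instead of comparing version strings because the Bionic fix is described above as a patchset on the shipped package. The function names and the `--no-verify` flag are this example's own.

```python
import socket
import ssl
import sys


def tls13_only_context(verify=True):
    """Client context that offers TLS 1.3 and nothing older."""
    if not ssl.HAS_TLSv1_3:
        raise RuntimeError("local OpenSSL build has no TLS 1.3 support")
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    if not verify:
        # Only for test hosts that present a self-signed certificate.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_tls13(host, port=443, timeout=5.0, verify=True):
    """Return (ok, detail); ok is True only if a TLS 1.3 handshake completes."""
    ctx = tls13_only_context(verify)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, "%s %s" % (tls.version(), tls.cipher()[0])
    except ssl.SSLCertVerificationError as exc:
        # The protocol may be fine; the certificate is what failed.
        return False, "certificate verification failed: %s" % exc.verify_message
    except ssl.SSLError as exc:
        # A server limited to TLS 1.2 or older rejects the handshake here.
        return False, "handshake rejected: %s" % (exc.reason or exc)
    except OSError as exc:
        # Refused, reset, unreachable, or timed out.
        return False, "connection failed: %s" % exc


if __name__ == "__main__":
    args = sys.argv[1:]
    hosts = [a for a in args if not a.startswith("--")] or ["localhost"]
    ok, detail = probe_tls13(hosts[0], verify="--no-verify" not in args)
    print("TLSv1.3 %s: %s" % ("negotiated" if ok else "NOT negotiated", detail))
    sys.exit(0 if ok else 1)
```

A "certificate verification failed" result says nothing about protocol support; rerun with `--no-verify` against a test host to separate the two.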