Activity log for bug #1800214

Date Who What changed Old value New value Message
2018-10-26 19:28:02 Thomas Ward bug added bug
2018-10-26 19:30:13 Thomas Ward bug added subscriber Ubuntu Stable Release Updates Team
2018-10-26 19:31:49 Thomas Ward description
Old value: [Reason for SRU] Ubuntu Cosmic 18.10 ships with OpenSSL 1.1.1, which has TLS 1.3 support. It was intended to enable TLS 1.3 in the default nginx.conf so that TLS v1.3 support would be "enabled by default" if you enabled SSL, however it did not get included due to my own schedule and issues. TLS 1.3 is the newest TLS protocol version and is available in OpenSSL 1.1.1. Behind the scenes, if TLS 1.3 support is available in OpenSSL, it's available to NGINX when compiled against that version of OpenSSL. Enabling this by default in the NGINX configuration file is trivial to do, simply add TLSv1.3 to the `ssl_protocols` list. Doing this in the default config is probably a good idea since we have TLS v1.3 support available. This would be specifically for Cosmic. [Regression Potential] OpenSSL 1.1.1 is the latest stable release of OpenSSL as of September. TLS 1.3 is the latest TLS protocol. The TLS 1.3 protocol is the latest and 'more robust' TLS protocol version and should be used where possible. Regression potential for the change to enable TLSv1.3 by default for NGINX in Cosmic would be minimal, as OpenSSL already has this protocol available. Should this cause any regressions, reverting is very simple as we just remove TLSv1.3 from the ssl_protocols line in the nginx.conf file. [Other Info] It was completely intended prior to release that I would enable TLSv1.3 as a 'default' supported TLS protocol in nginx.conf. Unfortunately, things got a little bit busy for me and that change was not included. It would be beneficial to include TLSv1.3 in NGINX default protocols due to the additional security advantages that come with TLSv1.3.
New value: [Reason for SRU] Ubuntu Cosmic 18.10 ships with OpenSSL 1.1.1, which has TLS 1.3 support. It was intended to enable TLS 1.3 in the default nginx.conf so that TLS v1.3 support would be "enabled by default" if you enabled SSL, however it did not get included due to my own schedule and issues. TLS 1.3 is the newest TLS protocol version and is available in OpenSSL 1.1.1. Behind the scenes, if TLS 1.3 support is available in OpenSSL, it's available to NGINX when compiled against that version of OpenSSL. Enabling this by default in the NGINX configuration file is trivial to do, simply add TLSv1.3 to the `ssl_protocols` list. Doing this in the default config is probably a good idea since we have TLS v1.3 support available. This would be specifically for Cosmic. [Regression Potential] OpenSSL 1.1.1 is the latest stable release of OpenSSL as of September. TLS 1.3 is the latest TLS protocol. The TLS 1.3 protocol is the latest and 'more robust' TLS protocol version and should be used where possible. Regression potential for the change to enable TLSv1.3 by default for NGINX in Cosmic would be minimal, as OpenSSL already has this protocol available. Should this cause any regressions, reverting is very simple as we just remove TLSv1.3 from the ssl_protocols line in the nginx.conf file. [Other Info] It was completely intended prior to Cosmic's release that I would enable TLSv1.3 as a 'default' supported TLS protocol in nginx.conf. Unfortunately, things got a little bit busy for me and that change was not included. It would be beneficial to include TLSv1.3 in NGINX default protocols due to the additional security advantages that come with TLSv1.3.
2018-10-26 19:37:00 Thomas Ward nginx (Ubuntu): status New Incomplete
2018-10-26 19:37:01 Thomas Ward nginx (Ubuntu): status Incomplete In Progress
2018-10-26 19:40:56 Thomas Ward description
Old value: [Reason for SRU] Ubuntu Cosmic 18.10 ships with OpenSSL 1.1.1, which has TLS 1.3 support. It was intended to enable TLS 1.3 in the default nginx.conf so that TLS v1.3 support would be "enabled by default" if you enabled SSL, however it did not get included due to my own schedule and issues. TLS 1.3 is the newest TLS protocol version and is available in OpenSSL 1.1.1. Behind the scenes, if TLS 1.3 support is available in OpenSSL, it's available to NGINX when compiled against that version of OpenSSL. Enabling this by default in the NGINX configuration file is trivial to do, simply add TLSv1.3 to the `ssl_protocols` list. Doing this in the default config is probably a good idea since we have TLS v1.3 support available. This would be specifically for Cosmic. [Regression Potential] OpenSSL 1.1.1 is the latest stable release of OpenSSL as of September. TLS 1.3 is the latest TLS protocol. The TLS 1.3 protocol is the latest and 'more robust' TLS protocol version and should be used where possible. Regression potential for the change to enable TLSv1.3 by default for NGINX in Cosmic would be minimal, as OpenSSL already has this protocol available. Should this cause any regressions, reverting is very simple as we just remove TLSv1.3 from the ssl_protocols line in the nginx.conf file. [Other Info] It was completely intended prior to Cosmic's release that I would enable TLSv1.3 as a 'default' supported TLS protocol in nginx.conf. Unfortunately, things got a little bit busy for me and that change was not included. It would be beneficial to include TLSv1.3 in NGINX default protocols due to the additional security advantages that come with TLSv1.3.
New value: [Reason for SRU] Ubuntu Cosmic 18.10 ships with OpenSSL 1.1.1, which has TLS 1.3 support. It was intended to enable TLS 1.3 in the default nginx.conf so that TLS v1.3 support would be "enabled by default" if you enabled SSL, however it did not get included due to my own schedule and issues. TLS 1.3 is the newest TLS protocol version and is available in OpenSSL 1.1.1. Behind the scenes, if TLS 1.3 support is available in OpenSSL, it's available to NGINX when compiled against that version of OpenSSL. Enabling this by default in the NGINX configuration file is trivial to do, simply add TLSv1.3 to the `ssl_protocols` list. Doing this in the default config is probably a good idea since we have TLS v1.3 support available. This would be specifically for Cosmic. [Regression Potential] OpenSSL 1.1.1 is the latest stable release of OpenSSL as of September. TLS 1.3 is the latest TLS protocol. The TLS 1.3 protocol is the latest and 'more robust' TLS protocol version and should be used where possible. Regression potential for the change to enable TLSv1.3 by default for NGINX in Cosmic would be minimal, as OpenSSL already has this protocol available. Should this cause any regressions, reverting is very simple as we just remove TLSv1.3 from the ssl_protocols line in the nginx.conf file. There is a regression risk for *browsers and clients* accessing things running on NGINX - TLS 1.3 could have some rollout pains and some browsers and endpoint clients might barf as TLS 1.3 becomes a 'thing'. However, this is more or less on those clients to be a failure case, and if we get too many things breaking from this enabling TLS1.3 in addition to TLS 1.2, 1.1, and 1.0, we can just revert this change with the simple revision change indicated above (remove TLS1.3 from the ssl_protocols in nginx.conf) [Other Info] It was completely intended prior to Cosmic's release that I would enable TLSv1.3 as a 'default' supported TLS protocol in nginx.conf. Unfortunately, things got a little bit busy for me and that change was not included. It would be beneficial to include TLSv1.3 in NGINX default protocols due to the additional security advantages that come with TLSv1.3.
2018-11-03 00:31:12 Steve Langasek description
Old value: [Reason for SRU] Ubuntu Cosmic 18.10 ships with OpenSSL 1.1.1, which has TLS 1.3 support. It was intended to enable TLS 1.3 in the default nginx.conf so that TLS v1.3 support would be "enabled by default" if you enabled SSL, however it did not get included due to my own schedule and issues. TLS 1.3 is the newest TLS protocol version and is available in OpenSSL 1.1.1. Behind the scenes, if TLS 1.3 support is available in OpenSSL, it's available to NGINX when compiled against that version of OpenSSL. Enabling this by default in the NGINX configuration file is trivial to do, simply add TLSv1.3 to the `ssl_protocols` list. Doing this in the default config is probably a good idea since we have TLS v1.3 support available. This would be specifically for Cosmic. [Regression Potential] OpenSSL 1.1.1 is the latest stable release of OpenSSL as of September. TLS 1.3 is the latest TLS protocol. The TLS 1.3 protocol is the latest and 'more robust' TLS protocol version and should be used where possible. Regression potential for the change to enable TLSv1.3 by default for NGINX in Cosmic would be minimal, as OpenSSL already has this protocol available. Should this cause any regressions, reverting is very simple as we just remove TLSv1.3 from the ssl_protocols line in the nginx.conf file. There is a regression risk for *browsers and clients* accessing things running on NGINX - TLS 1.3 could have some rollout pains and some browsers and endpoint clients might barf as TLS 1.3 becomes a 'thing'. However, this is more or less on those clients to be a failure case, and if we get too many things breaking from this enabling TLS1.3 in addition to TLS 1.2, 1.1, and 1.0, we can just revert this change with the simple revision change indicated above (remove TLS1.3 from the ssl_protocols in nginx.conf) [Other Info] It was completely intended prior to Cosmic's release that I would enable TLSv1.3 as a 'default' supported TLS protocol in nginx.conf. Unfortunately, things got a little bit busy for me and that change was not included. It would be beneficial to include TLSv1.3 in NGINX default protocols due to the additional security advantages that come with TLSv1.3.
New value: [Reason for SRU] Ubuntu Cosmic 18.10 ships with OpenSSL 1.1.1, which has TLS 1.3 support. It was intended to enable TLS 1.3 in the default nginx.conf so that TLS v1.3 support would be "enabled by default" if you enabled SSL, however it did not get included due to my own schedule and issues. TLS 1.3 is the newest TLS protocol version and is available in OpenSSL 1.1.1. Behind the scenes, if TLS 1.3 support is available in OpenSSL, it's available to NGINX when compiled against that version of OpenSSL. Enabling this by default in the NGINX configuration file is trivial to do, simply add TLSv1.3 to the `ssl_protocols` list. Doing this in the default config is probably a good idea since we have TLS v1.3 support available. This would be specifically for Cosmic. [Regression Potential] OpenSSL 1.1.1 is the latest stable release of OpenSSL as of September. TLS 1.3 is the latest TLS protocol. The TLS 1.3 protocol is the latest and 'more robust' TLS protocol version and should be used where possible. There is risk of regression for clients which fail to negotiate a connection when TLS 1.3 is presented. This is a risk we are accepting as a necessary evil of continuing to evolve the security of network services on the Internet. If nginx-specific protocol negotiation regressions are identified with the use of TLSv1.3 which are not seen with other TLSv1.3-enabled servers in cosmic, these must still be treated with priority as SRU regressions. [Other Info] It was completely intended prior to Cosmic's release that I would enable TLSv1.3 as a 'default' supported TLS protocol in nginx.conf. Unfortunately, things got a little bit busy for me and that change was not included. It would be beneficial to include TLSv1.3 in NGINX default protocols due to the additional security advantages that come with TLSv1.3.
2018-11-03 00:31:23 Steve Langasek nginx (Ubuntu Cosmic): status New Fix Committed
2018-11-03 00:31:25 Steve Langasek bug added subscriber SRU Verification
2018-11-03 00:31:29 Steve Langasek tags Old value: cosmic New value: cosmic verification-needed verification-needed-cosmic
2018-11-03 21:30:21 Mathew Hodson nginx (Ubuntu Cosmic): importance Undecided Wishlist
2018-11-06 19:35:09 Thomas Ward tags Old value: cosmic verification-needed verification-needed-cosmic New value: cosmic verification-done verification-done-cosmic
2018-11-06 19:36:12 Thomas Ward nominated for series Ubuntu Disco
2018-11-06 19:36:12 Thomas Ward bug task added nginx (Ubuntu Disco)
2018-11-06 19:36:34 Thomas Ward nginx (Ubuntu Disco): status In Progress Fix Committed
2018-11-07 16:08:35 Thomas Ward nginx (Ubuntu Cosmic): status Fix Committed Fix Released
2018-11-08 21:59:19 Launchpad Janitor nginx (Ubuntu Disco): status Fix Committed Fix Released