Hi,
good idea in theory, but I want to add my 2cents: Please coordinate this update with ALL affected packages, like apache2 and nginx.
My reason is:
I just tried the PPA and found that nginx works with TLS 1.3 after that right out of the box.
HOWEVER, there is a problem: openssl 1.1.1 has changed the way the cipher suites are configured - the ones for TLS 1.3 are configured separately, see here:
https://github.com/openssl/openssl/commit/f865b08143b453962ad4afccd69e698d13c60f77
Nginx on the other hand has chosen to not support that new configuration at all, see:
https://trac.nginx.org/nginx/ticket/1529
That means that the predefined order of TLS 1.3 is:
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
and cannot be changed - it took me hours to find that out since the Nginx 1.15 documentation does not tell you that the TLS 1.3 ciphers cannot be changed by ssl_ciphers, but are silently ignored.
The default set and order of ciphersuites may suit your needs or not - as a matter of fact it makes my SSLLabs score worse because of the AES128 cipher used. I have tried to apply other defaults in /etc/ssl/openssl.conf but they do not seem to work for nginx. Neither could I just disable TLS 1.3 in order to restore the old behaviour other than to restore OpenSSL 1.1.0 by using "ppa-purge ppa:ci-train-ppa-service/3473".
Kind regards,
Uwe
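The split Uwe describes can be observed from the library side. The following is an added example (mine, not from this thread, nginx or OpenSSL) using Python's ssl module, whose set_ciphers() wraps only SSL_CTX_set_cipher_list(), the same call nginx's ssl_ciphers drives; it assumes CPython built against OpenSSL 1.1.1 or later, and the helper names are my own.

```python
import ssl

# In OpenSSL 1.1.1 the two cipher configuration paths are independent:
#   SSL_CTX_set_cipher_list()  - classic cipher string, TLS 1.2 and older only
#   SSL_CTX_set_ciphersuites() - TLS 1.3 suites, e.g.
#       "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
# CPython's ssl module (like nginx's ssl_ciphers directive) only exposes the
# first one, so whatever we pass below cannot touch the TLS 1.3 set or order.

TLS13_SUPPORTED = ssl.HAS_TLSv1_3


def enabled_suites(cipher_list):
    """Apply a classic cipher string to a fresh context and return
    (tls13_names, older_names) in the order the library will offer them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    tls13, older = [], []
    for cipher in ctx.get_ciphers():
        bucket = tls13 if cipher["protocol"] == "TLSv1.3" else older
        bucket.append(cipher["name"])
    return tls13, older


def tls13_order_is_independent(cipher_list_a, cipher_list_b):
    """True when two different classic cipher strings leave exactly the same
    TLS 1.3 suites enabled, in the same order: the 'silently ignored' effect."""
    return enabled_suites(cipher_list_a)[0] == enabled_suites(cipher_list_b)[0]


if __name__ == "__main__":
    # Even naming a TLS 1.3 suite first in the classic string changes nothing
    # about the TLS 1.3 order; only the TLS 1.2 part of the list is affected.
    for s in ("ECDHE-RSA-AES256-GCM-SHA384",
              "TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384"):
        t13, old = enabled_suites(s)
        print(f"{s!r}\n  TLS 1.3 : {t13}\n  TLS<=1.2: {old}")
```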