[SRU] No Changes Rebuild in Bionic for OpenSSL compat reasons

Bug #1836366 reported by Thomas Ward
This bug affects 2 people
Affects          Status        Importance  Assigned to   Milestone
nginx (Ubuntu)   Invalid       Undecided   Unassigned
Bionic           Fix Released  Medium      Thomas Ward

Bug Description

[Impact]

Upstream NGINX notified me that for proper TLS1.3 controls in NGINX it needs to be rebuilt against OpenSSL 1.1.1, which is now in Bionic.

[Test Case]

PREREQUISITES:
(1) Install `ssl-cert` if not already installed.
(2) Install the latest OpenSSL from bionic-updates. This includes libssl, etc.

Current Version (TLS1.3 "Used By Default" due to OpenSSL configs globally):
(3) Install the current NGINX version.
(4) Replace the contents of /etc/nginx/sites-available/default with the contents of the `test-config-ssl.conf` file attached to this bug.
(5) From the NGINX server itself, RUN: openssl s_client -tls1_3 -connect localhost:443

You should see output indicating TLS1.3 is available by default.

(6) Also run: openssl s_client -tls1_2 -connect localhost:443

It should still establish a new TLS1.2 connection.

New Version (TLS1.3 Available at Build Time, default Disabled by nginx configs in the package):

(7) Install the nginx version from Proposed.
(8) Replace the contents of /etc/nginx/sites-available/default with the contents of the `test-config-ssl.conf` file attached to this bug.
(9) From the NGINX server itself, RUN: openssl s_client -tls1_3 -connect localhost:443

This should fail to connect as expected (default nginx.conf doesn't enable TLS1.3).

(10) Run: openssl s_client -tls1_2 -connect localhost:443

This should still work.

[Regression Potential]

Moderate, but all would be due to OpenSSL versions which we can't revert to. This is a no-change rebuild; any regressions in this would be directly due to OpenSSL.

[Other Info]

This is based on info obtained from https://trac.nginx.org/nginx/ticket/1654

Upstream has indicated that a rebuild against 1.1.1 shouldn't introduce any other 'oddness' that isn't already a problem due to the OpenSSL SRU independently of the NGINX rebuild. TLS1.2 and such should still function as intended, TLS1.3 will be disabled by default.

Thomas Ward (teward)
Changed in nginx (Ubuntu Bionic):
assignee: nobody → Thomas Ward (teward)
importance: Undecided → Medium
status: New → In Progress
Changed in nginx (Ubuntu):
assignee: Thomas Ward (teward) → nobody
importance: Medium → Undecided
status: In Progress → Invalid
Thomas Ward (teward)
Changed in nginx (Ubuntu Bionic):
status: In Progress → Fix Committed
Andy Whitcroft (apw) wrote : Please test proposed package

Hello Thomas, or anyone else affected,

Accepted nginx into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nginx/1.14.0-0ubuntu1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-bionic
Andy Whitcroft (apw) wrote :

Note in the short term this could and should only be released to -updates.

Łukasz Zemczak (sil2100) wrote : Autopkgtest regression report (nginx/1.14.0-0ubuntu1.3)

All autopkgtests for the newly accepted nginx (1.14.0-0ubuntu1.3) for bionic have finished running.
There have been regressions in tests triggered by the package. Please visit the sru report page and investigate the failures.

https://people.canonical.com/~ubuntu-archive/pending-sru.html#bionic

Thomas Ward (teward) wrote :

sil2100 et al:

The SRU regression observed was an environment failure to retrieve from the internal repo server. Autopkgtest has been queued to rerun but the error reported is not due to NGINX. If the autopkgtest fails again for a different issue we can address it then.

Thomas Ward (teward) wrote :

The autopkgtest no longer fails; the issue was local to the build environment and its networking uplinks to the repos.

"regression" cleared without incident or work.

Steve Langasek (vorlon) wrote :

I'm putting the brakes on this SRU for the moment, because "N/A" is not an adequate test case for any change. We are doing this rebuild precisely because we know it changes behavior of the application to rebuild it against newer openssl headers, but there's no information here that confirms that the only behavior change in nginx is to enable configurability of protocol negotiation for the newer protocol, and based on discussions on IRC we specifically know that the nginx autopkgtests do NOT test ssl functionality.

tags: added: verification-failed-bionic
removed: verification-needed-bionic
Steve Langasek (vorlon) wrote :

To illuminate why I think "no-change rebuild that causes the binary to get different behavior as a result of newer headers" is not a slam-dunk:

$ apt download libssl-dev=1.1.0g-2ubuntu4; apt download libssl-dev
$ dpkg-deb -R libssl-dev_1.1.0g-2ubuntu4_amd64.deb old
$ dpkg-deb -R libssl-dev_1.1.1-1ubuntu2.1~18.04.4_amd64.deb new
$ diff -uNr {old,new}/usr/include/ | grep '^[-+][[:space:]]*#[[:space:]]*define'|wc -l
7057
$

Thomas Ward (teward)
description: updated
Thomas Ward (teward) wrote :

Upstream has indicated via http://mailman.nginx.org/pipermail/nginx-devel/2019-July/012430.html that to their knowledge, with TLS1.3 enabled, there is no other 'TLS 1.3' behavior not handled by OpenSSL that is otherwise introduced by default.

Note that in NGINX Upstream, and down here in Ubuntu, the default nginx.conf file that's going to be available by this SRU doesn't actually *enable* TLS 1.3 by default - that will be the largest difference. TLS 1.3 will be enabled only if enabled by the administrator, at which point all TLS1.3 risk and compatibility assumptions are accepted by the sysadmin who actually enables it.

description: updated
Thomas Ward (teward) wrote :

I've also written a full test case, give me a minute to add the example config here.

Thomas Ward (teward) wrote :
Simon Déziel (sdeziel) wrote :

I can confirm that it does work as expected with package 1.14.0-0ubuntu1.3 from bionic-proposed. I tested on my personal site.

Before (1.2 and 1.3 work despite 1.3 not being explicitly enabled):

$ echo q | openssl s_client -connect sdeziel.info:443 -tls1_2 -no_ign_eof 2>/dev/null | grep 'Cipher is'
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305

$ echo q | openssl s_client -connect sdeziel.info:443 -tls1_3 -no_ign_eof 2>/dev/null | grep 'Cipher is'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

# apt-get dist-upgrade
Calculating upgrade... Done
The following packages will be upgraded:
   libnginx-mod-http-geoip (1.14.0-0ubuntu1.2 => 1.14.0-0ubuntu1.3)
   libnginx-mod-http-image-filter (1.14.0-0ubuntu1.2 => 1.14.0-0ubuntu1.3)
   libnginx-mod-http-xslt-filter (1.14.0-0ubuntu1.2 => 1.14.0-0ubuntu1.3)
   libnginx-mod-mail (1.14.0-0ubuntu1.2 => 1.14.0-0ubuntu1.3)
   libnginx-mod-stream (1.14.0-0ubuntu1.2 => 1.14.0-0ubuntu1.3)
   nginx-common (1.14.0-0ubuntu1.2 => 1.14.0-0ubuntu1.3)
   nginx-core (1.14.0-0ubuntu1.2 => 1.14.0-0ubuntu1.3)

After (only 1.2 works == bug fixed):

$ echo q | openssl s_client -connect sdeziel.info:443 -tls1_2 -no_ign_eof 2>/dev/null | grep 'Cipher is'
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305

$ echo q | openssl s_client -connect sdeziel.info:443 -tls1_3 -no_ign_eof 2>/dev/null | grep 'Cipher is'
New, (NONE), Cipher is (NONE)

After the update and manually enabling TLS 1.3 (1.2 and 1.3 work):

$ echo q | openssl s_client -connect sdeziel.info:443 -tls1_2 -no_ign_eof 2>/dev/null | grep 'Cipher is'
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305

$ echo q | openssl s_client -connect sdeziel.info:443 -tls1_3 -no_ign_eof 2>/dev/null | grep 'Cipher is'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

tags: added: verification-done verification-done-bionic
removed: verification-failed-bionic verification-needed
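The checks in the [Test Case] steps of the description and in the verification transcript above both come down to the same two things: which protocol `openssl s_client` negotiated for each forced version, and whether the nginx configuration actually lists TLSv1.3 in `ssl_protocols`. The script below is an added example, not part of the bug report or the nginx package. It assumes a script name of `tls-check.sh`, the verdict labels (`tls12-only`, `tls12-and-tls13`, `tls12-broken`) are this example's own, and the server block printed by `sample_config` is a constructed stand-in, not the `test-config-ssl.conf` attached to the bug. Only `probe` touches the network, and only when a host and port are given on the command line; the parsing, classification and config check all run offline.

```shell
#!/bin/sh
# Added example (not from the bug report or the nginx package): turn
# `openssl s_client` output into a negotiated-protocol label, classify a
# server from its TLS1.2/TLS1.3 probe results the way the SRU test case
# expects, and report whether an nginx config file enables TLSv1.3.

# negotiated_protocol: read s_client output on stdin and print the protocol
# named on its "New, <proto>, Cipher is <cipher>" line. A failed handshake
# prints "New, (NONE), Cipher is (NONE)" (or nothing at all when stderr is
# discarded); both cases are reported as NONE.
negotiated_protocol() {
    proto=$(sed -n 's/^New, \([^,]*\), Cipher is .*$/\1/p' | head -n 1)
    case "$proto" in
        ""|"(NONE)") echo NONE ;;
        *)           echo "$proto" ;;
    esac
}

# probe HOST PORT FLAG: handshake with a single protocol version forced by
# FLAG (-tls1_2 or -tls1_3) and print what was negotiated. Same s_client
# invocation as the verification transcript; `echo q` closes the session.
probe() {
    echo q | openssl s_client -connect "$1:$2" "$3" -no_ign_eof 2>/dev/null \
        | negotiated_protocol
}

# classify_server TLS12_RESULT TLS13_RESULT: map the two probe results onto
# the three states the SRU cares about (labels are this example's own).
#   tls12-only      - expected for the rebuilt package with the stock config
#   tls12-and-tls13 - old build (OpenSSL decided), or TLSv1.3 enabled by the admin
#   tls12-broken    - TLSv1.2 no longer works: a regression, never expected
classify_server() {
    if [ "$1" != "TLSv1.2" ]; then
        echo tls12-broken
    elif [ "$2" = "TLSv1.3" ]; then
        echo tls12-and-tls13
    else
        echo tls12-only
    fi
}

# tls13_in_config FILE: succeed when an uncommented ssl_protocols directive
# in FILE lists TLSv1.3, fail otherwise. Comments are stripped first so a
# commented-out directive does not count as enabled.
tls13_in_config() {
    sed 's/#.*//' "$1" | grep -qE '^[[:space:]]*ssl_protocols[^;]*TLSv1\.3[^;]*;'
}

# sample_config on|off: print a constructed server block (an assumption for
# this example, not the test-config-ssl.conf attached to the bug) with or
# without TLSv1.3 in ssl_protocols.
sample_config() {
    if [ "$1" = "on" ]; then protos="TLSv1.2 TLSv1.3"; else protos="TLSv1.2"; fi
    cat <<EOF
server {
    listen 443 ssl default_server;
    server_name _;
    # snakeoil cert from the ssl-cert package named in the prerequisites
    ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    # ssl_protocols TLSv1.2 TLSv1.3;   (commented out: must not count as enabled)
    ssl_protocols $protos;
    root /var/www/html;
}
EOF
}

# Command-line use: ./tls-check.sh HOST PORT [CONFIG_FILE]
if [ $# -ge 2 ]; then
    r12=$(probe "$1" "$2" -tls1_2)
    r13=$(probe "$1" "$2" -tls1_3)
    echo "TLSv1.2 probe: $r12; TLSv1.3 probe: $r13; verdict: $(classify_server "$r12" "$r13")"
    if [ -n "${3:-}" ]; then
        if tls13_in_config "$3"; then echo "$3 enables TLSv1.3"; else echo "$3 does not enable TLSv1.3"; fi
    fi
fi
```

Run as `./tls-check.sh localhost 443 /etc/nginx/nginx.conf` on the server under test: the rebuilt package with the stock config should give `tls12-only` and "does not enable TLSv1.3", the old build gives `tls12-and-tls13` even though the config does not list it, and `tls12-broken` on either package is the regression the SRU reviewers asked to be ruled out.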
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.14.0-0ubuntu1.3

---------------
nginx (1.14.0-0ubuntu1.3) bionic; urgency=medium

  * No changes rebuild (to build against OpenSSL 1.1.1 in Bionic)
    (LP: #1836366)

 -- Thomas Ward <email address hidden> Fri, 12 Jul 2019 14:18:43 -0400

Changed in nginx (Ubuntu Bionic):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for nginx has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
