[SRU] No Changes Rebuild in Bionic for OpenSSL compat reasons
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
nginx (Ubuntu) | Invalid | Undecided | Unassigned | |
Bionic | Fix Released | Medium | Thomas Ward | |
Bug Description
[Impact]
Upstream NGINX notified me that for proper TLS1.3 controls in NGINX it needs to be rebuilt against OpenSSL 1.1.1 that is now in Bionic.
[Test Case]
PREREQUISITES:
(1) Install `ssl-cert` if not already installed.
(2) Install latest OpenSSL from bionic-updates. This includes libssl, etc.
Current Version (TLS1.3 "Used By Default" due to OpenSSL configs globally)
(2) Install the current NGINX version.
(3) Replace the contents of /etc/nginx/
(4) From the NGINX server itself, RUN: openssl s_client -tls1_3 -connect localhost:443
You should see output indicating TLS1.3 is available by default.
(5) Also run: openssl s_client -tls1_2 -connect localhost:443
It should still establish a new TLS1.2 connection.
New Version (TLS1.3 Available at Build Time, default Disabled by nginx configs in the package):
(5) Install the nginx version from Proposed
(6) Replace the contents of /etc/nginx/
This should fail to connect as expected (default nginx.conf doesn't enable TLS1.3)
(8) Run: openssl s_client -tls1_2 -connect localhost:443
This should still work.
[Regression Potential]
Moderate, but all would be due to OpenSSL versions which we can’t revert to. This is a no-change rebuild; any regressions in this would be directly due to OpenSSL.
[Other Info]
This is based on info obtained from https:/
Upstream has indicated that a rebuild against 1.1.1 shouldn't introduce any other 'oddness' that isn't already a problem due to the OpenSSL SRU independently of the NGINX rebuild. TLS1.2 and such should still function as intended, TLS1.3 will be disabled by default.
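The s_client checks in the test case above can be scripted; this is an added example, not part of the bug report or the nginx packaging. It assumes the `New, <protocol>, Cipher is ...` summary line printed by OpenSSL 1.1.1's s_client, and that the proposed-stage TLS1.3 check (whose step is missing from the description) reuses the command from step (4). The function names, the `check.sh` script name and the sample outputs are constructed for illustration.

```bash
#!/bin/bash
# Added example: scripted version of the s_client checks in the test case.

# Constructed s_client output samples (not captured from the bug report).
SAMPLE_TLS13='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'
SAMPLE_TLS12='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_FAIL='CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)'

# Read s_client output on stdin and print the negotiated protocol, or NONE
# when the handshake failed or no summary line was printed at all.
negotiated_protocol() {
    awk -F', ' '
        /^New, / { p = ($2 == "(NONE)") ? "NONE" : $2; print p; found = 1; exit }
        END      { if (!found) print "NONE" }'
}

# $1 = stage (current|proposed), $2 = s_client flag, stdin = s_client output.
# Expectations follow the test case: TLS1.3 negotiates only in the current
# stage; TLS1.2 must work in both.
verdict() {
    got=$(negotiated_protocol)
    case "$1:$2" in
        current:-tls1_3)  want=TLSv1.3 ;;
        proposed:-tls1_3) want=NONE ;;
        current:-tls1_2|proposed:-tls1_2) want=TLSv1.2 ;;
        *) echo "UNKNOWN $1 $2"; return 2 ;;
    esac
    if [ "$got" = "$want" ]; then
        echo "PASS $2 negotiated=$got"
    else
        echo "FAIL $2 negotiated=$got expected=$want"
        return 1
    fi
}

# Live run against a server (hypothetical name): ./check.sh --live proposed [host:port]
if [ "${1:-}" = "--live" ]; then
    rc=0
    for flag in -tls1_3 -tls1_2; do
        openssl s_client "$flag" -connect "${3:-localhost:443}" </dev/null 2>&1 |
            verdict "${2:-proposed}" "$flag" || rc=1
    done
    exit "$rc"
fi
```

A FAIL on `-tls1_3` in the proposed stage means TLS1.3 was negotiated even though the default nginx.conf is not expected to enable it.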
Changed in nginx (Ubuntu Bionic):
assignee: nobody → Thomas Ward (teward)
importance: Undecided → Medium
status: New → In Progress
Changed in nginx (Ubuntu):
assignee: Thomas Ward (teward) → nobody
importance: Medium → Undecided
status: In Progress → Invalid
Changed in nginx (Ubuntu Bionic):
status: In Progress → Fix Committed
description: updated
Hello Thomas, or anyone else affected,
Accepted nginx into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nginx/1.14.0-0ubuntu1.3 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.
Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.