Public bug reported:

[Reason for SRU]

Ubuntu Cosmic 18.10 ships with OpenSSL 1.1.1, which has TLS 1.3 support.
It was intended to enable TLS 1.3 in the default nginx.conf so that TLS
v1.3 support would be "enabled by default" if you enabled SSL, however
it did not get included due to my own schedule and issues.

TLS 1.3 is the newest TLS protocol version and is available in OpenSSL
1.1.1.  Behind the scenes, if TLS 1.3 support is available in OpenSSL,
it's available to NGINX when compiled against that version of OpenSSL.

Enabling this by default in the NGINX configuration file is trivial to
do, simply add TLSv1.3 to the `ssl_protocols` list.  Doing this in the
default config is probably a good idea since we have TLS v1.3 support
available.

This would be specifically for Cosmic.

[Regression Potential]

OpenSSL 1.1.1 is the latest stable release of OpenSSL as of September.
TLS 1.3 is the latest TLS protocol.  The TLS 1.3 protocol is the latest
and 'more robust' TLS protocol version and should be used where
possible.

Regression potential for the change to enable TLSv1.3 by default for
NGINX in Cosmic would be minimal, as OpenSSL already has this protocol
available.

Should this cause any regressions, reverting is very simple as we just
remove TLSv1.3 from the ssl_protocols line in the nginx.conf file.

[Other Info]

It was completely intended prior to Cosmic's release that I would enable
TLSv1.3 as a 'default' supported TLS protocol in nginx.conf.
Unfortunately, things got a little bit busy for me and that change was
not included.

It would be beneficial to include TLSv1.3 in NGINX default protocols due
to the additional security advantages that come with TLSv1.3.

** Affects: nginx (Ubuntu)
     Importance: Wishlist
         Status: In Progress


** Tags: cosmic

** Description changed:

  [Reason for SRU]
  
  Ubuntu Cosmic 18.10 ships with OpenSSL 1.1.1, which has TLS 1.3 support.
  It was intended to enable TLS 1.3 in the default nginx.conf so that TLS
  v1.3 support would be "enabled by default" if you enabled SSL, however
  it did not get included due to my own schedule and issues.
  
  TLS 1.3 is the newest TLS protocol version and is available in OpenSSL
  1.1.1.  Behind the scenes, if TLS 1.3 support is available in OpenSSL,
  it's available to NGINX when compiled against that version of OpenSSL.
  
  Enabling this by default in the NGINX configuration file is trivial to
  do, simply add TLSv1.3 to the `ssl_protocols` list.  Doing this in the
  default config is probably a good idea since we have TLS v1.3 support
  available.
  
  This would be specifically for Cosmic.
  
- 
  [Regression Potential]
  
  OpenSSL 1.1.1 is the latest stable release of OpenSSL as of September.
  TLS 1.3 is the latest TLS protocol.  The TLS 1.3 protocol is the latest
  and 'more robust' TLS protocol version and should be used where
  possible.
  
  Regression potential for the change to enable TLSv1.3 by default for
  NGINX in Cosmic would be minimal, as OpenSSL already has this protocol
  available.
  
  Should this cause any regressions, reverting is very simple as we just
  remove TLSv1.3 from the ssl_protocols line in the nginx.conf file.
  
- 
  [Other Info]
  
- It was completely intended prior to release that I would enable TLSv1.3
- as a 'default' supported TLS protocol in nginx.conf.  Unfortunately,
- things got a little bit busy for me and that change was not included.
+ It was completely intended prior to Cosmic's release that I would enable
+ TLSv1.3 as a 'default' supported TLS protocol in nginx.conf.
+ Unfortunately, things got a little bit busy for me and that change was
+ not included.
  
  It would be beneficial to include TLSv1.3 in NGINX default protocols due
  to the additional security advantages that come with TLSv1.3.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1800214

Title:
  Enable TLS 1.3 by default in NGINX configs for Cosmic
