Public bug reported:

* Use case

An admin wants to tune ssl_protocols and ssl_prefer_server_ciphers, so
he/she drops a snippet file in /etc/nginx/conf.d/, as other parameters
are usually configured.

* Problem

This doesn't work as those 2 parameters are already set in the global
config shipped by the package, thus resulting in conflicts:

# nginx -t
nginx: [emerg] "ssl_prefer_server_ciphers" directive is duplicate in /etc/nginx/conf.d/ssl.conf:4
nginx: configuration file /etc/nginx/nginx.conf test failed

Removing/commenting out ssl_prefer_server_ciphers from
/etc/nginx/nginx.conf then causes warnings on ssl_protocols like these:

# nginx -t
nginx: [warn] duplicate value "TLSv1.2" in /etc/nginx/conf.d/ssl.conf:5
nginx: [warn] duplicate value "TLSv1.3" in /etc/nginx/conf.d/ssl.conf:5
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

This leaves the admin to edit the main nginx.conf shipped by the package,
which is less than ideal.

* Potential fix

I think the ssl_protocols and ssl_prefer_server_ciphers directives
should be dropped from the main nginx.conf.

# ssl_protocols was set initially to drop support for SSLv3 (due to the
POODLE vulnerability), but the upstream default value baked in no longer
has SSLv3 anyway

# ssl_prefer_server_ciphers made sense some time ago, but it is not
recommended anymore now that we have TLS 1.3. Mozilla's recommendation
is to let the client choose the cipher for their modern and intermediate
compatibility lists from
https://wiki.mozilla.org/Security/Server_Side_TLS

* Steps to reproduce:

1) create a groovy container
lxc launch images:ubuntu/groovy ng1
2) install nginx-light in it
lxc exec ng1 -- apt install nginx-light
3) try to override the 2 params
cat << EOF | lxc exec ng1 -- tee /etc/nginx/conf.d/ssl.conf
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.2 TLSv1.3;
EOF
4) check the configuration
lxc exec ng1 -- nginx -t

Step 4) should return neither [emerg] nor [warn] messages if there is no
clash. It currently fails due to the ssl_prefer_server_ciphers
directive.

** Affects: nginx (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1883951

Title:
  [wishlist] drop ssl_protocols and ssl_prefer_server_ciphers from
  nginx.conf

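Added example, not part of the bug report or of the nginx package: a small Python checker that models what nginx -t does with the packaged nginx.conf and its conf.d includes, so the two kinds of message quoted in the report can be predicted (and the proposed fix checked) without launching a container. It parses directives one {} block at a time, follows include globs into the current block, and mirrors the relevant nginx handlers: ssl_prefer_server_ciphers (a flag) and ssl_ciphers (a string) reject a second occurrence in the same block with "directive is duplicate", while ssl_protocols (a bitmask) only warns per repeated value. The config contents embedded below are constructed stand-ins, not the real packaged file, and the in-memory file map replaces the filesystem so the script runs offline. Unlike nginx -t, which stops at the first [emerg], the checker reports everything it finds.

```python
"""Predict the nginx -t messages from the report without running nginx.

Added example (not from the bug report or the nginx package). It walks an
nginx.conf together with the files its include directives pull in, keeping
one context per {} block, and flags:

  * [emerg] "X" directive is duplicate  for single-valued directives that
    occur twice in the same block (nginx's flag/string slots), and
  * [warn] duplicate value "V"          for the bitmask directive
    ssl_protocols when a value is repeated in the same block.

The config contents below are constructed stand-ins for the packaged
/etc/nginx/nginx.conf and an admin's /etc/nginx/conf.d/ssl.conf snippet.
"""
import fnmatch
import re

# A second occurrence in one block makes nginx abort with "directive is duplicate"
# (ngx_conf_set_flag_slot for the on/off flag, ngx_conf_set_str_slot for ssl_ciphers).
SINGLE_VALUE = {"ssl_prefer_server_ciphers", "ssl_ciphers"}
# ngx_conf_set_bitmask_slot merges repeated occurrences and only warns per repeated value.
BITMASK = {"ssl_protocols"}

_TOKEN = re.compile(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};"']+''')


def tokenize(text):
    """Yield (token, line_number). '#' comments are stripped per line; a '#'
    inside quotes is not special-cased, which is enough for these snippets."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        for tok in _TOKEN.findall(line.split("#", 1)[0]):
            yield tok.strip("\"'"), lineno


def check(files, root="/etc/nginx/nginx.conf"):
    """Return (level, message, path, line) findings in parse order.

    `files` maps absolute paths to contents, standing in for the filesystem.
    Unlike nginx -t, which stops at the first [emerg], every clash is reported.
    """
    findings = []
    contexts = [{}]  # one dict per open block: directive -> earlier value lists

    def walk(path):
        args = []
        for tok, lineno in tokenize(files[path]):
            if tok == "{":
                contexts.append({})  # args[0] is the block name (http, server, ...)
                args = []
            elif tok == "}":
                contexts.pop()
                args = []
            elif tok == ";":
                directive(path, lineno, args)
                args = []
            else:
                args.append(tok)

    def directive(path, lineno, args):
        if not args:
            return
        name, values = args[0], args[1:]
        if name == "include":
            # nginx expands the glob and parses each match inside the current
            # block, which is why a conf.d snippet lands in http {}. Paths that
            # match nothing are simply skipped here.
            for match in sorted(fnmatch.filter(files, values[0])):
                walk(match)
            return
        prior = contexts[-1].setdefault(name, [])
        if name in SINGLE_VALUE and prior:
            findings.append(("emerg", f'"{name}" directive is duplicate', path, lineno))
        elif name in BITMASK:
            earlier = {v for occurrence in prior for v in occurrence}
            for v in values:
                if v in earlier:
                    findings.append(("warn", f'duplicate value "{v}"', path, lineno))
        prior.append(values)

    walk(root)
    return findings


def report(files):
    """Render findings the way nginx -t prints them."""
    return [f"nginx: [{lvl}] {msg} in {path}:{line}"
            for lvl, msg, path, line in check(files)]


# Constructed stand-in for the packaged nginx.conf, trimmed to the relevant lines.
_TEMPLATE = """\
user www-data;
events {{ worker_connections 768; }}
http {{
{ssl_defaults}    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}}
"""
PACKAGED_CONF = _TEMPLATE.format(
    ssl_defaults="    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE\n"
                 "    ssl_prefer_server_ciphers on;\n")
FIXED_CONF = _TEMPLATE.format(ssl_defaults="")  # the report's proposed fix: set neither

# The admin's override from step 3 of the report.
ADMIN_SNIPPET = "ssl_prefer_server_ciphers off;\nssl_protocols TLSv1.2 TLSv1.3;\n"

BROKEN = {"/etc/nginx/nginx.conf": PACKAGED_CONF, "/etc/nginx/conf.d/ssl.conf": ADMIN_SNIPPET}
FIXED = {"/etc/nginx/nginx.conf": FIXED_CONF, "/etc/nginx/conf.d/ssl.conf": ADMIN_SNIPPET}
# Same snippet inside its own server {}: a new context, so nginx sees no duplicate
# (the http-level defaults still apply to every other server block, though).
SCOPED = {"/etc/nginx/nginx.conf": PACKAGED_CONF,
          "/etc/nginx/conf.d/ssl.conf": "server {\n" + ADMIN_SNIPPET + "}\n"}

if __name__ == "__main__":
    for label, files in (("packaged", BROKEN), ("fixed", FIXED), ("scoped", SCOPED)):
        print(f"== {label} nginx.conf ==")
        print("\n".join(report(files)) or "no duplicate directives")
```

Running it prints the [emerg] for ssl_prefer_server_ciphers and both ssl_protocols [warn] lines for the packaged layout, nothing for the nginx.conf with the two directives removed, and nothing for the snippet wrapped in its own server {} block. The last case is the scoping rule behind the report: nginx only rejects a duplicate within the same block, so a conf.d snippet included into http {} collides with anything the package already set at that level.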