
Bug#982745: nginx-common: don't enable TLSv1 or TLSv1.1 in default configuration


didi....@cknow.org

Feb 13, 2021, 3:50:03 PM
Package: nginx-common
Version: 1.18.0-6
Severity: normal
Tags: security, patch
Forwarded: https://salsa.debian.org/nginx-team/nginx/-/merge_requests/7
X-Debbugs-Cc: Debian Security Team <te...@security.debian.org>

TLSv1.2 was defined in 2008, so I don't think it's too 'wild' to use that
as a default for security in the default configuration of nginx for Bullseye.
If a user must, they can still enable older TLS versions themselves.
But when upgrading nginx, I got asked to install a less secure version
(i.e. with TLSv1 and TLSv1.1).

Cheers,
Diederik

-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (990, 'testing'), (300, 'unstable')
Architecture: armhf (armv7l)

Kernel: Linux 4.9.0-6-rpi2 (SMP w/4 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nginx-common depends on:
ii debconf [debconf-2.0] 1.5.74
ii lsb-base 11.1.0

nginx-common recommends no packages.

Versions of packages nginx-common suggests:
pn fcgiwrap <none>
pn nginx-doc <none>
ii ssl-cert 1.1.0

-- Configuration Files:
/etc/nginx/nginx.conf changed:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}


-- debconf information:
nginx/log-symlinks:

Diederik de Haas

Apr 20, 2021, 7:20:03 AM
Control: severity -1 grave
Control: notforwarded -1

I did not get any response to my bug report which I tagged with 'security', so
I'm upping the severity and believe the Debian documentation justifies it.
https://www.debian.org/Bugs/Developer#severities says:
"Most security bugs should also be set at critical or grave severity."

Feel free to downgrade the severity if you don't agree this is a security or a
'grave' issue (which should be fixed before Bullseye is released).
But then I'll at least know someone has seen and evaluated the issue.

I've also cleared the 'forwarded' as it is not an upstream issue.
https://salsa.debian.org/nginx-team/nginx/-/merge_requests/7 still contains my
patch which fixes this issue by removing "TLSv1 TLSv1.1" from the
"ssl_protocols" setting in debian/conf/nginx.conf.

https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0 says:
"The PCI Council suggested that organizations migrate from TLS 1.0 to TLS 1.1
or higher before June 30, 2018. In October 2018, Apple, Google, Microsoft, and
Mozilla jointly announced they would deprecate TLS 1.0 and 1.1 in March 2020."
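The check this report implies, as an added example that is not part of the bug report or of the Debian nginx package: a small Python audit that parses an nginx configuration, strips comments, tracks block nesting, and flags every `ssl_protocols` directive that still lists SSLv3, TLSv1 or TLSv1.1. When no directive is present at all it reports the built-in default that applies instead; the value used for that (TLSv1 TLSv1.1 TLSv1.2 for nginx 1.18) is an assumption stated in the code. The two sample configurations, and the names `audit()` and `ssl_protocol_directives()`, are constructed for this example.

```python
import re
import sys

# Constructed sample input, shaped like the "SSL Settings" block of Debian's
# /etc/nginx/nginx.conf in the form the bug report objects to (TLSv1 and
# TLSv1.1 still enabled at http level, one server block overriding it).
WEAK_CONF = """\
http {
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    server {
        listen 443 ssl;
        ssl_protocols TLSv1.2 TLSv1.3;   # overrides the http-level setting
    }
}
"""

# The same stanza after the change the report asks for.
FIXED_CONF = WEAK_CONF.replace(
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", "ssl_protocols TLSv1.2 TLSv1.3;"
)

# Versions that should no longer be negotiated: SSLv3 (POODLE), TLS 1.0 and
# TLS 1.1 (deprecated by the browser vendors, formally by RFC 8996).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Assumption: the protocols nginx 1.18 uses when no ssl_protocols directive
# is configured anywhere (newer releases changed this default).
BUILTIN_DEFAULT = ("TLSv1", "TLSv1.1", "TLSv1.2")

DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);")
BLOCK_OPEN = re.compile(r"^\s*(\w+)[^{]*\{")


def ssl_protocol_directives(conf):
    """Yield (line_no, block_path, protocols) for each ssl_protocols directive.

    Comments are removed first so a commented-out directive is ignored;
    braces are counted so a finding names the block (http, http/server, ...)
    the directive actually lives in.
    """
    stack = []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0]
        m = DIRECTIVE.match(line)
        if m:
            yield no, "/".join(stack) or "main", tuple(m.group(1).split())
        # Update nesting after matching so the directive is reported in its own block.
        opener = BLOCK_OPEN.match(line)
        if opener:
            stack.append(opener.group(1))
        for _ in range(line.count("}")):
            if stack:
                stack.pop()


def audit(conf):
    """Return a list of finding strings; an empty list means nothing deprecated is enabled."""
    findings = []
    seen = False
    for no, block, protos in ssl_protocol_directives(conf):
        seen = True
        bad = [p for p in protos if p in DEPRECATED]
        if bad:
            findings.append(f"line {no} ({block}): ssl_protocols enables {' '.join(bad)}")
    if not seen and any(p in DEPRECATED for p in BUILTIN_DEFAULT):
        findings.append(
            "no ssl_protocols directive: built-in default "
            f"{' '.join(BUILTIN_DEFAULT)} applies (assumed for nginx 1.18)"
        )
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_ssl_protocols.py /etc/nginx/nginx.conf [more .conf files]
    paths = sys.argv[1:]
    confs = {p: open(p).read() for p in paths} if paths else {
        "WEAK_CONF": WEAK_CONF, "FIXED_CONF": FIXED_CONF}
    for name, text in confs.items():
        print(name, "->", audit(text) or "ok")
```

The audit is a static check of the files it is given; nginx also reads the files pulled in by `include`, so pass the vhost files under `/etc/nginx/sites-enabled/` and `/etc/nginx/conf.d/` as well, since a server block can re-enable a version the top-level setting dropped. After a reload, confirming that a handshake with `openssl s_client -connect host:443 -tls1` (and `-tls1_1`) is refused is the live counterpart of this check.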
