Will nginx be updated to include patches to handle TLSv1.3 during 18.04.x ?

Asked by Henry Baldursson on 2018-08-15

nginx already could have support for helpful features like modsecurity support and TLSv1.3, but for some reason bionic started off on an older version. I'd like both if at all possible, without having to maintain my own version or sourcebase

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu nginx Edit question
Assignee:
Thomas Ward Edit question
Solved by:
Thomas Ward
Solved:
2018-08-15
Last query:
2018-08-15
Last reply:
2018-08-15
Thomas Ward (teward) said : #1

For TLS 1.3 support we need newer SSL libraries than are actually present (we need the OpenSSL libraries that provide TLS 1.3 to do TLS 1.3).

To my knowledge this is not going to be done ar all for 18.04 because it is already released. By extension of this, 18.04 will not have TLS 1.3-capable NGINX.

Henry Baldursson (henrythor) said : #2

Ah too bad. That explains why nginx allows TLSv1.3 in the config but nothing happens.

Is there any chance the ngx_http_modsecurity_module.so plugin will make its way to Ubuntu in the nearterm?

I hesitate to install anything that won't receive USNs.

I guess for some apps I should rather focus on Apache until nginx-modsecurity makes its way into an LTS release.

Best Thomas Ward (teward) said : #3

If NGINX Mod Security is added, it's likely to not get regular updates because of the way that Ubuntu Versioning and 'new features' and such are handled.

Further, only the bits that're included in nginx-core (that is, patchable things for modules and code that are from nginx.org upstream and *not* Third Party Plugins) are what's covered under the USNs and Security Team patch work for security patches. The third party modules are not covered in 'main', they're considered to be in the Universe repository, and security issues in those are only patched as quickly as the community provides patches for them.

Thomas Ward (teward) said : #4

(However, as security patches are brought to my attention, I do usually work with the Security Team to get the non-core components updated where necessary for the NGINX package; however the third party modules' security 'tracking' is limited since some of the modules haven't changed in a long while)

Henry Baldursson (henrythor) said : #5

Thanks for the clarification!