Will nginx be updated to include patches to handle TLSv1.3 during 18.04.x?
nginx already could have support for helpful features like modsecurity support and TLSv1.3, but for some reason bionic started off on an older version. I'd like both if at all possible, without having to maintain my own version or source base.
Question information
- Language: English
- Status: Solved
- For: Ubuntu nginx
- Assignee: Thomas Ward
- Solved by: Thomas Ward
- Solved: 2018-08-15
- Last query: 2018-08-15
- Last reply: 2018-08-15
Thomas Ward (teward) said : | #1 |
For TLS 1.3 support we need newer SSL libraries than are actually present (we need the OpenSSL libraries that provide TLS 1.3 to do TLS 1.3).
To my knowledge this is not going to be done at all for 18.04 because it is already released. By extension of this, 18.04 will not have TLS 1.3-capable NGINX.
Henry Baldursson (henrythor) said : | #2 |
Ah too bad. That explains why nginx allows TLSv1.3 in the config but nothing happens.
Is there any chance the ngx_http_
I hesitate to install anything that won't receive USNs.
I guess for some apps I should rather focus on Apache until nginx-modsecurity makes its way into an LTS release.
| #3 |
If NGINX Mod Security is added, it's likely to not get regular updates because of the way that Ubuntu Versioning and 'new features' and such are handled.
Further, only the bits that're included in nginx-core (that is, patchable things for modules and code that are from nginx.org upstream and *not* Third Party Plugins) are what's covered under the USNs and Security Team patch work for security patches. The third party modules are not covered in 'main', they're considered to be in the Universe repository, and security issues in those are only patched as quickly as the community provides patches for them.
Thomas Ward (teward) said : | #4 |
(However, as security patches are brought to my attention, I do usually work with the Security Team to get the non-core components updated where necessary for the NGINX package; however the third party modules' security 'tracking' is limited since some of the modules haven't changed in a long while)
Henry Baldursson (henrythor) said : | #5 |
Thanks for the clarification!
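
Replies #1 and #2 describe nginx accepting `TLSv1.3` in its configuration while the linked OpenSSL cannot negotiate it. The following is an added example, not part of the original thread, that checks `nginx -V` output for that condition. The thresholds (nginx 1.13.0, OpenSSL 1.1.1) come from the nginx documentation for `ssl_protocols`, not from this page, and the sample outputs are constructed.

```bash
#!/usr/bin/env bash
# Added example: decide from `nginx -V` output whether "TLSv1.3" in
# ssl_protocols can take effect. Assumed thresholds (nginx docs): the
# parameter exists since nginx 1.13.0 and needs OpenSSL 1.1.1 or higher.

# True when version $1 >= version $2 (relies on GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Reads `nginx -V` text on stdin. Returns 0 if TLS 1.3 is possible,
# 1 if the setting would be silently ineffective, 2 on unparsable input.
tls13_capable() {
    local out nginx_ver ssl_ver
    out=$(cat)
    nginx_ver=$(printf '%s\n' "$out" |
        sed -n 's|^nginx version: [^/]*/\([0-9.]*\).*|\1|p')
    ssl_ver=$(printf '%s\n' "$out" |
        sed -n 's/^built with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p')
    if [ -z "$nginx_ver" ] || [ -z "$ssl_ver" ]; then
        echo "could not parse nginx -V output" >&2
        return 2
    fi
    if version_ge "$nginx_ver" 1.13.0 && version_ge "$ssl_ver" 1.1.1; then
        echo "nginx $nginx_ver / OpenSSL $ssl_ver: TLSv1.3 can be negotiated"
        return 0
    fi
    echo "nginx $nginx_ver / OpenSSL $ssl_ver: TLSv1.3 in ssl_protocols has no effect"
    return 1
}

# Constructed samples (not captured from a real host).
SAMPLE_OLD='nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.0g  2 Nov 2017
TLS SNI support enabled'
SAMPLE_NEW='nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f  31 Mar 2020
TLS SNI support enabled'

printf '%s\n' "$SAMPLE_OLD" | tls13_capable || true
printf '%s\n' "$SAMPLE_NEW" | tls13_capable || true
```

On a real host, pipe `nginx -V 2>&1` into `tls13_capable`, since nginx writes the version banner to stderr.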