FS#60409 - [nginx] disable TLS 1.3
Attached to Project:
Arch Linux
Opened by Sakuraba Amane (tobiichiamane) - Sunday, 14 October 2018, 17:53 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Wednesday, 28 November 2018, 10:27 GMT
Details
Description:
When building this version of nginx, openssl was still at 1.1.0 and didn't provide "SSL_OP_NO_TLSv1_3", thus resulting in TLS v1.3 not being disabled. But openssl is at 1.1.1 now, which enables TLS v1.3 by default if not disabled. Maybe it's time to rebuild the nginx package.

Additional info:
* package version(s): nginx 1.14.0-1
* config and/or log files etc.

Steps to reproduce: none.
Closed by Bartłomiej Piotrowski (Barthalion)
Wednesday, 28 November 2018, 10:27 GMT
Reason for closing: Fixed
Additional comments about closing: Package has been updated in November.
nginx is a web server, so I'd understand why this is tunable -- though I still wonder why it's a compile-time macro in order to enable the parsing of a config option. Seems sort of backward, which is why I initially closed the bug after asking if the reporter was able to disable it using the config key (maybe we had mixed signals when communicating).
The parsing of a config file option does not need that macro from openssl. Instead, in order to actually disable TLSv1.3, it needs to call

    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);

Notice that here SSL_OP_NO_TLSv1_3 is a C macro provided by openssl. When this macro is missing at compile time, the actual value of SSL_OP_NO_TLSv1_3 (which is 0x20000000U, by the way) is unknown. In the case of nginx, the code block that contains the previous function call will be left out of compilation. Other software might similarly ignore the parsed option to disable TLSv1.3, because it can't disable TLSv1.3 at runtime when it is compiled without this macro.
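The compile-time guard described in the comment above, as an added example that is neither nginx's nor OpenSSL's own code: the build either has the SSL_OP_NO_TLSv1_3 macro (OpenSSL 1.1.1 headers present when compiling) or it does not, and only in the first case can a parsed protocol list be turned into the option bit for SSL_CTX_set_options(). The function names (tls13_disable_supported, tls13_disable_bits, apply_ssl_protocols) are hypothetical; the example also chooses to reject the configuration with an error when TLS 1.3 cannot be disabled, instead of silently serving it as the comment describes.

```c
/* Added example, not nginx's or OpenSSL's code: why a parsed "ssl_protocols"
 * directive cannot disable TLS 1.3 when the build lacks SSL_OP_NO_TLSv1_3,
 * and how to fail loudly instead of silently leaving TLS 1.3 enabled.
 * Function names here are hypothetical; only the macro name and its value
 * (0x20000000U in OpenSSL 1.1.1) come from OpenSSL. */
#include <stdio.h>
#include <string.h>

/* Pull in OpenSSL's option macros when the headers are installed; the
 * example still compiles (and reports "unsupported") when they are not. */
#if defined(__has_include)
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>
#  endif
#endif

/* 1 if this build can disable TLS 1.3 at all; decided at compile time. */
int tls13_disable_supported(void)
{
#ifdef SSL_OP_NO_TLSv1_3
    return 1;
#else
    return 0;
#endif
}

/* The option bit SSL_CTX_set_options() needs, or 0 if the macro is absent. */
unsigned long tls13_disable_bits(void)
{
#ifdef SSL_OP_NO_TLSv1_3
    return (unsigned long)SSL_OP_NO_TLSv1_3;  /* 0x20000000U in OpenSSL 1.1.1 */
#else
    return 0UL;
#endif
}

/* Translate a space-separated protocol list (e.g. "TLSv1.2 TLSv1.3") into
 * the TLS 1.3 part of the option mask. Returns 0 on success with *options
 * holding the bits to OR into SSL_CTX_set_options(); returns -1 with a
 * message in err when the list excludes TLS 1.3 but the build cannot honour
 * that. Other protocol versions are out of scope for this example. */
int apply_ssl_protocols(const char *protocols, unsigned long *options,
                        char *err, size_t errlen)
{
    char buf[256];
    int want_tls13 = 0;

    *options = 0;
    err[0] = '\0';
    strncpy(buf, protocols, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    /* Tokenise so that "TLSv1.3" is matched as a whole word only. */
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t"))
        if (strcmp(tok, "TLSv1.3") == 0)
            want_tls13 = 1;

    if (want_tls13)
        return 0;                       /* TLS 1.3 stays enabled: nothing to do */

    if (!tls13_disable_supported()) {
        snprintf(err, errlen, "cannot disable TLSv1.3: built against an OpenSSL "
                 "without SSL_OP_NO_TLSv1_3; rebuild against >= 1.1.1");
        return -1;                      /* fail loudly rather than serve TLS 1.3 */
    }
    *options |= tls13_disable_bits();
    return 0;
}

int main(void)
{
    unsigned long opts;
    char err[160];

    if (apply_ssl_protocols("TLSv1.2", &opts, err, sizeof err) == 0)
        printf("ssl_protocols TLSv1.2 -> SSL_CTX_set_options(ctx, 0x%lx)\n", opts);
    else
        printf("config rejected: %s\n", err);
    return 0;
}
```

Compiled on a host with OpenSSL 1.1.1 headers, the program reports the 0x20000000 bit; compiled without them (the situation the bug describes for the old nginx build), it reports the rejection message. A server that instead drops the guarded block would accept the same directive and still negotiate TLS 1.3, which is what the reporter observed.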