Your message dated Fri, 23 Apr 2021 23:59:09 +0200
with message-id <2683380.8BCvkhrOSs@bagend>
and subject line Re: Bug#982745: nginx-common: don't enable TLSv1 or TLSv1.1 in default configuration
has caused the Debian Bug report #982745,
regarding nginx-common: don't enable TLSv1 or TLSv1.1 in default configuration
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
982745: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982745
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nginx-common
Version: 1.18.0-6
Severity: normal
Tags: security, patch
Forwarded: https://salsa.debian.org/nginx-team/nginx/-/merge_requests/7
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

TLSv1.2 was defined in 2008, so I don't think it's too 'wild' to use that
as a default for security in the default configuration of nginx for Bullseye.
If a user must, (s)he can still enable older TLS versions themselves.
But when upgrading nginx, I got asked to install a less secure version
(i.e. with TLSv1 and TLSv1.1).

Cheers,
  Diederik

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (300, 'unstable')
Architecture: armhf (armv7l)

Kernel: Linux 4.9.0-6-rpi2 (SMP w/4 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nginx-common depends on:
ii  debconf [debconf-2.0]  1.5.74
ii  lsb-base               11.1.0

nginx-common recommends no packages.

Versions of packages nginx-common suggests:
pn  fcgiwrap   <none>
pn  nginx-doc  <none>
ii  ssl-cert   1.1.0

-- Configuration Files:
/etc/nginx/nginx.conf changed:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
        worker_connections 768;
        # multi_accept on;
}
http {
        ##
        # Basic Settings
        ##
        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        ##
        # SSL Settings
        ##
        ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;
        ##
        # Logging Settings
        ##
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        ##
        # Gzip Settings
        ##
        gzip on;
        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
        ##
        # Virtual Host Configs
        ##
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


-- debconf information:
  nginx/log-symlinks:

--- End Message ---
--- Begin Message ---
On vrijdag 23 april 2021 23:24:26 CEST Chris Hofstaedtler wrote:
> I agree that suggesting better defaults would
> be preferable, but this is hardly an nginx-only problem, or would
> it make nginx unusable.

It turns out the default setting for nginx is "TLSv1, TLSv1.1, and TLSv1.2"
since version 1.9.1, so I'm closing the bug.
https://nginx.org/en/docs/http/configuring_https_servers.html#compatibility

I think it's a horribly insecure default, but it is the (upstream) default.



--- End Message ---
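The two messages above make one practical point for an administrator: TLSv1/TLSv1.1 stay enabled both when `ssl_protocols` lists them and when the directive is absent, because the upstream default since 1.9.1 includes them. The following shell script is an added example, not part of the bug report or the Debian package: it reports every active `ssl_protocols` directive in a config file, flags legacy protocols, and treats a missing directive as "upstream default applies". The sample configs are constructed; the hardened one copies the `ssl_protocols TLSv1.2 TLSv1.3;` line from the report, the weak one mirrors the less secure default the report describes.

```shell
#!/bin/sh
# Added example (not from the bug report or the Debian package): audit an
# nginx.conf for ssl_protocols settings that still enable TLSv1/TLSv1.1.
# A missing directive is flagged too, because from nginx 1.9.1 the upstream
# default is "TLSv1 TLSv1.1 TLSv1.2" (the point made when the bug was closed).

# Print the values of every active ssl_protocols directive in a file,
# ignoring commented-out lines; one line of values per directive.
effective_ssl_protocols() {
    sed 's/#.*$//' "$1" \
        | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
        | sed -E 's/^[[:space:]]*ssl_protocols[[:space:]]+//; s/;.*$//'
}

# Return 0 when only TLSv1.2/TLSv1.3 are enabled; return 1 (with a message)
# when a legacy protocol is enabled or when no directive is present.
check_tls_config() {
    protos=$(effective_ssl_protocols "$1")
    if [ -z "$protos" ]; then
        echo "$1: no ssl_protocols directive; upstream default enables TLSv1 and TLSv1.1"
        return 1
    fi
    weak=""
    for p in $protos; do                 # word-split across all directives found
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) weak="$weak $p" ;;
        esac
    done
    if [ -n "$weak" ]; then
        echo "$1: legacy protocol(s) enabled:$weak"
        return 1
    fi
    echo "$1: ok ($protos)"
    return 0
}

# Constructed sample configs: the less secure default the report describes,
# the hardened setting from the report's own nginx.conf, and a file whose
# only ssl_protocols line is commented out (so the upstream default applies).
demo_dir=$(mktemp -d)
printf 'http {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE\n}\n' \
    > "$demo_dir/weak.conf"
printf 'http {\n    ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE\n}\n' \
    > "$demo_dir/hardened.conf"
printf 'http {\n    # ssl_protocols TLSv1.2 TLSv1.3;\n}\n' > "$demo_dir/missing.conf"
for f in weak hardened missing; do
    check_tls_config "$demo_dir/$f.conf" || true
done
rm -rf "$demo_dir"
```

Run it against `/etc/nginx/nginx.conf` and each file under `sites-enabled/` after an upgrade; a non-zero exit from `check_tls_config` means the legacy protocols are still reachable.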
