[Pkg-nginx-maintainers] Bug#982745: nginx-common: don't enable TLSv1 or TLSv1.1 in default configuration

didi.debian at cknow.org didi.debian at cknow.org
Sat Feb 13 20:34:22 GMT 2021


Package: nginx-common
Version: 1.18.0-6
Severity: normal
Tags: security, patch
Forwarded: https://salsa.debian.org/nginx-team/nginx/-/merge_requests/7
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

TLSv1.2 was defined in 2008, so I don't think it's too 'wild' to use that
as a default for security in the default configuration of nginx for Bullseye.
If a user must, they can still enable older TLS versions themselves.
But when upgrading nginx, I got asked to install a less secure version
(i.e. with TLSv1 and TLSv1.1).

Cheers,
  Diederik

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (300, 'unstable')
Architecture: armhf (armv7l)

Kernel: Linux 4.9.0-6-rpi2 (SMP w/4 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nginx-common depends on:
ii  debconf [debconf-2.0]  1.5.74
ii  lsb-base               11.1.0

nginx-common recommends no packages.

Versions of packages nginx-common suggests:
pn  fcgiwrap   <none>
pn  nginx-doc  <none>
ii  ssl-cert   1.1.0

-- Configuration Files:
/etc/nginx/nginx.conf changed:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
	worker_connections 768;
	# multi_accept on;
}
http {
	##
	# Basic Settings
	##
	sendfile on;
	tcp_nopush on;
	types_hash_max_size 2048;
	# server_tokens off;
	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;
	include /etc/nginx/mime.types;
	default_type application/octet-stream;
	##
	# SSL Settings
	##
	ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;
	##
	# Logging Settings
	##
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;
	##
	# Gzip Settings
	##
	gzip on;
	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
	##
	# Virtual Host Configs
	##
	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


-- debconf information:
  nginx/log-symlinks:
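As an added example (not part of this report, the nginx project or the Debian package), a small Python lint that checks an nginx.conf for the ssl_protocols directive and flags deprecated versions by whole-token comparison, so TLSv1 is not mistaken for a prefix of TLSv1.2. The configuration strings are constructed, and the built-in default it assumes for a missing directive (TLSv1 TLSv1.1 TLSv1.2 for nginx 1.18) is taken from the nginx documentation of that era.

```python
"""Lint ssl_protocols directives in an nginx configuration (added example)."""
import re

# Versions considered deprecated: SSLv2/SSLv3, and TLS 1.0/1.1 (RFC 8996).
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumed built-in default for nginx 1.18 when no ssl_protocols directive
# appears anywhere in the configuration (nginx docs before 1.23.4).
NGINX_1_18_DEFAULT = ("TLSv1", "TLSv1.1", "TLSv1.2")

_DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);")


def strip_comments(line: str) -> str:
    """Drop a trailing '# ...' comment; '#' never occurs in protocol names."""
    return line.split("#", 1)[0]


def parse_ssl_protocols(conf: str) -> list:
    """Return (line_number, protocols) for every active ssl_protocols directive."""
    found = []
    for n, raw in enumerate(conf.splitlines(), 1):
        m = _DIRECTIVE.match(strip_comments(raw))
        if m:
            found.append((n, tuple(m.group(1).split())))
    return found


def weak_protocols(conf: str) -> list:
    """Report weak versions per directive using exact token comparison.

    A config with no directive at all is reported under line 0 with the
    assumed nginx 1.18 default, because silence re-enables TLSv1/TLSv1.1.
    """
    directives = parse_ssl_protocols(conf) or [(0, NGINX_1_18_DEFAULT)]
    return [(n, [p for p in protos if p in WEAK])
            for n, protos in directives if any(p in WEAK for p in protos)]


# Constructed samples: a config still listing TLSv1/TLSv1.1 (the situation
# the report describes), the hardened directive, and one with no directive.
OLD_CONF = "http {\n\tssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # ref: POODLE\n}\n"
HARDENED_CONF = "http {\n\tssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE\n}\n"
NO_DIRECTIVE_CONF = "http {\n\t# ssl_protocols TLSv1.2 TLSv1.3;  (commented out)\n}\n"

if __name__ == "__main__":
    for name, conf in (("old", OLD_CONF), ("hardened", HARDENED_CONF),
                       ("absent", NO_DIRECTIVE_CONF)):
        print(name, weak_protocols(conf))
```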


