OpenSSL 1.1.1 update in various repositories (apache2, nginx, php) #951

Closed
Ayesh opened this Issue Sep 24, 2018 · 30 comments

7 participants
Ayesh commented Sep 24, 2018

Hi there,
Thanks for your continuous efforts in bringing PHP and Apache builds.

I just wanted to know if there are any plans to release Apache/PHP builds with OpenSSL 1.1.1, which was released a couple weeks back. It adds TLS 1.3, which I'm eager to try out and I guess it's in the interests of many others too.

Thank you.

ahrasis commented Sep 24, 2018

I am also eager to try this out as well but mine is for Nginx which is currently using 1.1.0h of your ubuntu version. Hopefully, this can be updated to 1.1.1 soon.

Thank you.

Ayesh commented Sep 27, 2018

As for TLS 1.3, it doesn't look like Apache 2.4.35, at least, adds TLSv1.3 to the supported versions list, so you cannot actually enable it.

If you are interested in testing TLS 1.3 as a standalone server, openssl s_server will help you run one.
For Apache integration, you will have to compile Apache 2.5 with OpenSSL 1.1.1 at the time of writing.

Owner

oerdnj commented Oct 1, 2018

I would rather let the dust settle before rushing to change the default OpenSSL version. What about revisiting this after a month or two?

Ayesh commented Oct 1, 2018

Sounds good, @oerdnj. Thank you so much. Apache itself seems to be waiting a bit before backporting TLSv1.3 support from the 2.5 branch too, so this kind of goes along with it.

ahrasis commented Oct 2, 2018

Yes, we can wait. In any event, I already compiled and installed my own deb for openssl 1.1.1. Once yours are ready, I'll change to it.

Ayesh commented Oct 19, 2018

Apache 2.4.37 is released and now supports OpenSSL 1.1.1 and has TLSv1.3 support backported from trunk. It would be awesome to have them in cosmic releases as well, now that Ubuntu 18.10 is released. Cosmic already contains OpenSSL 1.1.1.

Ayesh commented Oct 19, 2018

@oerdnj perhaps it's a good time to build 2.4.37 with OpenSSL 1.1.1. What do you think?

swiffer commented Oct 22, 2018

excited to try that out 👍

Ayesh commented Oct 24, 2018

2.4.37 is now officially released (it was in the voting phase when I submitted my last commit). Really looking forward to this. Thanks.

derritter88 commented Oct 24, 2018

Ahoj Ondrej! I would also love to have the new Apache version compiled for Ubuntu 16.04. Cheers!

Ayesh changed the title from Builds with OpenSSL 1.1.1 to Apache2 2.4.37 builds with TLS 1.1.1 in Cosmic 18.10 Oct 25, 2018

Owner

oerdnj commented Oct 28, 2018

Try adding ppa:ondrej/apache2-qa on top of ppa:ondrej/apache2 for an OpenSSL 1.1.1 enabled build.

ahrasis commented Oct 28, 2018

I hope the same is built for nginx too. However, I noticed the title has just been changed to apache2, so should we open a new issue for nginx, or would that not be necessary?

Ayesh commented Oct 28, 2018

Thank you so much @oerdnj, it's working perfectly! Totally grateful for all these.

@ahrasis - If you are trying to get nginx to pull TLS 1.3, nginx 1.15 from the main nginx repo (and even Ubuntu cosmic sources) has it. For OpenSSL 1.1.1, you can add the apache-qa repo.
I wrote about Apache (compile yourself) and nginx (install from repo) here: https://ayesh.me/TLSv1.3-Apache-Nginx

Owner

oerdnj commented Oct 28, 2018

I will also prepare an nginx-qa repository when I have a continuous block of free time again. I would be interested in hearing the experiences of people upgrading from OpenSSL 1.1.0 to 1.1.1; that's the setup that would be most prone to failures...

oerdnj changed the title from Apache2 2.4.37 builds with TLS 1.1.1 in Cosmic 18.10 to OpenSSL 1.1.1 update in various repositories (apache2, nginx, php) Oct 28, 2018

Ayesh commented Oct 28, 2018

Thanks a lot! I was using OpenSSL 1.1.1 (was 1.1.0) since Oct 18 with Ubuntu 18.10, and had no problems so far. I don't use it anywhere other than Apache, nginx and PHP, so I don't suppose my feedback says that much.

ahrasis commented Oct 28, 2018

I am still using nginx 1.14 but with self-compiled OpenSSL 1.1.1. So far there is no problem, and it is good as I can already enable and use TLSv1.3.

nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.0g  2 Nov 2017 (running with OpenSSL 1.1.1  11 Sep 2018)

I hope to see and use a proper one from here soon.

Owner

oerdnj commented Oct 28, 2018

For nginx mainline try adding ppa:ondrej/nginx-qa on top of ppa:ondrej/nginx-mainline.

Ayesh commented Oct 28, 2018

I see Apache 2.4.37 and openssl 1.1.1 now in the main Apache repo. Thank you so much! For future Googlers, I have written a new post on how to enable TLS 1.3 in Apache: https://ayesh.me/TLSv1.3-Apache

Ayesh closed this Oct 28, 2018

oerdnj reopened this Oct 28, 2018

swiffer commented Oct 29, 2018

Hey @Ayesh,

I read your article.
I think configuring the cipher suite works by calling

SSLCipherSuite TLSv1.3  TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

see: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite
At least for me this works fine ;-)

Ayesh commented Oct 29, 2018

Thanks @swiffer - I updated the post 👍.

ahrasis commented Oct 30, 2018

For nginx mainline try adding ppa:ondrej/nginx-qa on top of ppa:ondrej/nginx-mainline.

Since I was using the default Ubuntu 18.04 Nginx 1.14, I had to remove it first before reinstalling nginx. Now it displays:

nginx version: nginx/1.15.5
built with OpenSSL 1.1.0h  27 Mar 2018 (running with OpenSSL 1.1.1  11 Sep 2018)

TLSv1.3 works on all websites after I add it to their nginx conf / vhost files ssl_protocols with TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256 as its ssl_ciphers.

Owner

oerdnj commented Nov 4, 2018

OpenSSL 1.1.1 has been uploaded to apache2, php, nginx and nginx-stable repositories.

oerdnj closed this Nov 4, 2018

yura3d commented Dec 18, 2018

What is the version of OpenSSL used to build nginx? Because since 1.15.6 and 1.14.2 it's not enough to have OpenSSL 1.1.1 installed to use TLS 1.3; nginx must be built with it. I got proof here, as an answer to my question from one of the nginx contributors: https://trac.nginx.org/nginx/ticket/1654#comment:9

ahrasis commented Dec 18, 2018

Check your ciphers. It works well for most of us.

yura3d commented Dec 18, 2018

Thanks, of course, I checked the ciphers twice. And only after rebuilding nginx from sources manually with OpenSSL 1.1.1 did I get TLS 1.3 support (with the same ciphers and other config).

If you installed nginx from the @oerdnj repo, can you provide your "nginx -V" output please?

ahrasis commented Dec 18, 2018

My post was just before ondrej's, above yours.

kevin-olbrich commented Dec 18, 2018

I had the same problem because I was using "nginx" from the mainline repo at nginx.org.
While it has TLS 1.3 support, it was not compiled against a capable OpenSSL.
After switching to "nginx-full" which is superseded by sury.org repo, TLS 1.3 works perfectly fine.

ahrasis commented Dec 18, 2018

Right but I think that should be understood from the very beginning.

kevin-olbrich commented Dec 18, 2018

Maybe I missed it, but the docs tell me that nginx supports TLS 1.3 when a capable version of OpenSSL is installed.
This is not the case. It needs to be compiled against it to work.
In the past, patching OpenSSL was sufficient to e.g. protect other applications. This is why I thought replacing the lib would make TLS 1.3 work.
This might be a similar case for @yura3d, as he also mentions that after compiling from sources, it worked.

Owner

oerdnj commented Dec 18, 2018

I will be updating both the stable and mainline nginx this week, but I am pretty sure the nginx in my repositories was compiled with OpenSSL 1.1.1.
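The recurring confusion in this thread is the "built with OpenSSL X (running with OpenSSL Y)" line of `nginx -V`: TLS 1.3 needs the build-time version to be 1.1.1 or newer, and a newer runtime libssl alone does not help. The following POSIX shell check, added here as an example and not part of the thread or of any of the repositories discussed, classifies that line so the mismatch is caught before ciphers or `ssl_protocols` are blamed; the sample lines are constructed to match the shape of the outputs posted above.

```shell
#!/bin/sh
# Added example: classify the "built with OpenSSL ..." line that `nginx -V` prints.
# nginx negotiates TLS 1.3 only when it was COMPILED against OpenSSL >= 1.1.1;
# loading a newer libssl at runtime (the "running with" part) is not enough.
# Constructed sample lines, shaped like the outputs quoted in the thread:
SAMPLE_OLD_BUILD='built with OpenSSL 1.1.0h  27 Mar 2018 (running with OpenSSL 1.1.1  11 Sep 2018)'
SAMPLE_GOOD_BUILD='built with OpenSSL 1.1.1  11 Sep 2018'

# version_ge A B: true when dotted version A >= B. Trailing patch letters
# (1.1.0h) are dropped; only the numeric fields are compared.
version_ge() {
    a="$(printf '%s' "$1" | sed 's/[^0-9.].*$//')"
    b="$(printf '%s' "$2" | sed 's/[^0-9.].*$//')"
    [ "$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$b" ]
}

# tls13_build_status LINE: prints exactly one word describing LINE:
#   ok              built against OpenSSL >= 1.1.1, so TLS 1.3 can be enabled
#   rebuild-needed  built against an older OpenSSL; a newer runtime libssl
#                   (if any) does not change this, nginx must be rebuilt
#   unknown         LINE is not the "built with OpenSSL" line of `nginx -V`
tls13_build_status() {
    built="$(printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')"
    if [ -z "$built" ]; then
        echo unknown
        return 0
    fi
    if version_ge "$built" 1.1.1; then
        echo ok
    else
        echo rebuild-needed
    fi
}

# Real-world use: nginx -V writes to stderr, so redirect it and keep the one line.
# tls13_build_status "$(nginx -V 2>&1 | grep '^built with OpenSSL')"
tls13_build_status "$SAMPLE_OLD_BUILD"    # rebuild-needed
tls13_build_status "$SAMPLE_GOOD_BUILD"   # ok
```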
