TLS 1.3 support in nginx-1.17.1 binary for Ubuntu 18.04 "bionic" provided by nginx.org

Konstantin Pavlov thresh at nginx.com
Tue Jul 9 10:35:59 UTC 2019 

Hi Zeev,

03.07.2019 18:49, Zeev Tarantov wrote:
> I've installed the nginx package provided by nginx.org
> <http://nginx.org> (https://nginx.org/en/linux_packages.html#Ubuntu)
> specifically the binary provided by 
> https://nginx.org/packages/mainline/ubuntu/pool/nginx/n/nginx/nginx_1.17.1-1~bionic_amd64.deb
> and it doesn't have TLS 1.3 support.
> According to
> https://mailman.nginx.org/pipermail/nginx/2019-January/057402.html this
> would be because it was built on an Ubuntu 18.04 "bionic" that was not
> fully updated.
> Ubuntu 18.04 "bionic" switched from openssl 1.1.0 to openssl 1.1.1
> recently and I hoped the newer releases would be compiled with openssl
> 1.1.1 and support TLS 1.3.
> When I build that package myself (using apt-get source nginx ; cd
> nginx-1.17.1/ ; debuild -i -us -uc -b) on a fully updated Ubuntu 18.04
> "bionic", it does support TLS 1.3.
> I ask that the build environment is set up such that the next release
> will support TLS 1.3, or better yet, that 1.16.0 and 1.17.1 packages for
> Ubuntu 18.04 "bionic" are updated to include TLS 1.3 support.
> Unless such packages won't work on a non-updated Ubuntu 18.04 system? (Why?)
> Or does anyone know of a workaround that does not involve building the
> packages myself?


Thanks for the heads up on the openssl version change in 18.04 - it
definitely is on our roadmap to provide prebuilt packages based on
openssl 1.1.1!

Indeed, new packages built with openssl 1.1.1 will not work on the older
Ubuntu 18.04 point releases (non-updated), so this means the users will
have to update when they update nginx.

We definitely will not be changing the already released binaries, as
this is likely to break existing setups that rely on the specific
environments.  The next nginx release however will be built using the
newer Ubuntu 18.04 base with openssl 1.1.1.  There's no ETA for it yet
as far as I can tell.

Thanks,

-- 
Konstantin Pavlov
https://www.nginx.com/

More information about the nginx mailing list