From 92c8aa9b6c540f7cfcd61344c21d843f1597891f Mon Sep 17 00:00:00 2001
From: ohemorange
Date: Tue, 12 Aug 2025 10:54:46 -0700
Subject: [PATCH] Add note and warning about old nginx ssl options not receiving updates (#10410)
This PR is modeled on https://github.com/certbot/certbot/pull/10373/, and is part of https://github.com/certbot/certbot/issues/10183. relevant requirements: use_tls13 >= 1.13.0 session_tix_off implemented: nginx >= 1.5.9 and openssl_version >= 1.0.2l session tix off by default: >= 1.23.2 oldest non-deprecated major distros nginx versions: debian 11 1.18.0 epel 8 1.23.1 ubuntu 22.04 1.18.0 Therefore, we can stop testing for use tls 13 and session tix off allowed, with the same caveat as [in this comment](https://github.com/certbot/certbot/pull/10373#issuecomment-3134101604). While we could add a new split for configs that don't require session tickets off to be set explicitly since it's the default, I don't think it's worth doing now. I added a note in the comments about this.
---------
Co-authored-by: Brad Warren
---
 .../src/certbot_nginx/_internal/configurator.py | 15 +++++++++++++++
 .../src/certbot_nginx/_internal/constants.py | 3 +++
 .../tls_configs/options-ssl-nginx-old.conf | 4 ++++
 .../tls_configs/options-ssl-nginx-tls12-only.conf | 4 ++++
 .../options-ssl-nginx-tls13-session-tix-on.conf | 4 ++++
 5 files changed, 30 insertions(+)
diff --git a/certbot-nginx/src/certbot_nginx/_internal/configurator.py b/certbot-nginx/src/certbot_nginx/_internal/configurator.py
index 5bb5aa152..d3b9a747c 100644
--- a/certbot-nginx/src/certbot_nginx/_internal/configurator.py
+++ b/certbot-nginx/src/certbot_nginx/_internal/configurator.py
@@ -149,15 +149,24 @@ class NginxConfigurator(common.Configurator):
 # many versions of OpenSSL. So we have to check both for the two different features,
 # leading to four different combinations of options.
 # For a complete history, check out https://github.com/certbot/certbot/issues/7322
+ #
+ # Technically, nginx >= 1.23.2 has session tickets off by default, and therefore
+ # no longer needs it explicitly set. But since older versions than that are still
+ # around in the oldest non-deprecated rhel, debian, and ubuntu, we will keep explicitly
+ # setting it for now to reduce complexity.
 use_tls13 = self.version >= (1, 13, 0)
 min_openssl_version = util.parse_loose_version('1.0.2l')
 session_tix_off = self.version >= (1, 5, 9) and self.openssl_version and\
 util.parse_loose_version(self.openssl_version) >= min_openssl_version
+ deprecated_conf = True
+
 if use_tls13:
 if session_tix_off:
+ # current version
 config_filename = "options-ssl-nginx.conf"
+ deprecated_conf = False
 else:
 config_filename = "options-ssl-nginx-tls13-session-tix-on.conf"
 else:
@@ -166,6 +175,12 @@ class NginxConfigurator(common.Configurator):
 else:
 config_filename = "options-ssl-nginx-old.conf"
+ if deprecated_conf:
+ logger.warning('Certbot has detected that nginx version < 1.13.0 or compiled against ' 'openssl < 1.0.2l. Since these are deprecated, the configuration file being ' 'installed at %s will not receive future updates. To get the latest configuration ' 'version, update nginx.', self.mod_ssl_conf)
+
 file_manager = ExitStack()
 atexit.register(file_manager.close)
 ref = (importlib.resources.files("certbot_nginx").joinpath("_internal")
diff --git a/certbot-nginx/src/certbot_nginx/_internal/constants.py b/certbot-nginx/src/certbot_nginx/_internal/constants.py
index 101fe5f4c..57bf55fad 100644
--- a/certbot-nginx/src/certbot_nginx/_internal/constants.py
+++ b/certbot-nginx/src/certbot_nginx/_internal/constants.py
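Review bot: `deprecated_conf` is left True whenever `session_tix_off` is falsy, and that expression is falsy not only for OpenSSL < 1.0.2l but also when `self.openssl_version` is unset (the `and self.openssl_version` short-circuit), so a host whose OpenSSL version simply could not be detected is reported by the warning in the next hunk as running a deprecated build. Naming that case keeps the diagnosis honest, e.g. `openssl_unknown = not self.openssl_version` next to `deprecated_conf = True`, with the warning text then distinguishing "too old" from "not detected". The `# current version` comment would also carry more weight as `# The only options file still receiving updates; every other branch below is frozen.`. The enclosing method begins and ends outside this hunk.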
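Review bot: The warning states the two thresholds but not the values Certbot actually detected, so a log reader cannot tell whether the nginx version, the OpenSSL version, or a failed OpenSSL detection triggered it; appending the detected values, e.g. `'version, update nginx. Detected nginx %s, OpenSSL %s.',` followed by `self.mod_ssl_conf, self.version, self.openssl_version)`, makes the message actionable (`self.version` is a tuple and will print as one). The enclosing method begins outside the hunk, so I cannot see how often this path runs; if it is evaluated more than once per invocation the warning will repeat each time, which argues for emitting it from the install step rather than from the filename selection.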
@@ -53,6 +53,9 @@ ALL_SSL_OPTIONS_HASHES = [
 'f5615544105c4eee44f02a604e3e9ae55b3d5bad247160bb18731a0ac531af02',
 '05a799c4db12f8e15e68219c98056824cbd5ae7b05863225318ae112f343880b',
 'dc81acfd9670f137d5abbccfe3438d9306d4b6a906439b0fbf6a6756272e7cc7',
+ '0175f71721dd8e5315a6d0f3efef703ff54e867d1ab2a4e076791b89a0b3511a',
+ '246b520bedc461fcbd35f4d3efdd75ebf171baccaba5c38f488009566de6d5b3',
+ 'dd72286f760c90550f34fbeeceb5a1f1351b09b812e65a18569a0f4a4d7f5847',
 ]
 """SHA256 hashes of the contents of all versions of MOD_SSL_CONF_SRC"""
diff --git a/certbot-nginx/src/certbot_nginx/_internal/tls_configs/options-ssl-nginx-old.conf b/certbot-nginx/src/certbot_nginx/_internal/tls_configs/options-ssl-nginx-old.conf
index 48957f64a..fef6f1252 100644
--- a/certbot-nginx/src/certbot_nginx/_internal/tls_configs/options-ssl-nginx-old.conf
+++ b/certbot-nginx/src/certbot_nginx/_internal/tls_configs/options-ssl-nginx-old.conf
@@ -3,6 +3,10 @@
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
 # this file. Contents are based on https://ssl-config.mozilla.org
+ #
+ # This file is installed when nginx < 1.13.0 or compiled against openssl < 1.0.2l. Since these
+ # are deprecated, it is no longer receiving updates. To get the latest configuration
+ # version, update nginx.
 ssl_session_cache shared:le_nginx_SSL:10m;
 ssl_session_timeout 1440m;
diff --git a/certbot-nginx/src/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls12-only.conf b/certbot-nginx/src/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls12-only.conf
index 00ef6f3f5..a4f304302 100644
--- a/certbot-nginx/src/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls12-only.conf
+++ b/certbot-nginx/src/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls12-only.conf
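Review bot: The three new entries, like the earlier ones, carry nothing that ties a hash to the options file or change it was computed from, although the list is (per its docstring) the set of every shipped version of MOD_SSL_CONF_SRC and presumably what Certbot consults before deciding an installed options file is unmodified and may be overwritten — so a mistyped or stale entry silently changes which user files are treated as Certbot-managed. A trailing comment per entry, e.g. `'0175f71721dd8e5315a6d0f3efef703ff54e867d1ab2a4e076791b89a0b3511a',  # <options file name>, #10410`, would let a maintainer recompute and verify each hash against the committed file. The list begins outside the hunk.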
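Review bot: The added sentence, repeated verbatim in the tls12-only and tls13-session-tix-on hunks on the next line, is only true as a disjunction and its remedy fits only this file: per the selection logic in configurator.py, options-ssl-nginx-tls13-session-tix-on.conf is chosen for nginx >= 1.13.0 whose OpenSSL is older than 1.0.2l (or not detected), where updating nginx alone need not change the outcome, and options-ssl-nginx-tls12-only.conf for nginx < 1.13.0 with OpenSSL >= 1.0.2l. Each file should state its own condition; for this one `# This file is installed when nginx < 1.13.0 and its OpenSSL is older than 1.0.2l (or its version could not be determined).`, and for the tls13 variant the remedy should read `update the OpenSSL that nginx is built against`. The file's header comment begins before the hunk.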
@@ -3,6 +3,10 @@
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
 # this file. Contents are based on https://ssl-config.mozilla.org
+ #
+ # This file is installed when nginx < 1.13.0 or compiled against openssl < 1.0.2l. Since these
+ # are deprecated, it is no longer receiving updates. To get the latest configuration
+ # version, update nginx.
 ssl_session_cache shared:le_nginx_SSL:10m;
 ssl_session_timeout 1440m;
diff --git a/certbot-nginx/src/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls13-session-tix-on.conf b/certbot-nginx/src/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls13-session-tix-on.conf
index 917fef496..3c1f39959 100644
--- a/certbot-nginx/src/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls13-session-tix-on.conf
+++ b/certbot-nginx/src/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls13-session-tix-on.conf
@@ -3,6 +3,10 @@
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
 # this file. Contents are based on https://ssl-config.mozilla.org
+ #
+ # This file is installed when nginx < 1.13.0 or compiled against openssl < 1.0.2l. Since these
+ # are deprecated, it is no longer receiving updates. To get the latest configuration
+ # version, update nginx.
 ssl_session_cache shared:le_nginx_SSL:10m;
 ssl_session_timeout 1440m;