[Pkg-nginx-maintainers] Bug#944006: nginx-extras missing TLS1.3

Florent CARRÉ colundrum at gmail.com
Tue Nov 5 20:09:08 GMT 2019


Hi,

I use nginx-extras from buster (Debian official repository)

nginx version: nginx/1.14.2
built with OpenSSL 1.1.1c  28 May 2019 (running with OpenSSL 1.1.1d 10 Sep 2019)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2
-fdebug-prefix-map=/build/nginx-tBUzFN/nginx-1.14.2=.
-fstack-protector-strong -Wformat -Werror=format-security -fPIC
-Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro
-Wl,-z,now -fPIC' --prefix=/usr/share/nginx
--conf-path=/etc/nginx/nginx.conf
--http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log
--lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid
--modules-path=/usr/lib/nginx/modules
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug
--with-pcre-jit --with-http_ssl_module --with-http_stub_status_module
--with-http_realip_module --with-http_auth_request_module
--with-http_v2_module --with-http_dav_module --with-http_slice_module
--with-threads --with-http_addition_module --with-http_flv_module
--with-http_geoip_module=dynamic --with-http_gunzip_module
--with-http_gzip_static_module --with-http_image_filter_module=dynamic
--with-http_mp4_module --with-http_perl_module=dynamic
--with-http_random_index_module --with-http_secure_link_module
--with-http_sub_module --with-http_xslt_module=dynamic
--with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic
--with-stream_ssl_module --with-stream_ssl_preread_module
--add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-headers-more-filter
--add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-auth-pam
--add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-cache-purge
--add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-dav-ext
--add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-ndk
--add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-echo
--add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-fancyindex
--add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/nchan
--add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-lua
--add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/rtmp
--add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-uploadprogress
--add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-upstream-fair
--add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-subs-filter

On Tue, Nov 5, 2019 at 14:46, Thomas Ward <teward at ubuntu.com> wrote:
>
> Can you include the output of `nginx -V` please as well?  Part of TLS support is having a version of NGINX that is compiled against an OpenSSL in the repositories for the version of Debian you're using which supports TLS1.3, but that may not be the case in all releases of Debian.
>
>
> Thomas
>
>
> On 11/2/19 1:15 PM, Florent CARRÉ wrote:
>
> Package: nginx-extras
> Version: 1.14.2-2+deb10u1
>
> When I modify to have exclusively TLS1.2 and TLS1.3, just TLS1.2 is available.
>
> Steps to reproduce:
> - switch to ssl_protocols TLSv1.2 TLSv1.3
> - restart nginx
> - curl -v --tlsv1.3 mydomain.com
>
> I obtain:
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS alert, protocol version (582):
> * error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
> * Closing connection 0
> curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
>
> And it's available in openssl: openssl ciphers -v | grep " TLSv1\.3 "
> TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
> TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
> TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
>
> Regards
>

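The build-time dependency Thomas describes in the quoted reply can be checked mechanically from the `nginx -V` version lines. The script below is an added example, not part of the original thread: the function names and verdict strings are made up here, and the thresholds (nginx 1.13.0, OpenSSL 1.1.1) are the ones the nginx documentation gives for the `TLSv1.3` parameter of `ssl_protocols`.

```shell
#!/bin/sh
# Added example (not from the thread): TLS 1.3 prerequisite check on `nginx -V` text.
# Thresholds: ssl_protocols accepts TLSv1.3 from nginx 1.13.0, and only with OpenSSL >= 1.1.1.

# ver_ge A B: true when dotted version A >= B; letter suffixes ("1.1.1c") are ignored.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = x[i] + 0; q = y[i] + 0
            if (p != q) exit !(p > q)
        }
        exit 0
    }'
}

# tls13_check: reads `nginx -V` output on stdin, prints one verdict word.
tls13_check() {
    out=$(cat)
    nginx_v=$(printf '%s\n' "$out" | sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p')
    built=$(printf '%s\n' "$out" | sed -n 's/^built with OpenSSL \([0-9.]*[a-z]*\).*/\1/p')
    running=$(printf '%s\n' "$out" | sed -n 's/.*(running with OpenSSL \([0-9.]*[a-z]*\).*/\1/p')
    # nginx prints "(running with ...)" only when the loaded library differs from the build one.
    [ -n "$running" ] || running=$built
    if [ -z "$nginx_v" ] || [ -z "$built" ]; then echo unknown; return 2; fi
    if ! ver_ge "$nginx_v" 1.13.0; then echo nginx-too-old; return 1; fi
    if ! ver_ge "$built" 1.1.1; then echo built-openssl-too-old; return 1; fi
    if ! ver_ge "$running" 1.1.1; then echo runtime-openssl-too-old; return 1; fi
    echo prerequisites-met
}

# Version lines as posted in this message (wrapped line rejoined).
sample_posted() {
    printf '%s\n' 'nginx version: nginx/1.14.2' \
        'built with OpenSSL 1.1.1c  28 May 2019 (running with OpenSSL 1.1.1d 10 Sep 2019)'
}

# Constructed sample: a build linked against an OpenSSL without TLS 1.3.
sample_old() {
    printf '%s\n' 'nginx version: nginx/1.14.2' 'built with OpenSSL 1.1.0l  10 Sep 2019'
}

sample_posted | tls13_check
sample_old | tls13_check || true
# Live use: nginx -V 2>&1 | tls13_check
```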

