OpenSSL 1.1.1 might give you a headache if you still use TLSv1.0 and the like. Debian has quite high security standards, and with OpenSSL 1.1.1 this might affect you: you may get messages about keys of less than 112 bits being an issue, and things might stop working.
TLDR; The Quick 5 min solution
Add the Nginx repo (/etc/apt/sources.list.d/nginx.list)
deb http://nginx.org/packages/debian/ stretch nginx
deb-src http://nginx.org/packages/debian/ stretch nginx
You might, like me, run into a "dependency missing: dh-systemd" message:
apt-get install dh-systemd
Add the sid/unstable repo to /etc/apt/sources.list
deb http://deb.debian.org/debian unstable main
Then make sure you have some clean location...
mkdir /usr/local/src -p && cd /usr/local/src
curl -O https://nginx.org/keys/nginx_signing.key && apt-key add ./nginx_signing.key
apt-get update
apt-get install openssl libssl-dev -t unstable -y
apt-get source nginx
tar xf nginx*.gz
cd nginx-*
tar xf ../nginx*.xz
Now we most likely need a quick and dirty workaround to ignore missing shared-library dependency info for nginx_dbg. Edit the debian/rules file and change the dh_shlibdeps line:
dh_shlibdeps -a --dpkg-shlibdeps-params=--ignore-missing-info
Also, in the same file, add the following after compile flags CFLAGS=
...--with-ld-opt="$(LDFLAGS)"
--with-openssl-opt=enable-tls1_3
Since we use the normal release and no dev-source, we don't need to specify --with-openssl=<dir-to-source-openssl>
... Aaaand let's continue!
debuild -uc -us
cd ..
sudo dpkg -i nginx_*.deb
Clean up and don't forget to pin the package(s)!
Package: nginx*
Pin: release *
Pin-Priority: -1
The results
angelique@dawnbringer:/usr/local/src$ nginx -V
nginx version: nginx/1.15.3
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/usr/local/src/nginx-1.15.3=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
angelique@dawnbringer:/usr/local/src$ openssl version
OpenSSL 1.1.1 11 Sep 2018
Please be aware that the names of the TLSv1.3 ciphers changed between the pre-release and the release. They are no longer prefixed with TLS13.
angelique@dawnbringer:/usr/local/src$ openssl ciphers -s -v | grep 1.3
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
Also note they are written with an _ instead of a -. For now I am adding the following line to my NGINX config, and I will wait and see when and if this changes and where the rest of the support comes from.
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256 #more...
As per OpenSSL's blog, they wrote:
OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:
TLS13-AES-256-GCM-SHA384
TLS13-CHACHA20-POLY1305-SHA256
TLS13-AES-128-GCM-SHA256
TLS13-AES-128-CCM-8-SHA256
TLS13-AES-128-CCM-SHA256
This seems not to be the case anymore. This was only the case in the drafts!
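The rename described above can be checked mechanically. The following is an added example, not code from the original post: it classifies each entry of a colon-separated cipher string as a final TLS 1.3 name, a spelling that needs renaming, or something else, using the ssl_ciphers value from this page as input. The function names are made up for this illustration, and the five final names are the RFC 8446 suite names.

```shell
#!/bin/sh
# Added example: normalize TLS 1.3 suite names found in a cipher string.
# Final names per RFC 8446, as printed by the release "openssl ciphers".
FINAL_TLS13="TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256"

# The ssl_ciphers value from this page (without the elided remainder).
PAGE_LIST="TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256"

# normalize_tls13 NAME: print the final name when NAME is a final, TLS13-
# or hyphenated spelling of a TLS 1.3 suite; return 1 for anything else.
normalize_tls13() {
    cand=$(printf '%s' "$1" | sed -e 's/^TLS13-/TLS_/' -e 's/-/_/g')
    for s in $FINAL_TLS13; do
        if [ "$cand" = "$s" ]; then printf '%s\n' "$s"; return 0; fi
    done
    return 1
}

# audit_cipher_list LIST: one verdict per colon-separated entry.
audit_cipher_list() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r tok; do
        [ -n "$tok" ] || continue
        if final=$(normalize_tls13 "$tok"); then
            if [ "$tok" = "$final" ]; then echo "final $tok"
            else echo "rename $tok -> $final"; fi
        else
            echo "other $tok"   # TLS 1.2-and-below cipher name, or a typo
        fi
    done
}

# final_suites LIST: de-duplicated final TLS 1.3 names, in first-seen order.
final_suites() {
    out=""
    for tok in $(printf '%s' "$1" | tr ':' ' '); do
        f=$(normalize_tls13 "$tok") || continue
        case ":$out:" in *":$f:"*) ;; *) out="${out:+$out:}$f" ;; esac
    done
    printf '%s\n' "$out"
}

audit_cipher_list "$PAGE_LIST"
final_suites "$PAGE_LIST"
```

OpenSSL 1.1.1 keeps the TLSv1.3 suites in a list separate from the TLSv1.2-and-below cipher string (-ciphersuites on the command line, SSL_CTX_set_ciphersuites() in the API), so compare the result with what openssl ciphers -s -v prints on the build host.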
Browsers and SSLLabs only seem to have implemented the drafts and not "the official" releases. It will take some time for these to end up in the final version but until then, your installation is ready! If you want to go back, you can install 1.1.1 pre 8 or pre 9 instead! Don't forget to add the --with-openssl=<dir> flag!
Testing
angelique@dawnbringer:/usr/local/src$ openssl s_client -connect techshift.eu:443 -tls1_3
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = techshift.eu
verify return:1
---
Certificate chain
 0 s:CN = techshift.eu
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = techshift.eu
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: ECDH, P-521, 521 bits
---
SSL handshake has read 3231 bytes and written 653 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 443700F72CBFFDD349558391FXDD48F2483X9A1930FC2BC6XF6565F9X57FC24E
    Session-ID-ctx:
    Resumption PSK: 9C9D26AA675A1999C9A1250ED1A64DAX84D462499A2B3049EFDDE484902E0AD52E044764EEB2D2A6A1137C9129B06B1A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1337412288
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 9EXFBFXBA06E831987DF4X79D771C85AAF9719XD0FE71C90B6C5XF6EFFAEX906
    Session-ID-ctx:
    Resumption PSK: 4C51017XD298XC21EAX1BC3421X8X81D7A1ECEDCBX4B2804C3F70XE60C4B03822C07960B7DF8567DA5991FDFBD6C45B7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1537432288
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
The important lines are the TLS sessions, and as you can see, they are TLS1.3 sessions. Now of course you are not using TLS1.3 in the browser yet, since browsers are most likely still using draft versions... Or OpenSSL's implementation is very wrong, which also might be the case... But at least you are done for today, and it should work with upcoming releases out of the box... At least the site is reachable again and you don't have cipher mismatches anymore.
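To turn the manual inspection above into a repeatable check, the added example below (not part of the original post) reads s_client output on stdin and succeeds only for a verified TLSv1.3 handshake whose suite uses the final TLS_ spelling. The sample outputs are constructed, and the function name check_tls13 is an assumption of this example.

```shell
#!/bin/sh
# Constructed samples, shaped like the s_client summary lines shown on this page.
SAMPLE_OK='CONNECTED(00000005)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
Verify return code: 0 (ok)
---'
SAMPLE_OLD='CONNECTED(00000005)
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Verify return code: 0 (ok)
---'

# check_tls13: read s_client output on stdin and print "protocol cipher verify=...".
# Exit 0: verified TLSv1.3 session with a final-style suite name.
# Exit 1: handshake completed but a requirement is not met.
# Exit 2: no handshake summary found at all.
check_tls13() {
    awk '
        /^(New|Reused), / {      # e.g. "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384"
            split($0, part, ", ")
            proto = part[2]; cipher = part[3]; sub(/^Cipher is /, "", cipher)
        }
        # The line repeats once per session ticket; any non-zero code fails.
        /Verify return code:/ { seen = 1; if ($4 != "0") bad = 1 }
        END {
            if (proto == "" || proto == "(NONE)") { print "no handshake"; exit 2 }
            verdict = (seen && !bad) ? "ok" : "failed"
            print proto, cipher, "verify=" verdict
            exit !(proto == "TLSv1.3" && verdict == "ok" && cipher ~ /^TLS_/)
        }'
}

# Live use, with the command from this page:
#   openssl s_client -connect techshift.eu:443 -tls1_3 </dev/null 2>/dev/null | check_tls13
printf '%s\n' "$SAMPLE_OK"  | check_tls13 || echo "FAIL: not a verified TLSv1.3 session"
printf '%s\n' "$SAMPLE_OLD" | check_tls13 || echo "FAIL: not a verified TLSv1.3 session"
```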