Package: nginx-light
Version: 1.14.2-2
Severity: important

Dear Maintainer,

citing the original report from Adam Langley of Google:

"KeyUpdate messages are a feature of TLS 1.3 that allows the symmetric keys
of a connection to be periodically rotated. It's mandatory-to-implement in
TLS 1.3, but not mandatory to use. Google Chrome tried enabling KeyUpdate
and promptly broke several sites, at least some of which are using HAProxy."

This report was against haproxy, but I have quickly found out that the same
problem applies to the version of nginx used in Buster. The whole haproxy
thread, with all the details, can be found at:

https://www.mail-archive.com/haproxy@formilux.org/msg32495.html

In short, nginx 1.14.2 has a TLS 1.3 incompatibility that will make nginx
unusable with future versions of Chrome. nginx fixed this problem in
version 1.15.4.

To reproduce this, install nginx in Buster and enable TLSv1.3 in the config
with any certificate (can be snakeoil). Then issue:

openssl s_client -connect localhost:443

and type the single letter 'K'. This will make s_client send a KeyUpdate.
If the connection is closed, then the server has this incompatibility.

To fix this, nginx must be either updated to 1.15.4 or later, or the
following patches must be backported:

https://trac.nginx.org/nginx/changeset/dcab8611526120b270841a10a307f66f0be44e0a
https://trac.nginx.org/nginx/changeset/e3ba4026c02d2c1810fd6f2cecf499fc39dde5ee
https://trac.nginx.org/nginx/changeset/bf1ac3dc1e6856371c60bc5c57084662926dba0e

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nginx-light depends on:
ii  libc6                   2.28-5
ii  libnginx-mod-http-echo  1.14.2-2
ii  libpcre3                2:8.39-11
ii  libssl1.1               1.1.1a-1
ii  nginx-common            1.14.2-2
ii  zlib1g                  1:1.2.11.dfsg-1

nginx-light recommends no packages.

Versions of packages nginx-light suggests:
pn  nginx-doc  <none>

-- no debconf information
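The interactive reproduction above (connect with s_client, type 'K', see whether the server drops the connection) can be scripted so that it runs against a staging host before TLSv1.3 is enabled in production. The script below is an added example and is not part of the bug report or of nginx. It assumes the OpenSSL 1.1.1 s_client behaviour: a line consisting only of 'K' on a TLS 1.3 connection sends a KeyUpdate that also asks the server for one back and prints "KEYUPDATE" to stderr, and reaching EOF on stdin while the connection is still open prints "DONE". The verdict strings and the sample transcripts are constructed for this example.

```shell
#!/bin/sh
# Scripted TLS 1.3 KeyUpdate compatibility probe (added example, not from
# the bug report). Assumes OpenSSL 1.1.1+ s_client and its interactive
# markers "KEYUPDATE" (sent) and "DONE" (stdin EOF with connection still up).

# Classify a merged stdout+stderr transcript of one s_client session.
# Verdict strings are constructed for this example.
classify_transcript() {
    transcript=$1
    case $transcript in
        # KeyUpdate was sent and the session was still alive when stdin hit EOF.
        *KEYUPDATE*DONE*) echo "keyupdate-ok" ;;
        # KeyUpdate was sent but no DONE followed: the server closed the
        # connection instead of handling the update (the nginx 1.14.2 symptom).
        *KEYUPDATE*)      echo "connection-dropped" ;;
        # No KeyUpdate was sent: handshake failed or the session was not TLS 1.3.
        *)                echo "no-keyupdate-sent" ;;
    esac
}

# Run the probe against a server.
# $1 = host, $2 = port (default 443), $3 = seconds to keep the session open
# after the KeyUpdate so that a server that drops it has time to do so.
keyupdate_probe() {
    host=$1; port=${2:-443}; wait=${3:-3}
    # 'K' must be the only character on the line; the trailing sleep keeps
    # stdin open so s_client does not hit EOF before the server has reacted.
    transcript=$( (printf 'K\n'; sleep "$wait") \
        | openssl s_client -connect "$host:$port" -servername "$host" -tls1_3 2>&1 )
    classify_transcript "$transcript"
}

# Only probe the network when a host is given on the command line,
# e.g.: sh keyupdate_probe.sh localhost 443
if [ $# -ge 1 ]; then
    keyupdate_probe "$@"
fi
```

The upper-case 'K' is the right key to use here: per the s_client documentation it requests a KeyUpdate back from the server, so the server must send post-handshake data in response, whereas the lower-case 'k' only rotates the client's own sending keys. A result of "connection-dropped" on a server that is expected to support TLSv1.3 is the signal that the fix from 1.15.4 (or the listed backports) is missing; "no-keyupdate-sent" means the probe never reached the point of testing KeyUpdate and the transcript should be read by hand.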