Closed isbear closed 3 years ago
Hello,
The same issue for me.
# nginx -V
nginx version: nginx/1.18.0
built with OpenSSL 1.1.0l 10 Sep 2019
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module
# lsb_release -d
Description: Debian GNU/Linux 9.13 (stretch)
# dpkg -l 'nginx-core'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============================================================-====================================-====================================-=================================================================================================================================
ii nginx-core 1.18.0-6+deb.sury.org+2+0~20210313.1 amd64 nginx web/proxy server (standard version)
It is intentional, more details are found here: https://github.com/oerdnj/deb.sury.org/issues/1563#issuecomment-804901203 (the whole issue).
Hello.
It seems, that nginx package for stretch is built against distro-provided libssl1.1, which is currently of version 1.1.0l-1~deb9u3. Other distros (and this one previously) were built against libssl1.1 of version 1.1.1+, that has support for tls v1.3.
If this is intentional decision, please ignore this bugreport.
To Reproduce Steps to reproduce the behavior:
curl -v -k --tlsv1.3 https://sitename
Expected behavior
Distribution:
Package(s) (please complete the following information):
Additional context We're building additional module (push-stream) for nginx ourselves, and this triggers our very basic testsuite, that checks three requirements, that were initial cause for us to first build nginx packages ourself, then switch to using yours and only building additional modules: 1) brotli is supported 2) tls v1.3 is supported 3) push-stream is working.