oerdnj / deb.sury.org

Public bugreports for anything ppa:ondrej/*

[nginx] Stretch package seems to be built against libssl1.1.0 #1587

Closed isbear closed 3 years ago

isbear commented 3 years ago

Hello.

It seems that the nginx package for stretch is built against the distro-provided libssl1.1, which is currently at version 1.1.0l-1~deb9u3. Other distros (and this one previously) were built against libssl1.1 version 1.1.1+, which has support for TLS v1.3.

If this is an intentional decision, please ignore this bug report.

To Reproduce

Steps to reproduce the behavior:

  1. Set up a basic nginx site.
  2. curl -v -k --tlsv1.3 https://sitename
  3. The error is:

    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS alert, handshake failure (552):
    * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Expected behavior

* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):

Distribution: Debian 9 (stretch)

Package(s):

nginx-full:
  Installed: 1.18.0-6+deb.sury.org+2+0~20210313.16+debian9~1.gbpe79184
  Candidate: 1.18.0-6+deb.sury.org+2+0~20210313.16+debian9~1.gbpe79184
  Version table:
 *** 1.18.0-6+deb.sury.org+2+0~20210313.16+debian9~1.gbpe79184 500
        500 https://packages.sury.org/nginx stretch/main amd64 Packages
        100 /var/lib/dpkg/status
     1.14.1-1~bpo9+1 100
        100 http://deb.debian.org/debian stretch-backports/main amd64 Packages
     1.10.3-1+deb9u5 500
        500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
     1.10.3-1+deb9u4 500
        500 http://deb.debian.org/debian stretch/main amd64 Packages

Additional context

We're building an additional module (push-stream) for nginx ourselves, and this triggers our very basic test suite, which checks the three requirements that were the initial reason for us to first build nginx packages ourselves and then switch to using yours and only building additional modules: 1) brotli is supported, 2) TLS v1.3 is supported, 3) push-stream is working.

d-sergienko commented 3 years ago

Hello,

The same issue for me.

# nginx -V
nginx version: nginx/1.18.0
built with OpenSSL 1.1.0l  10 Sep 2019
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module
# lsb_release -d
Description:    Debian GNU/Linux 9.13 (stretch)
# dpkg -l 'nginx-core'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                                           Version                              Architecture                         Description
+++-==============================================================-====================================-====================================-=================================================================================================================================
ii  nginx-core                                                     1.18.0-6+deb.sury.org+2+0~20210313.1 amd64                                nginx web/proxy server (standard version)

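
The check both reporters did by hand (read `nginx -V`, then try a TLS 1.3-only handshake) as an added shell example; it is not part of this issue or of the deb.sury.org packaging. It extracts the OpenSSL version from the `built with OpenSSL ...` line, prefers the `(running with OpenSSL ...)` version when nginx prints one (the runtime library is what decides whether TLS 1.3 is offered), and reports whether that version is 1.1.1 or newer. The sample `nginx -V` lines are constructed from the output in this thread; `tls13_verdict`, `openssl_supports_tls13` and `probe_tls13` are names chosen here, not nginx or curl interfaces. LibreSSL builds are not handled.

```shell
#!/bin/sh
# Added example (not from the issue or the deb.sury.org packages): decide from
# `nginx -V` output whether the OpenSSL library nginx uses can speak TLS 1.3.
# TLS 1.3 requires OpenSSL >= 1.1.1. nginx prints the build-time library and,
# when the runtime library differs, appends "(running with OpenSSL Y ...)".

# openssl_version_from_nginx_v: read `nginx -V 2>&1` on stdin and print the
# OpenSSL version nginx is actually running with (runtime one if present).
openssl_version_from_nginx_v() {
    line=$(grep -i 'built with OpenSSL' | head -n 1)
    running=$(printf '%s\n' "$line" | sed -n 's/.*running with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p')
    if [ -n "$running" ]; then
        printf '%s\n' "$running"
    else
        printf '%s\n' "$line" | sed -n 's/.*built with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p'
    fi
}

# openssl_supports_tls13 VERSION: return 0 when VERSION (1.1.0l, 1.1.1k, 3.0.2,
# 3.1.0-dev ...) is >= 1.1.1. Letter suffixes such as the "l" in 1.1.0l are
# patch levels inside a release and never change the answer, so they are
# stripped before the numeric comparison.
openssl_supports_tls13() {
    v=$(printf '%s\n' "$1" | sed 's/[a-zA-Z-].*$//')
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    patch=${rest%%.*}
    [ -n "$patch" ] || patch=0
    case "$major$minor$patch" in ''|*[!0-9]*) return 1 ;; esac   # unparsable
    if [ "$major" -gt 1 ]; then
        return 0
    elif [ "$major" -eq 1 ] && [ "$minor" -gt 1 ]; then
        return 0
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ]; then
        return 0
    fi
    return 1
}

# tls13_verdict: read `nginx -V 2>&1` on stdin, print a one-line verdict and
# return 0 when TLS 1.3 can be offered, 1 otherwise.
tls13_verdict() {
    ver=$(openssl_version_from_nginx_v)
    if [ -z "$ver" ]; then
        echo "could not find an OpenSSL version in nginx -V output"
        return 1
    fi
    if openssl_supports_tls13 "$ver"; then
        echo "OpenSSL $ver: TLS 1.3 available"
        return 0
    fi
    echo "OpenSSL $ver: no TLS 1.3 (needs OpenSSL 1.1.1 or newer)"
    return 1
}

# probe_tls13 HOST:PORT: the live counterpart of `curl -v -k --tlsv1.3`, forcing
# a TLS 1.3-only handshake with openssl s_client (needs OpenSSL >= 1.1.1 on the
# client). s_client prints "New, TLSv1.3, Cipher is ..." on success and
# "New, (NONE), Cipher is (NONE)" when the server refuses, as the stretch
# build in this issue does. Not run here: it needs a reachable server.
probe_tls13() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -tls1_3 </dev/null 2>/dev/null \
        | grep -q '^New, TLSv1.3'
}

# Constructed sample: the header lines of the `nginx -V` output posted above.
SAMPLE_NGINX_V='nginx version: nginx/1.18.0
built with OpenSSL 1.1.0l  10 Sep 2019
TLS SNI support enabled'

# Demonstrate on the sample. Against the installed server the same check is:
#   nginx -V 2>&1 | tls13_verdict
if printf '%s\n' "$SAMPLE_NGINX_V" | tls13_verdict; then
    echo "curl -v -k --tlsv1.3 should receive a Server hello"
else
    echo "curl -v -k --tlsv1.3 will get 'alert handshake failure', as in this report"
fi
```

Pairing the two checks matters: `tls13_verdict` tells you whether the build can offer TLS 1.3 at all, while `probe_tls13` tells you whether the running configuration does; a failed probe with a passing verdict points at `ssl_protocols` in the nginx config rather than at the package.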
oerdnj commented 3 years ago

It is intentional; more details can be found here: https://github.com/oerdnj/deb.sury.org/issues/1563#issuecomment-804901203 (read the whole issue).