Updated to Debian Buster

Today I found out that my site was not served over TLS v1.3 even though I had configured ssl_protocols TLSv1.2 TLSv1.3; in my /etc/nginx/nginx.conf. I googled and found that TLS v1.3 support has been available since OpenSSL v1.1.1 [1]. Then I found a solution in this blog post [2] and learned a lot about apt source along the way. To do this I needed to update OpenSSL to v1.1.1; on Debian Stretch it is v1.1.0. Considering that Debian Buster will be released in the near future [3], I decided to upgrade to Debian Buster to adapt to the release in advance while updating OpenSSL as well.

Update To Debian Buster

/etc/apt/sources.list:

deb http://debian-mirror.westus.cloudapp.azure.com/debian/ buster main
deb-src http://debian-mirror.westus.cloudapp.azure.com/debian/ buster main

deb http://security.debian.org/ buster/updates main
deb-src http://security.debian.org/ buster/updates main

deb http://debian-mirror.westus.cloudapp.azure.com/debian/ buster-backports main

deb http://nginx.org/packages/mainline/debian/ stretch nginx
deb-src http://nginx.org/packages/mainline/debian/ stretch nginx

deb http://debian-mirror.westus.cloudapp.azure.com/debian/ buster-updates main
deb-src http://debian-mirror.westus.cloudapp.azure.com/debian/ buster-updates main

In the configuration file above I replaced stretch with buster; this works because the corresponding directories, such as http://debian-mirror.westus.cloudapp.azure.com/debian/dists/buster-updates/, already exist. I didn't change stretch in the nginx lines, because there is no directory called buster in http://nginx.org/packages/mainline/debian/dists/ yet; I guess they will add it once Buster is released.

In my case I found files in /etc/apt/sources.list.d/ too, so I made the same changes there.

Then upgrade:

sim@server:~$ sudo apt update && sudo apt upgrade && sudo apt dist-upgrade

Answer the prompts during the process. Then it's done.

Recompile Nginx With TLSv1.3 support

I guess that once Buster is released, TLS v1.3 will be officially supported in Nginx's Buster repository? If so, this information will be outdated once we can use the Buster repository from nginx.org.

sim@server:~$ sudo apt source nginx

Since I ran it as a non-root user, the .xz and .gz archives were automatically unpacked into the current working directory. If it is run as root, the additional steps tar xf nginx*.gz && tar xf nginx*.xz are required.

Go into the directory:

sim@server:~$ cd nginx-*

Install the needed packages [4]:

sim@server:~/nginx-1.17.0$ sudo apt install dh-systemd quilt libssl-dev libpcre3-dev zlib1g-dev devscripts build-essential lintian

Then, as a quick and dirty workaround, make dpkg-shlibdeps ignore missing shlibs info when computing the shared-library dependencies of nginx-dbg. Edit the debian/rules file and change the dh_shlibdeps line to:

dh_shlibdeps -a --dpkg-shlibdeps-params=--ignore-missing-info

In the same file, add the following argument after CFLAGS=...--with-ld-opt="$(LDFLAGS)":

--with-openssl-opt=enable-tls1_3

Install:

sim@server:~/nginx-1.17.0$ debuild -uc -us && cd .. && sudo dpkg -i nginx_*.deb

Then pin the package in /etc/apt/preferences:

Package: nginx*
Pin: release *
Pin-Priority: -1
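The two debian/rules edits above, applied and verified with sed so the change is reproducible and safe to re-run. This is an added example, not code from the original post or from the nginx packaging; it assumes the nginx.org layout, i.e. a line that is exactly dh_shlibdeps -a and configure lines ending in --with-ld-opt="$(LDFLAGS)", and it demonstrates on a constructed, minimal stand-in for debian/rules.

```shell
#!/bin/sh
# Added example (not from the original post): apply the two debian/rules edits
# from the text with sed, keep a pristine copy, verify, and stay idempotent.
# Assumption: nginx.org packaging layout (see lead-in); GNU sed for -i.
set -eu

patch_rules() {                      # $1 = path to debian/rules
    rules="$1"
    [ -e "$rules.orig" ] || cp "$rules" "$rules.orig"   # pristine copy for diffing
    # 1) quick and dirty: ignore missing shlibs info when computing nginx-dbg deps
    grep -q -- '--ignore-missing-info' "$rules" ||
        sed -i 's/^\([[:space:]]*dh_shlibdeps -a\)[[:space:]]*$/\1 --dpkg-shlibdeps-params=--ignore-missing-info/' "$rules"
    # 2) build the bundled OpenSSL with TLS 1.3 enabled
    grep -q -- '--with-openssl-opt=enable-tls1_3' "$rules" ||
        sed -i 's|--with-ld-opt="\$(LDFLAGS)"|& --with-openssl-opt=enable-tls1_3|' "$rules"
}

verify_rules() {                     # succeed only if both edits are present
    grep -q -- '--dpkg-shlibdeps-params=--ignore-missing-info' "$1" &&
    grep -q -- '--with-ld-opt="\$(LDFLAGS)" --with-openssl-opt=enable-tls1_3' "$1"
}

sample_rules() {                     # constructed, minimal stand-in for debian/rules
    {
        echo '#!/usr/bin/make -f'
        echo 'config.status.nginx:'
        printf '\tCFLAGS="" ./configure --prefix=/etc/nginx --with-http_ssl_module --with-cc-opt="$(CFLAGS)" --with-ld-opt="$(LDFLAGS)"\n'
        echo 'override_dh_shlibdeps:'
        printf '\tdh_shlibdeps -a\n'
    } > "$1"
}

demo=$(mktemp)
sample_rules "$demo"
patch_rules "$demo"
verify_rules "$demo"
diff "$demo.orig" "$demo" || true    # show what changed (diff exits 1 on differences)
rm -f "$demo" "$demo.orig"
```

On a real checkout run patch_rules debian/rules before debuild; a non-zero exit from verify_rules means the packaging layout differs and the edits must be made by hand.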

The result:

sim@server:~$ sudo nginx -V
nginx version: nginx/1.17.0
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1c  28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/root/nginx-1.17.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' --with-openssl-opt=enable-tls1_3

Now TLS v1.3 is supported on my site:

sim@server:~$ curl -v https://www.snorl.ax/
...
* Connected to www.snorl.ax (103.86.70.71) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
...

Dovecot: dh key too small

After the upgrade, I couldn't log in to my IMAP server anymore; the log showed:

Jun 17 06:37:01 server dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=*.*.*.*, lip=*.*.*.*, session=<eUofjH2LSO2wer5W>

This is because, starting from Dovecot 2.3, the path to a DH parameters file must be specified explicitly with [5]:

ssl_dh=</path/to/dh.pem

So to resolve this:

sim@server:~$ su
root@server:~$ openssl dhparam 4096 > /var/mail/dh.pem

In /etc/dovecot/conf.d/10-ssl.conf, specify this:

...
ssl_dh=</var/mail/dh.pem
...

Specifying this is recommended as well:

...
ssl_prefer_server_ciphers=yes
...

Then restart:

root@server:~$ systemctl restart dovecot

Now I'm able to log in to my imap again.
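A pre-flight check for the Dovecot fix above, run before systemctl restart dovecot: it confirms that 10-ssl.conf sets ssl_dh, that the referenced PEM file exists, and that the DH group is at least MIN_BITS long. This is an added example, not code from the original post or from Dovecot; the 2048-bit floor is an assumption chosen as the usual minimum that avoids "dh key too small" (the post itself generates 4096 bits), and the demo uses a constructed config plus deliberately small, quickly generated parameters.

```shell
#!/bin/sh
# Added example (not from the original post): check a Dovecot 10-ssl.conf and its
# DH parameter file before restarting. Assumptions: the openssl CLI is present;
# MIN_BITS=2048 is an assumed floor, not a value from the post.
set -eu
MIN_BITS=2048

dh_bits() {                          # print the bit length of the DH group in a PEM file
    openssl dhparam -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

ssl_dh_path() {                      # extract the path from "ssl_dh = </path/to/dh.pem"
    sed -n 's/^[[:space:]]*ssl_dh[[:space:]]*=[[:space:]]*<\(.*\)$/\1/p' "$1" | head -n 1
}

check_dovecot_dh() {                 # $1 = path to 10-ssl.conf; return 0 when safe to restart
    dh=$(ssl_dh_path "$1")
    [ -n "$dh" ]   || { echo "ssl_dh is not set in $1 (required since Dovecot 2.3)"; return 1; }
    [ -f "$dh" ]   || { echo "ssl_dh points to a missing file: $dh"; return 1; }
    bits=$(dh_bits "$dh")
    [ -n "$bits" ] || { echo "$dh is not a readable DH parameter file"; return 1; }
    [ "$bits" -ge "$MIN_BITS" ] || { echo "$dh has only $bits-bit DH parameters (< $MIN_BITS)"; return 1; }
    echo "OK: $dh provides $bits-bit DH parameters"
}

# Demo on constructed input: a 1024-bit group (generated with -dsaparam so it is
# fast) must be rejected, which is exactly the situation the log above reports.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    printf 'ssl_dh = <%s/dh.pem\nssl_prefer_server_ciphers = yes\n' "$work" > "$work/10-ssl.conf"
    openssl dhparam -dsaparam -out "$work/dh.pem" 1024 2>/dev/null
    check_dovecot_dh "$work/10-ssl.conf" || echo "(expected: 1024-bit parameters are too small)"
    rm -rf "$work"
fi
```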