Package: nginx-snippets
Version: 1.0+nmu1
Fixed: 1.3
Tags: trixie
Severity: normal
Submitter: Gabriel Corona <[email protected]>

Originally reported to security@ as a 'security issue' but isn't really a Security grade bug. Was emailed individually to me separately from Salvatore in email.
Original report contents are as follows and were originally sent by Gabriel Corona into security@
---

Hi,

nginx-snippets contains TLS configuration snippets based on Mozilla TLS generator. However, while the version of NGINX present in Trixie supports post quantum cryptography (X25519MLKEM768), these configuration snippets disable them with this line:

    ssl_ecdh_curve X25519:prime256v1:secp384r1;

This configuration reduces the security of the TLS configuration and makes the hosted applications/sites vulnerable to a potential "Harvest Now Decrypt Later" attack.

The version in testing/unstable is not affected as it uses:

    ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;

---

This bug tracks this specific issue for changelogs.

Thomas
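One way to audit deployed configuration for the setting this report describes, as an added example that is not part of the report or of the nginx-snippets package. The sample configs are constructed from the two directive values quoted above, the function names are hypothetical, and comment stripping assumes no `#` inside quoted strings.

```python
import re

# Hybrid post-quantum key-exchange group named in the report.
PQ_GROUP = "X25519MLKEM768"

# Constructed samples built from the two directive values quoted in the report.
AFFECTED = """
# constructed snippet, affected form
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
"""
FIXED = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;  # hybrid group listed
"""

# A directive starts at the beginning of a line or right after ';', '{' or '}'.
DIRECTIVE = re.compile(r"(?:^|[;{}])\s*ssl_ecdh_curve\s+([^;]+);", re.MULTILINE)


def strip_comments(text):
    """Drop '#' comments so commented-out directives are not audited."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def audit(text):
    """Return one (status, groups) finding per ssl_ecdh_curve directive.

    An empty result means no explicit list is set in this text, so the
    snippet itself is not restricting the groups.
    """
    findings = []
    for match in DIRECTIVE.finditer(strip_comments(text)):
        groups = [g for g in match.group(1).strip().split(":") if g]
        if groups == ["auto"]:
            status = "library-default"  # nginx defers to the OpenSSL built-in list
        elif PQ_GROUP in groups:
            status = "pq-enabled"
        else:
            status = "pq-disabled"      # explicit list omits the hybrid group
        findings.append((status, groups))
    return findings


if __name__ == "__main__":
    for name, conf in (("affected", AFFECTED), ("fixed", FIXED)):
        for status, groups in audit(conf):
            print(f"{name}: {status}: {':'.join(groups)}")
```

To audit a real host, pass it the expanded configuration text, for example the output of `nginx -T`, so that included snippet files are covered.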

