On Sun, May 31, 2026 at 06:31:31PM -0400, Thomas Ward wrote:
>...
> --- nginx-snippets-1.0+nmu1/debian/nginx-snippets.install     2025-04-08 
> 11:17:38.000000000 -0400
> +++ nginx-snippets-1.3~deb13u1/debian/nginx-snippets.install  2026-04-23 
> 16:34:28.000000000 -0400
> @@ -1 +1,2 @@
>  snippets/* /etc/nginx/snippets/
> +conf.d/* /etc/nginx/conf.d/
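Review bot: the new `conf.d/* /etc/nginx/conf.d/` line in debian/nginx-snippets.install changes what the package does on every installation, not just for sites that opt in: the stock Debian nginx.conf includes /etc/nginx/conf.d/*.conf unconditionally, whereas /etc/nginx/snippets/ is only read where a server block explicitly includes a snippet. The quoted diff does not show what conf.d/ contains, so the stable update should name those files and explain in the changelog why they belong in an always-active directory rather than among the snippets.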

Why?

>...
> --- nginx-snippets-1.0+nmu1/snippets/tls/tls-intermediate-nodhe.conf  
> 2025-04-08 11:17:38.000000000 -0400
> +++ nginx-snippets-1.3~deb13u1/snippets/tls/tls-intermediate-nodhe.conf       
> 2026-04-23 16:34:01.000000000 -0400
> @@ -1,14 +1,17 @@
>  # Based on Mozilla TLS generator configurations
>  
> -# Mozilla Guideline v5.7, nginx 1.27.3, OpenSSL 3.4.0, intermediate config, 
> no HSTS, no OCSP
> +# Mozilla Guideline v6.0, nginx 1.27.3, OpenSSL 3.6.2, intermediate config, 
> no HSTS, no OCSP
>  # last generated/retrieved on 2025-02-22 
>  
> -# intermediate configuration, but DHE-* ciphers and dhparam are removed.
> +# intermediate configuration
>  ssl_protocols TLSv1.2 TLSv1.3;
> -ssl_ecdh_curve X25519:prime256v1:secp384r1;
> +ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;
>  ssl_ciphers 
> ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
>  ssl_prefer_server_ciphers off;
>  
>  # see also ssl_session_ticket_key alternative to stateful session cache
>  ssl_session_timeout 1d;
>  ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
> +
> +# Generated through openssl in the postinst script.
> +ssl_dhparam "/etc/nginx/dhparam2048.pem";
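Review bot: adding `ssl_dhparam "/etc/nginx/dhparam2048.pem";` to tls-intermediate-nodhe.conf contradicts the file's purpose: the name says no DHE, the comment being removed said "DHE-* ciphers and dhparam are removed", and the ssl_ciphers line that stays is ECDHE-only, so no TLS 1.2 suite in this snippet can use the parameters. The directive is dead for cipher selection but still makes nginx refuse to load its configuration whenever /etc/nginx/dhparam2048.pem is absent, which is the fresh-install case. Either drop it here and keep it only in the variant this file is derived from, or restore the comment and have the postinst guarantee the file on every install (and the postrm remove it on purge). Two smaller points in the same hunk: "last generated/retrieved on 2025-02-22" is left unchanged while the guideline and OpenSSL versions on the line above were bumped, and X25519MLKEM768 in ssl_ecdh_curve is only accepted by an OpenSSL that implements that hybrid group, so the backport should be verified with trixie's nginx and openssl via `nginx -t` rather than against the nginx 1.27.3 / OpenSSL 3.6.2 named in the comment.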

Does the last line work in a fresh sid install?

It might be a bug in trixie that even purging the package does not 
remove dhparam2048.pem, which might hide the issue on upgrades
but could, after your proposed backport, break fresh trixie installs.

>...
> --- nginx-snippets-1.0+nmu1/snippets/tls/tls-modern.conf      2025-04-08 
> 11:17:38.000000000 -0400
> +++ nginx-snippets-1.3~deb13u1/snippets/tls/tls-modern.conf   2026-04-23 
> 16:34:01.000000000 -0400
>...
> -ssl_ecdh_curve X25519:prime256v1:secp384r1;
> +ssl_ecdh_curve ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;;
>...
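Review bot: `ssl_ecdh_curve ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;;` in tls-modern.conf is a botched edit, not a valid directive: ssl_ecdh_curve takes exactly one argument, so the repeated directive name gives it two, and the trailing `;;` leaves an empty statement behind; any server block that includes this snippet will fail `nginx -t`. It should read `ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;`, matching the same line in the intermediate snippets, and the upload should be re-tested with the snippet actually included.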

Is this intentional?

cu
Adrian
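A pre-upload check for the two problems discussed in this thread, as an added example that is not part of the message or of the nginx-snippets package: a POSIX sh lint that flags a directive whose name was pasted twice or that ends in `;;`, and an ssl_dhparam path that does not exist under a given root. The sample snippet files it writes are constructed here to reproduce the quoted lines, and the function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the nginx-snippets package or the thread.
# lint_snippet: static check of an nginx snippet file for the two defects
# discussed above, without needing nginx installed:
#   1. a directive name pasted twice / a stray ";;" (the tls-modern.conf line)
#   2. ssl_dhparam pointing at a file that does not exist (fresh-install case)
# It is a pre-upload sanity check, not a replacement for `nginx -t`.

# lint_snippet FILE [ROOT]
# ROOT is prefixed to absolute paths so a staging tree or chroot can be
# checked. Prints one finding per line; returns the number of findings.
lint_snippet() {
    file=$1
    root=${2:-}
    findings=0
    n=0
    set -f                      # no globbing while splitting directive lines
    while IFS= read -r raw || [ -n "$raw" ]; do
        n=$((n + 1))
        line=${raw%%#*}         # drop trailing comment
        set -- $line            # split into directive name and arguments
        [ $# -eq 0 ] && continue
        case "$line" in
            *';;'*) echo "$file:$n: stray ';;' (nginx: unexpected \";\")"
                    findings=$((findings + 1)) ;;
        esac
        if [ $# -ge 2 ] && [ "$1" = "$2" ]; then
            echo "$file:$n: directive name repeated: '$1 $2'"
            findings=$((findings + 1))
        fi
        if [ "$1" = ssl_dhparam ] && [ $# -ge 2 ]; then
            path=$2
            path=${path%;}; path=${path#\"}; path=${path%\"}
            if [ ! -f "$root$path" ]; then
                echo "$file:$n: ssl_dhparam file missing: $root$path"
                findings=$((findings + 1))
            fi
        fi
    done < "$file"
    set +f
    return $findings
}

# write_samples DIR: constructed sample snippets reproducing the quoted lines.
write_samples() {
    cat > "$1/tls-modern.conf" <<'EOF'
ssl_protocols TLSv1.3;
ssl_ecdh_curve ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;;
ssl_prefer_server_ciphers off;
EOF
    cat > "$1/tls-intermediate-nodhe.conf" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;
ssl_prefer_server_ciphers off;
# Generated through openssl in the postinst script.
ssl_dhparam "/etc/nginx/dhparam2048.pem";
EOF
    cat > "$1/good.conf" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_prefer_server_ciphers off;
EOF
}

# Demo: lint the samples against an empty fake root (no dhparam file yet),
# which is what a fresh install looks like before the postinst has run.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in "$d"/*.conf; do
        if lint_snippet "$f" "$d/root"; then echo "OK   $f"; else echo "FAIL $f"; fi
    done
    rm -rf "$d"
}
demo
```

Run it against debian/nginx-snippets/etc/nginx/snippets/tls/*.conf with the staging tree as ROOT before building; a clean run only says the files parse as directives and that the referenced dhparam file exists in that tree, so `nginx -t` on a fresh trixie chroot is still the real test.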
