OpenSSL 1.1 ChaCha20-Poly1305 HTTP2 Nginx and ALPN

It has been a while since OpenSSL 1.1 was released, yet very few are actually using it. It is quite easy to update your entire stack to run the latest versions, or at least to rebuild the most important parts of it.

With the release of OpenSSL 1.1 a lot of unsafe features have been removed, and ChaCha20-Poly1305 was added to the mix. NPN has also been removed from Chrome, among others, so you need ALPN support to deliver HTTP2.

Instructions

Debian 9

Make sure you don't install nginx (OpenSSL 1.0.2-t) from stretch itself (/etc/apt/preferences)

Package: *
Pin: release n=stretch
Pin-Priority: 900

Package: *
Pin: release a=stretch-backports
Pin-Priority: 500

Package: nginx*
Pin: release *
Pin-Priority: -1

Add the Nginx repo (/etc/apt/sources.list.d/nginx.list)

deb http://nginx.org/packages/debian/ stretch nginx
deb-src http://nginx.org/packages/debian/ stretch nginx

Run:

mkdir /usr/local/src -p && cd /usr/local/src
curl -O https://nginx.org/keys/nginx_signing.key && apt-key add ./nginx_signing.key
apt-get update
apt-get install openssl libssl-dev -y
# debuild comes from devscripts; build-dep pulls nginx's build dependencies via the deb-src line
apt-get install devscripts build-essential -y
apt-get build-dep nginx -y
apt-get source nginx
tar xf nginx*.gz
cd nginx-*
tar xf ../nginx*.xz
debuild -uc -us
cd ..
dpkg -i nginx_*.deb

All done!

Debian 8

Add the stretch repository to your system (/etc/apt/sources.list.d/stretch.list)

deb http://httpredir.debian.org/debian/ stretch main contrib non-free
deb-src http://httpredir.debian.org/debian/ stretch main contrib non-free

deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free

# stretch-updates, previously known as 'volatile'
deb http://httpredir.debian.org/debian/ stretch-updates main contrib non-free
deb-src http://httpredir.debian.org/debian/ stretch-updates main contrib non-free

Make sure you only install the necessary packages from stretch (/etc/apt/preferences)

Package: *
Pin: release n=jessie
Pin-Priority: 900

Package: *
Pin: release a=jessie-backports
Pin-Priority: 500

Package: *
Pin: release n=stretch
Pin-Priority: 100

Add the Nginx repo (/etc/apt/sources.list.d/nginx.list)

deb http://nginx.org/packages/debian/ jessie nginx
deb-src http://nginx.org/packages/debian/ jessie nginx

Run:

mkdir /usr/local/src -p && cd /usr/local/src
curl -O https://nginx.org/keys/nginx_signing.key && apt-key add ./nginx_signing.key
apt-get update
# openssl and libssl-dev come from stretch; everything else stays on jessie
apt-get install openssl libssl-dev -t stretch -y
# debuild comes from devscripts; build-dep pulls nginx's build dependencies via the deb-src line
apt-get install devscripts build-essential -y
apt-get build-dep nginx -y
apt-get source nginx
tar xf nginx*.gz
# the unpacked source directory is nginx-<version>; plain nginx* would also match the tarballs
cd nginx-*
tar xf ../nginx*.xz
debuild -uc -us
cd ..
dpkg -i nginx_*.deb

There you go! This should give you an HTTP2 webserver using the latest crypto. You might want to add some extra package pinning so your automatic updates don't ruin the fun by overwriting your nginx packages.

Now go configure your webserver to only use the latest and highest cryptography... This will of course break a lot of services so be careful and respect your audience.
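Once the rebuilt package is installed, the two things worth checking are the ones the post is about: that nginx really is linked against OpenSSL 1.1, and that a client negotiating ALPN gets h2 over a ChaCha20-Poly1305 suite. The script below is an added example, not part of the original post or of the nginx project; it assumes nginx and an OpenSSL 1.1 openssl binary are on PATH, that the hostname passed as its first argument resolves to the rebuilt server, and the sample outputs embedded for the self-test are constructed rather than captured. The tls_server_block function emits a minimal nginx server block of the kind the last paragraph asks for (certificate paths and server_name are placeholders).

```shell
#!/bin/sh
# Added example (not from the original post): confirm the rebuilt nginx is
# built against OpenSSL 1.1 and that ALPN -> h2 over ChaCha20-Poly1305 works.
# Assumes `nginx` and an OpenSSL 1.1 `openssl` are on PATH; the hostname is
# supplied by the caller. Sample outputs below are constructed, not captured.

# `nginx -V` prints the OpenSSL it was built with; accept only 1.1.x.
nginx_built_with_openssl11() {
    printf '%s\n' "$1" | grep -q 'built with OpenSSL 1\.1\.'
}

# Parse `openssl s_client` output. Return codes: 0 ok, 4 no handshake,
# 1 ALPN did not select h2, 2 protocol older than TLS 1.2,
# 3 cipher is not a ChaCha20-Poly1305 suite.
handshake_ok() {
    printf '%s\n' "$1" | grep -q '^SSL-Session:' || return 4
    printf '%s\n' "$1" | grep -q '^ALPN protocol: h2$' || return 1
    printf '%s\n' "$1" | grep -Eq '^ *Protocol *: TLSv1\.[23]' || return 2
    printf '%s\n' "$1" | grep -Eq '^ *Cipher *: ECDHE-(RSA|ECDSA)-CHACHA20-POLY1305' || return 3
    return 0
}

# Minimal server block: TLS 1.2 only, AEAD suites with ChaCha20 first,
# HTTP/2 advertised via ALPN. Paths and server_name are placeholders.
tls_server_block() {
    cat <<'EOF'
server {
    listen 443 ssl http2;
    server_name example.org;                            # placeholder
    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
}
EOF
}

# Live probe: offer h2 via ALPN and ChaCha20 suites first, then report.
probe_site() {
    host=$1
    if nginx_built_with_openssl11 "$(nginx -V 2>&1)"; then
        echo "nginx: built with OpenSSL 1.1"
    else
        echo "nginx: NOT built with OpenSSL 1.1 (check nginx -V)"
    fi
    out=$(openssl s_client -connect "$host:443" -servername "$host" -alpn h2 \
        -cipher 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256' \
        </dev/null 2>/dev/null)
    rc=0; handshake_ok "$out" || rc=$?
    case $rc in
        0) echo "tls: h2 over ChaCha20-Poly1305 on TLS 1.2+" ;;
        1) echo "tls: ALPN did not select h2 (server or library lacks ALPN)" ;;
        2) echo "tls: protocol older than TLS 1.2" ;;
        3) echo "tls: ChaCha20-Poly1305 not negotiated (check ssl_ciphers order)" ;;
        4) echo "tls: handshake failed" ;;
    esac
    return $rc
}

# Constructed sample outputs (not captured from a real host) for a self-test.
SAMPLE_NGINX_V='nginx version: nginx/1.11.6
built by gcc 6.2.1 20161124 (Debian 6.2.1-5)
built with OpenSSL 1.1.0c  10 Nov 2016
TLS SNI support enabled'

SAMPLE_SCLIENT_GOOD='CONNECTED(00000003)
---
ALPN protocol: h2
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
---'

SAMPLE_SCLIENT_OLD='CONNECTED(00000003)
---
No ALPN negotiated
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
---'

if [ $# -gt 0 ]; then
    probe_site "$1"
fi
```

Run it as `sh check_h2.sh your.host.name` after restarting nginx with the new server block; a return code of 1 with a "No ALPN negotiated" handshake is exactly what an nginx still linked against the distribution's OpenSSL 1.0.2 without ALPN produces, and a 3 means the server is up to date but prefers AES-GCM, which is a ssl_ciphers ordering question rather than a build problem.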

Author: Angelique Dawnbringer
Published: 2016-12-18 03:09:55
Keywords:
  • OpenSSL 1.1
  • ChaCha20-Poly1305
  • Nginx
  • HTTP2
  • H2
  • ALPN
Modified: 2017-09-10 17:50:48