Cloudflare removed support for TLS 1.3 drafts?!?

Are you getting SSL handshake timeouts since last night? Well, you are in the same boat as me! Cloudflare seems to have removed its TLS 1.3 draft 13 and draft 18 support.

Unfortunately not all OSes ship full OpenSSL 1.1.1 support yet, nor, in my case, an Nginx built against it. The trick is to recompile both and start your engines again... but heck, it was my birthday... Guess my readers wouldn't mind every other request getting blocked since 3 AM. Anyway, disabling TLSv1.3 works as well, of course!

Quick Solution

Add the Nginx repo (/etc/apt/sources.list.d/nginx.list)

deb http://nginx.org/packages/debian/ stretch nginx
deb-src http://nginx.org/packages/debian/ stretch nginx

You might, like me, run into dh-systemd being missing:

apt-get install dh-systemd

Add the sid/unstable repo to /etc/apt/sources.list

deb http://deb.debian.org/debian unstable main

Then make sure you have a clean working location...

mkdir /usr/local/src -p && cd /usr/local/src
curl -O https://nginx.org/keys/nginx_signing.key && apt-key add ./nginx_signing.key
apt-get update
apt-get install openssl libssl-dev -t unstable -y
apt-get source nginx
tar xf nginx*.gz
cd nginx-*
tar xf ../nginx*.xz

Now we most likely need a quick and dirty workaround: tell dpkg-shlibdeps to ignore missing shared-library (shlibs) dependency info for the nginx_dbg package, since the packages from unstable are missing it. Edit the debian/rules file and change the dh_shlibdeps line to:

dh_shlibdeps -a --dpkg-shlibdeps-params=--ignore-missing-info

Aaaand continue

debuild -uc -us
cd ..
dpkg -i nginx_*.deb

Clean up and don't forget to pin the package(s)!

Package: nginx*
Pin: release *
Pin-Priority: -1
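Before trusting the rebuilt package, it is worth checking two things: that the installed nginx really links against OpenSSL 1.1.1 or newer (the `nginx -V` output further down shows the line to look for), and that a TLS 1.3 handshake actually completes against your site. The script below is an added example and not part of the original post; it assumes `nginx` and an `openssl` 1.1.1+ binary are on PATH, and the host name you pass to `check_live_host` is a placeholder you supply.

```shell
#!/bin/sh
# Added example, not part of the original post: after installing the rebuilt
# nginx package, confirm it links against OpenSSL >= 1.1.1 and that a
# TLS 1.3 handshake completes. Assumes `nginx` and `openssl` (1.1.1+) are on
# PATH; the host name passed to check_live_host is a placeholder you supply.

# Read `nginx -V 2>&1` output on stdin and print the OpenSSL version it was
# built with (e.g. "1.1.1"), or nothing if the line is absent.
nginx_openssl_version() {
    sed -n 's/^built with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1
}

# Return 0 when the version string is 1.1.1 or newer (the first OpenSSL
# release with final TLS 1.3), else 1.
openssl_supports_tls13() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -s -d. -f1)
    minor=$(printf '%s' "$ver" | cut -s -d. -f2)
    # strip the letter suffix OpenSSL 1.x used, e.g. "0j" -> "0"
    patch=$(printf '%s' "$ver" | cut -s -d. -f3 | sed 's/[^0-9].*//')
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ]; then return 0; fi
    return 1
}

# Read `openssl s_client` output on stdin and print the negotiated protocol
# from the SSL-Session block (e.g. "TLSv1.3"), or nothing if no session was
# established, which is what a handshake timeout looks like.
negotiated_protocol() {
    sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1
}

# Force a TLS 1.3-only handshake against HOST:443 and report the result.
# Exit status 0 means TLSv1.3 was negotiated.
check_live_host() {
    host="$1"
    proto=$(printf '' | openssl s_client -connect "$host:443" -servername "$host" \
        -tls1_3 2>/dev/null | negotiated_protocol)
    echo "$host: negotiated ${proto:-nothing}"
    [ "$proto" = "TLSv1.3" ]
}

# Usage: sh tls13_check.sh example.com   (host is a placeholder)
if [ -n "${1-}" ]; then
    v=$(nginx -V 2>&1 | nginx_openssl_version)
    if openssl_supports_tls13 "$v"; then
        echo "nginx built with OpenSSL $v: TLS 1.3 capable"
    else
        echo "nginx built with OpenSSL ${v:-unknown}: rebuild needed"
    fi
    check_live_host "$1"
fi
```

If `check_live_host` reports "negotiated nothing" while `nginx -V` shows OpenSSL 1.1.1, the problem is on the path between the client and nginx (Cloudflare's edge, in this post's case) rather than in the local build.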

Trace logs - rambling from the bus incoming! (read: let's do some on-the-bus debugging...)

Debian SID/Unstable to the Rescue! (or so I thought)

Add the sid/unstable repo to /etc/apt/sources.list

deb http://deb.debian.org/debian experimental main
deb http://deb.debian.org/debian unstable main
apt-get update && apt-get install openssl -t unstable

That should install OpenSSL 1.1.1:

angelique@dawnbringer:/etc/letsencrypt/live$ openssl version
OpenSSL 1.1.1  11 Sep 2018

Restart nginx of course just to be on the safe side!

And nope! It doesn't stay stable... Still drops!

Let's rebuild nginx...

Add the Nginx repo (/etc/apt/sources.list.d/nginx.list)

deb http://nginx.org/packages/debian/ stretch nginx
deb-src http://nginx.org/packages/debian/ stretch nginx

apt-get install dh-systemd

Packages are missing some info... it is unstable, of course. Don't remember if this works, otherwise let's update the build script... #nope, it didn't... so in debian/rules:

dh_shlibdeps -a --dpkg-shlibdeps-params=--ignore-missing-info

Don't forget to pin package

Package: nginx*
Pin: release *
Pin-Priority: -1

angelique@dawnbringer:/usr/local/src$ nginx -V
nginx version: nginx/1.15.3
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/usr/local/src/nginx-1.15.3=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

One step further... seems to run... let's see if the latest version works with Cloudflare...

Re-enabled config 07:54, time to go to work (Scania)

07:56 So far no issues! Rebuilding nginx from source and OpenSSL from sid seems to work!

Will clean up later. For all those that have issues... just update OpenSSL and rebuild nginx.

Author: Angelique Dawnbringer Published: 2018-09-20 06:27:07 Keywords:
  • Common courtesy
  • Cloudflare
  • TLSv1.3
  • OpenSSL1.1.1
  • Nginx
Modified: 2018-09-20 08:12:37