Dear Maintainer,

nginx-snippets contains TLS configuration snippets based on the Mozilla
TLS generator. However, while the version of NGINX present in Trixie
supports post-quantum cryptography (X25519MLKEM768), these
configuration snippets disable it with this line:

    ssl_ecdh_curve X25519:prime256v1:secp384r1;

This configuration reduces the security of the TLS configuration and
makes the hosted applications/sites vulnerable to a potential "Harvest
Now Decrypt Later" attack.

The version in testing/unstable is not affected as it uses:

    ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;

Regards,
Gabriel
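
The check described in the report above, written as an added example (not part of the original message or of the nginx-snippets package): it scans NGINX configuration text for ssl_ecdh_curve directives and reports whether each one lists the hybrid group X25519MLKEM768. The function name, the status labels and the sample text are assumptions made for illustration, and the parser assumes each directive sits on a single line.

```python
# Added example: audit ssl_ecdh_curve directives for the hybrid group
# named in the report. Names and sample input are constructed.

PQ_HYBRID_GROUPS = {"X25519MLKEM768"}  # group named in the report

# Constructed sample using the two directive values quoted in the report.
SAMPLE = """\
# TLS snippet (constructed sample)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;
"""


def audit_ecdh_curves(conf_text):
    """Return (line_no, groups, status) for every ssl_ecdh_curve directive.

    status is "pq-hybrid" when a hybrid group is listed, "classical-only"
    when none is, and "malformed" when the directive does not have exactly
    one colon-separated argument.
    """
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        for stmt in line.split(";"):         # several directives per line
            tokens = stmt.split()
            if not tokens or tokens[0] != "ssl_ecdh_curve":
                continue
            args = tokens[1:]
            if len(args) != 1:
                findings.append((line_no, args, "malformed"))
                continue
            groups = args[0].split(":")
            if PQ_HYBRID_GROUPS & set(groups):
                status = "pq-hybrid"
            else:
                status = "classical-only"
            findings.append((line_no, groups, status))
    return findings


if __name__ == "__main__":
    for line_no, groups, status in audit_ecdh_curves(SAMPLE):
        print(f"line {line_no}: {status}: {':'.join(groups)}")
```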