Latest commit: Hakase d388292c82 Update README.md (4 days ago)

| File | Last commit | Age |
|---|---|---|
| LICENSE | Update LICENSE | 6 months ago |
| README.md | Update README.md | 4 days ago |
| nginx_hpack_push.patch | Some sources were missing. | 6 months ago |
| nginx_hpack_push_1.15.3.patch | Push patch compatibility in nginx 1.15.3 | 3 months ago |
| nginx_hpack_push_fix.patch | Some sources were missing. | 6 months ago |
| nginx_hpack_remove_server_header_1.15.3.patch | Add HPACK & Remove nginx server header. | 3 months ago |
| nginx_openssl-1.1.x_renegotiation_bugfix.patch | nginx segfault bugfix - https://trac.nginx.org/nginx/ticket/1646 | 2 months ago |
| nginx_strict-sni.patch | Fix strict-sni bug. | 2 months ago |
| openssl-1.1.1a-chacha_draft.patch | Removing OpenSSL-1.1.1 patch files and patch OpenSSL-1.1.1a files. | 1 week ago |
| openssl-1.1.1a-tls13_draft.patch | Removing OpenSSL-1.1.1 patch files and patch OpenSSL-1.1.1a files. | 1 week ago |
| openssl-1.1.1a-tls13_nginx_config.patch | Removing OpenSSL-1.1.1 patch files and patch OpenSSL-1.1.1a files. | 1 week ago |
| openssl-3.0.0-dev-chacha_draft.patch | Latest update (1.1.2 -> 3.0.0) | 5 days ago |
| openssl-3.0.0-dev_version_error.patch | Add patch. | 5 days ago |
| openssl-equal-1.1.1a.patch | Removing OpenSSL-1.1.1 patch files and patch OpenSSL-1.1.1a files. | 1 week ago |
| openssl-equal-1.1.1a_ciphers.patch | Removing OpenSSL-1.1.1 patch files and patch OpenSSL-1.1.1a files. | 1 week ago |
| openssl-equal-3.0.0-dev.patch | Latest update (1.1.2 -> 3.0.0) | 5 days ago |
| openssl-equal-3.0.0-dev_ciphers.patch | Latest update (1.1.2 -> 3.0.0) | 5 days ago |
| remove_nginx_server_header.patch | Add remove server header, Update README.md | 5 months ago |

README.md

openssl-patch

OpenSSL Patch

This is not an official OpenSSL patch. Problems can arise, and using it is your own responsibility.

Original Sources

Information

Support TLS 1.3 draft 28 browsers - Chrome Canary, Firefox Nightly

Displays TLSv1.3 support for large sites.

Default support is in bold type.

Compatible OpenSSL-3.0.0-dev (OpenSSL, 23063 commits)

Patch files

The equal preference patch (openssl-equal-x) already includes the tls13_draft patch and the tls13_nginx_config patch (_ciphers file only). Therefore, you do not need to apply them together.

The OpenSSL 1.1.0h patch can be found here.

Here is the basic patch content.

  • Support TLS 1.3 draft 23 + 26 + 28 + final
    • Server: draft 23 + 26 + 28 + final
    • Client: draft 23 + 26 + 27 + 28 + final
  • BoringSSL’s Equal Preference Patch
  • Weak 3DES and ciphers that do not use ECDHE are not used in TLSv1.1 or later.
| Patch file name | Patch list |
|---|---|
| openssl-1.1.1a-tls13_draft.patch | Only for TLS 1.3 draft 23, 26, 28, final support patch. |
| openssl-equal-1.1.1a.patch, openssl-equal-3.0.0-dev.patch | Support final (TLS 1.3); the TLS 1.3 cipher settings can not be changed in nginx. |
| openssl-equal-1.1.1a_ciphers.patch, openssl-equal-3.0.0-dev_ciphers.patch | Support final (TLS 1.3); the TLS 1.3 cipher settings can be changed in nginx. |
| openssl-1.1.1a-chacha_draft.patch, openssl-3.0.0-dev-chacha_draft.patch | A draft version of chacha20-poly1305 is available. View issue |
| openssl-1.1.1a-tls13_draft.patch | Enable TLS 1.3 draft 23, 26, 28, final. |
| openssl-1.1.1a-tls13_nginx_config.patch | You can set the TLS 1.3 ciphers in nginx, e.g. TLS13+AESGCM+AES128 |
| openssl-3.0.0-dev_version_error.patch | TEST. A way to fix nginx when the build fails with `Error: missing binary operator before token "("`. Maybe patched upstream: https://github.com/openssl/openssl/pull/7839 ; Patched: https://github.com/openssl/openssl/commit/5d609f22d28615c45685d9da871d432e9cb81127 |

The “_ciphers” patch file is a temporary change to the TLS 1.3 configuration.

Examples of setting the TLS 1.3 ciphers in nginx:

| Example | Ciphers |
|---|---|
| Short cipher names | TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20 |
| Full cipher names | TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 |
| TLS 1.3 + 1.2 ciphers | TLS13+AESGCM+AES128:EECDH+AES128 |

Non-OpenSSL patch files (nginx)

| Patch file name | Patch list |
|---|---|
| nginx_hpack_push.patch | Applies both the HPACK patch and the PUSH ERROR fix. |
| nginx_hpack_push_fix.patch | Applies only the PUSH ERROR fix of the HPACK patch (if the HPACK patch has already been applied). |
| remove_nginx_server_header.patch | Remove the nginx server header. (http2, http1.1) |
| nginx_hpack_remove_server_header_1.15.3.patch | HPACK + remove the nginx server header. (http2, http1.1) |
| nginx_strict-sni.patch | Enable Strict-SNI. Thanks @JemmyLoveJenny. View issue |
| nginx_openssl-1.1.x_renegotiation_bugfix.patch | Bugfix for Secure Client-Initiated Renegotiation (check with testssl.sh). OpenSSL >= 1.1.x, nginx = 1.15.4. Patched in nginx 1.15.5. |

How To Use?

OpenSSL Patch

git clone https://github.com/openssl/openssl.git
git clone https://github.com/hakasenyang/openssl-patch.git
cd openssl
patch -p1 < ../openssl-patch/openssl-equal-3.0.0-dev_ciphers.patch

Then either point nginx at the patched tree with --with-openssl, or build OpenSSL itself after running ./config.

OpenSSL CHACHA20-POLY1305-OLD Patch

Thanks @JemmyLoveJenny!

View issue / Original Source

git clone https://github.com/openssl/openssl.git
git clone https://github.com/hakasenyang/openssl-patch.git
cd openssl
patch -p1 < ../openssl-patch/openssl-1.1.1a-chacha_draft.patch

nginx HPACK Patch

Run it from the nginx directory.

If you have already applied the PUSH patch, use the following.

curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_fix.patch | patch -p1

If you have not applied the PUSH patch, use the following.

curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push.patch | patch -p1

And then check the nginx configuration below.

nginx Remove Server Header Patch

Run it from the nginx directory.

curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/remove_nginx_server_header.patch | patch -p1

nginx strict-sni patch

Run it from the nginx directory.

curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_strict-sni.patch | patch -p1

The conditions for using strict SNI are listed below. View issue.

  • How to use nginx strict-sni?
    • ONLY USE IN http { }
    • strict_sni: nginx strict-sni ON/OFF toggle option.
    • strict_sni_header: use if you do not want to respond to invalid headers (only together with strict_sni).
    • Strict SNI requires at least two ssl server blocks, one of which may be a dummy (server { listen 443 ssl }).
    • It does not matter which certificate they use, or whether it is a duplicate.

Thanks @JemmyLoveJenny, @NewBugger!

nginx OpenSSL-1.1.x Renegotiation Bugfix

This is already fixed in nginx >= 1.15.4.

Run it from the nginx directory.

curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_openssl-1.1.x_renegotiation_bugfix.patch | patch -p1
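The `curl ... | patch -p1` steps above (the OpenSSL patch and the HPACK, server header, strict-sni and renegotiation patches) write whatever the network returns straight into the source tree. As an added example that is not part of the openssl-patch project, the Python script below saves the patch to a file, compares it against a SHA-256 digest pinned after the patch was reviewed, and runs `patch --dry-run` before applying, so a tampered download or a patch that no longer matches the tree is rejected before anything changes. The pinned digest is a placeholder, and the one-file source tree and patch used by `run_demo()` are constructed for the demonstration; GNU patch(1) must be on PATH.

```python
"""Fetch, pin and dry-run a patch before it touches the source tree.

Added example, not part of the openssl-patch project. The README's
`curl ... | patch -p1` one-liners apply unreviewed network content directly.
This flow saves the patch, checks a pinned SHA-256 and dry-runs patch(1).
"""
import hashlib
import shutil
import subprocess
import tempfile
import urllib.request
from pathlib import Path

PATCH_BIN = shutil.which("patch")  # GNU patch(1); None if it is not installed

# Placeholder only: record the digest of the patch file you actually reviewed.
EXPECTED_SHA256 = "<sha256 of the reviewed patch file>"


def fetch(url, dest):
    """Download url to dest (a Path) instead of piping it into patch."""
    with urllib.request.urlopen(url, timeout=30) as resp, open(dest, "wb") as out:
        shutil.copyfileobj(resp, out)
    return dest


def sha256_hex(data):
    """Hex SHA-256 of a bytes object."""
    return hashlib.sha256(data).hexdigest()


def verify_and_apply(patch_file, expected_sha256, source_dir, strip=1):
    """Apply patch_file to source_dir only if the digest matches and a dry run succeeds.

    Returns 'applied'. Raises ValueError on a digest mismatch and RuntimeError
    if patch(1) is missing or the dry run reports rejects, so the tree is never
    left half-patched.
    """
    data = Path(patch_file).read_bytes()
    actual = sha256_hex(data)
    if actual != expected_sha256.lower():
        raise ValueError(f"patch digest mismatch: expected {expected_sha256}, got {actual}")
    if PATCH_BIN is None:
        raise RuntimeError("patch(1) not found on PATH")
    # --batch: never prompt; -d: run inside the source tree; patch text comes via stdin.
    cmd = [PATCH_BIN, "--batch", f"-p{strip}", "-d", str(source_dir)]
    dry = subprocess.run(cmd + ["--dry-run"], input=data, capture_output=True)
    if dry.returncode != 0:
        output = (dry.stdout + dry.stderr).decode(errors="replace")
        raise RuntimeError("patch would not apply cleanly:\n" + output)
    subprocess.run(cmd, input=data, capture_output=True, check=True)
    return "applied"


# Constructed fixture for the self-test: a one-file tree and a unified diff for it.
SAMPLE_SOURCE = "hello\n"
SAMPLE_PATCH = (
    "--- a/hello.txt\n"
    "+++ b/hello.txt\n"
    "@@ -1 +1 @@\n"
    "-hello\n"
    "+hello, world\n"
)


def run_demo():
    """Run the flow on the constructed fixture and return what happened."""
    if PATCH_BIN is None:
        return {"status": "patch-unavailable"}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        src.mkdir()
        (src / "hello.txt").write_text(SAMPLE_SOURCE)
        patch_file = tmp / "fix.patch"
        patch_file.write_text(SAMPLE_PATCH)

        # 1. A wrong pin (tampered download or stale pin) must stop before patch(1) runs.
        try:
            verify_and_apply(patch_file, "0" * 64, src)
            tamper_detected = False
        except ValueError:
            tamper_detected = True

        # 2. The correct pin dry-runs and then applies the patch.
        status = verify_and_apply(patch_file, sha256_hex(SAMPLE_PATCH.encode()), src)
        return {
            "status": status,
            "tamper_detected": tamper_detected,
            "content": (src / "hello.txt").read_text(),
        }


if __name__ == "__main__":
    # Real use: fetch(url, Path("x.patch")) then verify_and_apply("x.patch", EXPECTED_SHA256, "nginx-src")
    print(run_demo())
```

To use it against a real tree, call `fetch()` with the raw patch URL, read the saved file once, record its digest as `EXPECTED_SHA256`, and only then run `verify_and_apply()` from the nginx or OpenSSL directory; rebuilding from a clean checkout after a failed dry run is cheaper than untangling rejects.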

nginx Configuration

HPACK Patch

Add the configure argument --with-http_v2_hpack_enc

SSL Setting

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers [Copy it from below and paste it here.];
ssl_ecdh_curve X25519:P-256:P-384;
ssl_prefer_server_ciphers on;

OpenSSL-1.1.1a, 3.0.0-dev ciphers (draft 23, 26, 28, final)

[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES

OpenSSL-1.1.1a_ciphers, 3.0.0-dev_ciphers ciphers (draft 23, 26, 28, final)

[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
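The bracketed `[A|B]` groups in the two ssl_ciphers strings above come from the BoringSSL equal preference patch listed under "Patch files": ciphers inside a group rank equally on the server, and the client's order decides between them. As an added example, not code from the openssl-patch project, the Python below parses that syntax, simulates the choice a server with ssl_prefer_server_ciphers on makes for a grouped versus a flat list (so a client without AES hardware gets ChaCha20 while AES-capable clients still get AES-GCM), and lists the entries of the README string that offer no forward secrecy. The client cipher orders are constructed for the demonstration; the README string is copied from the page.

```python
"""Equal-preference cipher strings as used by the openssl-equal-* patches.

Added example, not part of the openssl-patch project: parses the '[A|B]'
group syntax from the README's ssl_ciphers strings and simulates server-side
selection. Client offers below are constructed for the demonstration.
"""

# The _ciphers string for OpenSSL-1.1.1a / 3.0.0-dev, copied from the README.
README_CIPHERS = (
    "[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:"
    "[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:"
    "EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:"
    "[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:"
    "EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES"
)


def parse_equal_preference(cipher_string):
    """Split 'A:[B|C]:D' into ordered groups: [['A'], ['B', 'C'], ['D']].

    A bracketed group holds ciphers of equal server preference; a bare token is
    a group of one. Unbalanced brackets or a stray '|' raise ValueError so a
    typo in ssl_ciphers is caught before the string reaches the server.
    """
    groups = []
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token:
            continue
        if token.startswith("[") and token.endswith("]"):
            members = [m.strip() for m in token[1:-1].split("|") if m.strip()]
            if not members:
                raise ValueError(f"empty equal-preference group: {token}")
            groups.append(members)
        elif any(ch in token for ch in "[]|"):
            raise ValueError(f"malformed equal-preference group: {token}")
        else:
            groups.append([token])
    return groups


def select_cipher(server_groups, client_offer):
    """Cipher a server that prefers its own order picks under the equal-preference rule.

    The server walks its groups in order and stops at the first group containing
    anything the client offered; inside that group the tie goes to whichever
    member the client listed first.
    """
    client_rank = {name: i for i, name in enumerate(client_offer)}
    for group in server_groups:
        common = [name for name in group if name in client_rank]
        if common:
            return min(common, key=client_rank.__getitem__)
    return None  # no overlap: the handshake would fail


def without_forward_secrecy(server_groups):
    """Configured tokens that use neither ECDHE (EECDH) nor TLS 1.3 (TLS13).

    Per the README these are not offered for TLSv1.1 or later, so this is what
    remains reachable only by TLS 1.0 clients; review it when tightening policy.
    """
    return [
        name
        for group in server_groups
        for name in group
        if not (name.startswith("EECDH") or name.startswith("TLS13"))
    ]


# Demonstration with the IANA TLS 1.3 suite names from the README's "Full cipher names" row.
GROUPED = "[TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256]"
STRICT = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

# Constructed client orders: a device without AES hardware lists ChaCha20 first.
MOBILE_CLIENT = ["TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]
DESKTOP_CLIENT = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"]


def demo():
    """What each client negotiates under the grouped list versus the strict list."""
    grouped = parse_equal_preference(GROUPED)
    strict = parse_equal_preference(STRICT)
    return {
        "grouped_mobile": select_cipher(grouped, MOBILE_CLIENT),
        "grouped_desktop": select_cipher(grouped, DESKTOP_CLIENT),
        "strict_mobile": select_cipher(strict, MOBILE_CLIENT),
        "strict_desktop": select_cipher(strict, DESKTOP_CLIENT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} -> {value}")
    groups = parse_equal_preference(README_CIPHERS)
    print(f"README string: {len(groups)} preference groups; first group = {groups[0]}")
    print("no forward secrecy:", without_forward_secrecy(groups))
```

The strict list hands AES-128-GCM to every client, while the grouped list lets the ChaCha20-first client take ChaCha20 without letting any client talk the server into a cipher it ranks lower than the whole group; that is the property the equal preference patch adds on top of ssl_prefer_server_ciphers on.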