
openssl-1.1.1a-tls13_nginx_config.patch 2.9KB

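diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 866ca4dfa9..4654becf1d 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -31,7 +31,25 @@ const unsigned char tls12downgrade[] = {
 };
 /* The list of available TLSv1.3 ciphers */
+/* Since nginx can not set the TLS 1.3 cipher, remove it temporarily. */
 static SSL_CIPHER tls13_ciphers[] = {
+ {
+ 0,
+ }
+};
+
+/*
+ * The list of available ciphers, mostly organized into the following
+ * groups:
+ * Always there
+ * EC
+ * PSK
+ * SRP (within that: RSA EC PSK)
+ * Cipher families: Chacha/poly, Camellia, Gost, IDEA, SEED
+ * Weak ciphers
+ */
+static SSL_CIPHER ssl3_ciphers[] = {
+ /* TLSv1.3 ciphers */
 {
 1,
 TLS1_3_RFC_AES_128_GCM_SHA256,
@@ -111,20 +129,8 @@ static SSL_CIPHER tls13_ciphers[] = {
 SSL_HANDSHAKE_MAC_SHA256,
 128,
 128,
- }
-};
-
-/*
- * The list of available ciphers, mostly organized into the following
- * groups:
- * Always there
- * EC
- * PSK
- * SRP (within that: RSA EC PSK)
- * Cipher families: Chacha/poly, Camellia, Gost, IDEA, SEED
- * Weak ciphers
- */
-static SSL_CIPHER ssl3_ciphers[] = {
+ },
+ /* List of cipher below TLSv1.3 */
 {
 1,
 SSL3_TXT_RSA_NULL_MD5,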
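Review bot: The placeholder `{ 0, }` left in `tls13_ciphers` (first hunk) is a zero-filled SSL_CIPHER with `valid == 0` and NULL `name`/`stdname`, so any lookup that walks this table by its element count and compares names without a NULL check would dereference NULL; unless every such walker (not visible here) already skips `valid == 0` entries, that guard needs confirming before this is merged. The one-line comment above the placeholder should say what actually happened rather than "remove it temporarily": `/* Placeholder only (valid = 0, never matched): the TLS 1.3 suites now live in ssl3_ciphers so the cipher-list string controls them. */`. Because the TLS 1.3 entries are now part of `ssl3_ciphers` (second hunk), they presumably fall under the legacy cipher-list rules, so a configuration that enumerates TLS 1.2 suites explicitly will silently lose TLS 1.3 instead of keeping the 1.1.1 default ciphersuites — worth stating in a comment next to the `/* TLSv1.3 ciphers */` marker so operators know the string must include them. The `ssl3_ciphers` table continues beyond this hunk.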
  53. diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
  54. index 14066d0ea4..458b67f383 100644
  55. --- a/ssl/ssl_ciph.c
  56. +++ b/ssl/ssl_ciph.c
  57. @@ -294,6 +294,7 @@ static const SSL_CIPHER cipher_aliases[] = {
  58. {0, SSL_TXT_TLSV1, NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
  59. {0, "TLSv1.0", NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
  60. {0, SSL_TXT_TLSV1_2, NULL, 0, 0, 0, 0, 0, TLS1_2_VERSION},
  61. + {0, "TLS13", NULL, 0, 0, 0, 0, 0, TLS1_3_VERSION},
  62. /* strength classes */
  63. {0, SSL_TXT_LOW, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW},
  64. @@ -1538,6 +1539,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  65. ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0,
  66. CIPHER_BUMP, -1, &head, &tail);
  67. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_3_VERSION, 0, CIPHER_BUMP, -1,
  68. + &head, &tail);
  69. +
  70. /* Now disable everything (maintaining the ordering!) */
  71. ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
  72. @@ -1594,15 +1598,6 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  73. return NULL;
  74. }
  75. - /* Add TLSv1.3 ciphers first - we always prefer those if possible */
  76. - for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
  77. - if (!sk_SSL_CIPHER_push(cipherstack,
  78. - sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
  79. - sk_SSL_CIPHER_free(cipherstack);
  80. - return NULL;
  81. - }
  82. - }
  83. -
  84. /*
  85. * The cipher selection for the list is done. The ciphers are added
  86. * to the resulting precedence to the STACK_OF(SSL_CIPHER).