openssl-patch/README.md

# openssl-patch

## OpenSSL Equal Preference Patch

### This file is not an official OpenSSL patch. Problems can arise and this is your responsibility.

## Original Sources
- [OpenSSL Equal Preference Patch](https://boringssl.googlesource.com/boringssl/+/858a88daf27975f67d9f63e18f95645be2886bfb%5E%21) by [BoringSSL](https://github.com/google/boringssl) & [buik](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1)
- [HPACK Patch](https://github.com/cloudflare/sslconfig/blob/master/patches/nginx_1.13.1_http2_hpack.patch) by [Cloudflare](https://github.com/cloudflare/sslconfig)
- [nginx Strict-SNI Patch](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-421551872) by [@JemmyLoveJenny](https://github.com/JemmyLoveJenny)
- [OpenSSL OLD-CHACHA20-POLY1305](https://github.com/JemmyLoveJenny/ngx_ossl_patches) by [@JemmyLoveJenny](https://github.com/JemmyLoveJenny)

## Information

- [Test Page - (TLS 1.3 draft 23, 26, 28, final)](https://ssl.hakase.io/)
- [SSL Test Result - testssl.sh](https://ssl.hakase.io/ssltest/hakase.io.html)
- [SSL Test Result - dev.ssllabs.com](https://dev.ssllabs.com/ssltest/analyze.html?d=hakase.io)
- **If you link site to a browser that supports draft 23 or 26 or 28 or final, you'll see a TLS 1.3 message.**

**Support TLS 1.3 draft 28 browsers - _Chrome Canary, Firefox Nightly_**

Displays TLSv1.3 support for large sites.

Default support is in bold type.
- [Baidu(China)](https://baidu.cn/) : **TLSv1.2**
- [Naver(Korea)](https://naver.com/) : **TLSv1.2**
- [Twitter](https://twitter.com/) : **TLSv1.2**
- [**My Site**](https://hakase.io/) : _TLSv1.3_ draft 23, 26, 28, **final**
- [Facebook](https://facebook.com/) : _TLSv1.3_ draft 23, 26, 28, **final**
- [Cloudflare](https://cloudflare.com/) : _TLSv1.3_ draft 23, 28, **final**
- [Google(Gmail)](https://gmail.com/) : _TLSv1.3_ draft 23, 28, **final**
- [NSS TLS 1.3(Mozilla)](https://tls13.crypto.mozilla.org/) : _TLSv1.3_ **final**

[Compatible OpenSSL-3.0.0-dev (OpenSSL, 23063 commits)](https://github.com/openssl/openssl/tree/3a63dbef15b62b121c5df8762f8cb915fb06b27a)

## Patch files

You can find the _OpenSSL 1.1.0h_ patch is [here.](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1/OpenSSL1.1h-equal-preference-cipher-groups.patch)

Here is the basic patch content.
- Support TLS 1.3 draft 23 + 26 + 28 + final
    - Server: draft 23 + 26 + 28 + final
    - Client: draft 23 + 26 + 27 + 28 + final
- BoringSSL's Equal Preference Patch
- Weak 3DES and not using ECDHE ciphers is not used in TLSv1.1 or later.

| Patch file name | Patch list |
| :--- | :--- |
| openssl-1.1.1a-tls13_draft.patch | Only for TLS 1.3 draft 23, 26, 28, final support patch. |
| openssl-equal-1.1.1a.patch<br>openssl-equal-3.0.0-dev.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
| openssl-equal-1.1.1a_ciphers.patch<br>openssl-equal-3.0.0-dev_ciphers.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
| openssl-1.1.1a-chacha_draft.patch<br>openssl-3.0.0-dev-chacha_draft.patch | A draft version of chacha20-poly1305 is available. [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427554824) |
| openssl-1.1.1a-tls13_draft.patch | Enable TLS 1.3 draft 23, 26, 28, final. |
| openssl-1.1.1a-tls13_nginx_config.patch | You can set TLS 1.3 ciphere in nginx. ex) TLS13+AESGCM+AES128 |
| openssl-3.0.0-dev_version_error.patch | **TEST** This is a way to fix nginx when the following errors occur during the build:<br>Error: missing binary operator before token "("<br>Maybe patched: [https://github.com/openssl/openssl/pull/7839](https://github.com/openssl/openssl/pull/7839) |

**The "_ciphers" patch file is a temporary change to the TLS 1.3 configuration.**

Example of setting TLS 1.3 cipher in nginx:

| Example | Ciphers |
| :--- | :--- |
| Short Cipher |  TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20 |
| Fullname Cipher | TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 |
| TLS 1.3 + 1.2 ciphers | TLS13+AESGCM+AES128:EECDH+AES128 |

## Not OpenSSL patch files

| Patch file name | Patch list |
| :--- | :--- |
| nginx_hpack_push.patch | _Patch both_ the HPACK patch and the **PUSH ERROR**. |
| nginx_hpack_push_fix.patch | _Patch only_ the **PUSH ERROR** of the hpack patch. (If the HPACK patch has already been completed) |
| remove_nginx_server_header.patch | Remove nginx server header. (http2, http1.1) |
| nginx_hpack_remove_server_header_1.15.3.patch | HPACK + Remove nginx server header. (http2, http1.1) |
| nginx_strict-sni.patch | Enable **Strict-SNI**. Thanks [@JemmyLoveJenny](https://github.com/JemmyLoveJenny). [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-421551872) |
| nginx_openssl-1.1.x_renegotiation_bugfix.patch | Bugfix **Secure Client-Initiated Renegotiation**. (Check testssl.sh) OpenSSL >= 1.1.x, nginx = 1.15.4<br>[Patched nginx 1.15.5](https://github.com/nginx/nginx/commit/53803b4780be15d8014be183d4161091fd5f3376) |

## How To Use?

### OpenSSL Patch

```
git clone https://github.com/openssl/openssl.git
git clone https://github.com/hakasenyang/openssl-patch.git
cd openssl
patch -p1 < ../openssl-patch/openssl-equal-3.0.0-dev_ciphers.patch
```

And then use --with-openssl in nginx or build after ./config.

### OpenSSL CHACHA20-POLY1305-OLD Patch

Thanks [@JemmyLoveJenny](https://github.com/JemmyLoveJenny)!

[View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427554824) / [Original Source](https://github.com/JemmyLoveJenny/ngx_ossl_patches/blob/master/ossl_enable_chacha20-poly1305-draft.patch)

```
git clone https://github.com/openssl/openssl.git
git clone https://github.com/hakasenyang/openssl-patch.git
cd openssl
patch -p1 < ../openssl-patch/openssl-1.1.1a-chacha_draft.patch
```

### nginx HPACK Patch

Run it from the nginx directory.

If you **have a** PUSH patch, use it as follows.

``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_fix.patch | patch -p1 ``

If you **did not** patch PUSH, use it as follows.

``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push.patch | patch -p1``

And then check the nginx configuration below.

### nginx Remove Server Header Patch

Run it from the nginx directory.

``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/remove_nginx_server_header.patch | patch -p1``

### nginx strict-sni patch

Run it from the nginx directory.

``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_strict-sni.patch | patch -p1``

This is a condition for using strict sni. [View issue.](https://github.com/hakasenyang/openssl-patch/issues/7#issuecomment-427664716)

- How to use nginx strict-sni?
    - **ONLY USE IN http { }**
    - strict_sni : nginx strict-sni ON/OFF toggle option.
    - strict_sni_header : if you do not want to respond to invalid headers. (**only with strict_sni**)
    - Strict SNI requires at least two ssl server (fake) settings (server { listen 443 ssl }).
    - It does not matter what kind of certificate or duplicate.

Thanks [@JemmyLoveJenny](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319), [@NewBugger](https://github.com/hakasenyang/openssl-patch/issues/7#issuecomment-427831677)!

### nginx OpenSSL-1.1.x Renegotiation Bugfix

It has already been patched by nginx >= 1.15.4.

Run it from the nginx directory.

``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_openssl-1.1.x_renegotiation_bugfix.patch | patch -p1``

## nginx Configuration

### HPACK Patch

Add configure arguments : ``--with-http_v2_hpack_enc``

### SSL Setting
```
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers [Copy it from below and paste it here.];
ssl_ecdh_curve X25519:P-256:P-384;
ssl_prefer_server_ciphers on;
```

### OpenSSL-1.1.1a, 3.0.0-dev ciphers (draft 23, 26, 28, final)
```
[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
```

### OpenSSL-1.1.1a_ciphers, 3.0.0-dev_ciphers ciphers (draft 23, 26, 28, final)
```
[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
```
Create README.md 2018-04-07 08:19:17 +00:00			`# openssl-patch`

Update README.md 2018-04-22 21:27:43 +00:00			`## OpenSSL Equal Preference Patch`
Update README.md 2018-04-07 08:43:00 +00:00
Add a description for the files. 2018-06-01 04:26:27 +00:00			`### This file is not an official OpenSSL patch. Problems can arise and this is your responsibility.`
Fix README.md 2018-05-30 05:45:57 +00:00
Update LICENSE 2018-06-08 17:44:43 +00:00			`## Original Sources`
Fix typo - README.md 2018-06-08 17:45:45 +00:00			`- [OpenSSL Equal Preference Patch](https://boringssl.googlesource.com/boringssl/+/858a88daf27975f67d9f63e18f95645be2886bfb%5E%21) by [BoringSSL](https://github.com/google/boringssl) & [buik](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1)`
Update LICENSE 2018-06-08 17:44:43 +00:00			`- [HPACK Patch](https://github.com/cloudflare/sslconfig/blob/master/patches/nginx_1.13.1_http2_hpack.patch) by [Cloudflare](https://github.com/cloudflare/sslconfig)`
Update README.md 2018-09-15 17:33:44 +00:00			`- [nginx Strict-SNI Patch](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-421551872) by [@JemmyLoveJenny](https://github.com/JemmyLoveJenny)`
Fix typo.. 2018-10-11 06:21:17 +00:00			`- [OpenSSL OLD-CHACHA20-POLY1305](https://github.com/JemmyLoveJenny/ngx_ossl_patches) by [@JemmyLoveJenny](https://github.com/JemmyLoveJenny)`
Update LICENSE 2018-06-08 17:44:43 +00:00
			`## Information`

Update pre9, Support TLS 1.3 final version. 2018-08-15 15:54:52 +00:00			`- [Test Page - (TLS 1.3 draft 23, 26, 28, final)](https://ssl.hakase.io/)`
Add result page : ssllabs 2018-06-04 23:05:55 +00:00			`- [SSL Test Result - testssl.sh](https://ssl.hakase.io/ssltest/hakase.io.html)`
			`- [SSL Test Result - dev.ssllabs.com](https://dev.ssllabs.com/ssltest/analyze.html?d=hakase.io)`
Update pre9, Support TLS 1.3 final version. 2018-08-15 15:54:52 +00:00			`- If you link site to a browser that supports draft 23 or 26 or 28 or final, you'll see a TLS 1.3 message.`
Update README.md 2018-05-27 01:08:18 +00:00
Added support TLS 1.3 draft 28 browsers. 2018-06-01 04:33:35 +00:00			`Support TLS 1.3 draft 28 browsers - _Chrome Canary, Firefox Nightly_`

Update README.md 2018-08-17 04:15:58 +00:00			`Displays TLSv1.3 support for large sites.`
Update README.md 2018-08-17 04:16:44 +00:00
Update README.md 2018-08-17 04:15:58 +00:00			`Default support is in bold type.`
Add link. 2018-08-22 15:13:33 +00:00			`- [Baidu(China)](https://baidu.cn/) : TLSv1.2`
			`- [Naver(Korea)](https://naver.com/) : TLSv1.2`
			`- [Twitter](https://twitter.com/) : TLSv1.2`
			`- [My Site](https://hakase.io/) : _TLSv1.3_ draft 23, 26, 28, final`
			`- [Facebook](https://facebook.com/) : _TLSv1.3_ draft 23, 26, 28, final`
			`- [Cloudflare](https://cloudflare.com/) : _TLSv1.3_ draft 23, 28, final`
Update README.md 2018-10-03 06:39:58 +00:00			`- [Google(Gmail)](https://gmail.com/) : _TLSv1.3_ draft 23, 28, final`
			`- [NSS TLS 1.3(Mozilla)](https://tls13.crypto.mozilla.org/) : _TLSv1.3_ final`
Update README.md 2018-08-17 04:15:58 +00:00
Latest update (1.1.2 -> 3.0.0) 2018-12-06 13:58:50 +00:00			`[Compatible OpenSSL-3.0.0-dev (OpenSSL, 23063 commits)](https://github.com/openssl/openssl/tree/3a63dbef15b62b121c5df8762f8cb915fb06b27a)`
Update README.md 2018-05-09 16:18:49 +00:00
Update files - Remove pre2, pre6 and Update pre7. 2018-06-04 22:48:56 +00:00			`## Patch files`
Add a description for the files. 2018-06-01 04:26:27 +00:00
Move openssl-1.1.0h patch information. 2018-06-08 18:04:08 +00:00			`You can find the _OpenSSL 1.1.0h_ patch is [here.](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1/OpenSSL1.1h-equal-preference-cipher-groups.patch)`

Update README.md 2018-06-01 04:30:38 +00:00			`Here is the basic patch content.`
Remove pre-version patch files. 2018-09-13 03:09:47 +00:00			`- Support TLS 1.3 draft 23 + 26 + 28 + final`
			`- Server: draft 23 + 26 + 28 + final`
			`- Client: draft 23 + 26 + 27 + 28 + final`
Add a description for the files. 2018-06-01 04:26:27 +00:00			`- BoringSSL's Equal Preference Patch`
Update files - Remove pre2, pre6 and Update pre7. 2018-06-04 22:48:56 +00:00			`- Weak 3DES and not using ECDHE ciphers is not used in TLSv1.1 or later.`
Add a description for the files. 2018-06-01 04:26:27 +00:00
			`\| Patch file name \| Patch list \|`
Add the pre2 version again. 2018-06-04 23:03:41 +00:00			`\| :--- \| :--- \|`
Removing OpenSSL-1.1.1 patch files and patch OpenSSL-1.1.1a files. 2018-12-03 10:39:13 +00:00			`\| openssl-1.1.1a-tls13_draft.patch \| Only for TLS 1.3 draft 23, 26, 28, final support patch. \|`
Latest update (1.1.2 -> 3.0.0) 2018-12-06 13:58:50 +00:00			`\| openssl-equal-1.1.1a.patch<br>openssl-equal-3.0.0-dev.patch \| Support final (TLS 1.3), TLS 1.3 cipher settings _can not_ be changed on _nginx_. \|`
			`\| openssl-equal-1.1.1a_ciphers.patch<br>openssl-equal-3.0.0-dev_ciphers.patch \| Support final (TLS 1.3), TLS 1.3 cipher settings _can_ be changed on _nginx_. \|`
			`\| openssl-1.1.1a-chacha_draft.patch<br>openssl-3.0.0-dev-chacha_draft.patch \| A draft version of chacha20-poly1305 is available. [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427554824) \|`
Removing OpenSSL-1.1.1 patch files and patch OpenSSL-1.1.1a files. 2018-12-03 10:39:13 +00:00			`\| openssl-1.1.1a-tls13_draft.patch \| Enable TLS 1.3 draft 23, 26, 28, final. \|`
			`\| openssl-1.1.1a-tls13_nginx_config.patch \| You can set TLS 1.3 ciphere in nginx. ex) TLS13+AESGCM+AES128 \|`
Update README.md 2018-12-06 16:44:19 +00:00			`\| openssl-3.0.0-dev_version_error.patch \| TEST This is a way to fix nginx when the following errors occur during the build:<br>Error: missing binary operator before token "("<br>Maybe patched: [https://github.com/openssl/openssl/pull/7839](https://github.com/openssl/openssl/pull/7839) \|`
Update README.md 2018-10-21 11:52:42 +00:00
Update README.md 2018-06-01 04:30:38 +00:00			`The "_ciphers" patch file is a temporary change to the TLS 1.3 configuration.`

Remove pre-version patch files. 2018-09-13 03:09:47 +00:00			`Example of setting TLS 1.3 cipher in nginx:`
Add a description for the files. 2018-06-01 04:26:27 +00:00
Update README.md 2018-06-24 12:06:20 +00:00			`\| Example \| Ciphers \|`
Improved readability 2018-06-05 12:50:07 +00:00			`\| :--- \| :--- \|`
Update README.md 2018-06-24 12:06:20 +00:00			`\| Short Cipher \| TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20 \|`
			`\| Fullname Cipher \| TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 \|`
			`\| TLS 1.3 + 1.2 ciphers \| TLS13+AESGCM+AES128:EECDH+AES128 \|`
Improved readability 2018-06-05 12:50:07 +00:00
Add remove server header, Update README.md 2018-06-24 14:31:13 +00:00			`## Not OpenSSL patch files`

			`\| Patch file name \| Patch list \|`
			`\| :--- \| :--- \|`
			`\| nginx_hpack_push.patch \| _Patch both_ the HPACK patch and the PUSH ERROR. \|`
			`\| nginx_hpack_push_fix.patch \| _Patch only_ the PUSH ERROR of the hpack patch. (If the HPACK patch has already been completed) \|`
			`\| remove_nginx_server_header.patch \| Remove nginx server header. (http2, http1.1) \|`
Add HPACK & Remove nginx server header. 2018-09-03 09:56:48 +00:00			`\| nginx_hpack_remove_server_header_1.15.3.patch \| HPACK + Remove nginx server header. (http2, http1.1) \|`
Update README.md 2018-09-15 17:33:44 +00:00			`\| nginx_strict-sni.patch \| Enable Strict-SNI. Thanks [@JemmyLoveJenny](https://github.com/JemmyLoveJenny). [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-421551872) \|`
Update README.md 2018-10-03 08:37:08 +00:00			`\| nginx_openssl-1.1.x_renegotiation_bugfix.patch \| Bugfix Secure Client-Initiated Renegotiation. (Check testssl.sh) OpenSSL >= 1.1.x, nginx = 1.15.4<br>[Patched nginx 1.15.5](https://github.com/nginx/nginx/commit/53803b4780be15d8014be183d4161091fd5f3376) \|`
Add remove server header, Update README.md 2018-06-24 14:31:13 +00:00
Update README.md - How to build 2018-06-30 08:08:38 +00:00			`## How To Use?`

			`### OpenSSL Patch`

			```
			`git clone https://github.com/openssl/openssl.git`
			`git clone https://github.com/hakasenyang/openssl-patch.git`
			`cd openssl`
Latest update (1.1.2 -> 3.0.0) 2018-12-06 13:58:50 +00:00			`patch -p1 < ../openssl-patch/openssl-equal-3.0.0-dev_ciphers.patch`
Update README.md - How to build 2018-06-30 08:08:38 +00:00			```

			`And then use --with-openssl in nginx or build after ./config.`

Add support CHACHA20-OLD. Original source by JemmyLoveJenny. Reference : https://github.com/JemmyLoveJenny/ngx_ossl_patches/blob/master/ossl_enable_chacha20-poly1305-draft.patch Issue : https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427554824 2018-10-06 10:48:18 +00:00			`### OpenSSL CHACHA20-POLY1305-OLD Patch`

			`Thanks [@JemmyLoveJenny](https://github.com/JemmyLoveJenny)!`

			`[View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427554824) / [Original Source](https://github.com/JemmyLoveJenny/ngx_ossl_patches/blob/master/ossl_enable_chacha20-poly1305-draft.patch)`

			```
			`git clone https://github.com/openssl/openssl.git`
			`git clone https://github.com/hakasenyang/openssl-patch.git`
			`cd openssl`
Removing OpenSSL-1.1.1 patch files and patch OpenSSL-1.1.1a files. 2018-12-03 10:39:13 +00:00			`patch -p1 < ../openssl-patch/openssl-1.1.1a-chacha_draft.patch`
Add support CHACHA20-OLD. Original source by JemmyLoveJenny. Reference : https://github.com/JemmyLoveJenny/ngx_ossl_patches/blob/master/ossl_enable_chacha20-poly1305-draft.patch Issue : https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427554824 2018-10-06 10:48:18 +00:00			```

Update README.md - How to build 2018-06-30 08:08:38 +00:00			`### nginx HPACK Patch`

			`Run it from the nginx directory.`

			`If you have a PUSH patch, use it as follows.`

			``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_fix.patch \| patch -p1 ``

			`If you did not patch PUSH, use it as follows.`

			``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push.patch \| patch -p1``

			`And then check the nginx configuration below.`

			`### nginx Remove Server Header Patch`

			`Run it from the nginx directory.`

			``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/remove_nginx_server_header.patch \| patch -p1``

Update ignore Strict-SNI log. Add instructions on how to build. 2018-09-15 17:29:55 +00:00			`### nginx strict-sni patch`

			`Run it from the nginx directory.`

			``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_strict-sni.patch \| patch -p1``

Add comment(strict sni) to README.md 2018-10-07 22:55:07 +00:00			`This is a condition for using strict sni. [View issue.](https://github.com/hakasenyang/openssl-patch/issues/7#issuecomment-427664716)`
Add comment(strict sni) to README.md 2018-10-07 22:43:53 +00:00
nginx strict sni - Add option strict_sni and strict_sni_header 2018-10-08 19:41:33 +00:00			`- How to use nginx strict-sni?`
			`- ONLY USE IN http { }`
			`- strict_sni : nginx strict-sni ON/OFF toggle option.`
			`- strict_sni_header : if you do not want to respond to invalid headers. (only with strict_sni)`
			`- Strict SNI requires at least two ssl server (fake) settings (server { listen 443 ssl }).`
			`- It does not matter what kind of certificate or duplicate.`

			`Thanks [@JemmyLoveJenny](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319), [@NewBugger](https://github.com/hakasenyang/openssl-patch/issues/7#issuecomment-427831677)!`
Update ignore Strict-SNI log. Add instructions on how to build. 2018-09-15 17:29:55 +00:00
Revert "Not needed patch" This reverts commit 3709ac20f6e89edab496f546192ce59c33807c62. 2018-10-03 06:38:31 +00:00			`### nginx OpenSSL-1.1.x Renegotiation Bugfix`

Latest update (1.1.2 -> 3.0.0) 2018-12-06 13:58:50 +00:00			`It has already been patched by nginx >= 1.15.4.`

Revert "Not needed patch" This reverts commit 3709ac20f6e89edab496f546192ce59c33807c62. 2018-10-03 06:38:31 +00:00			`Run it from the nginx directory.`

			``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_openssl-1.1.x_renegotiation_bugfix.patch \| patch -p1``

Update README.md 2018-06-08 18:10:20 +00:00			`## nginx Configuration`
Update README and add pre8_ciphers file. 2018-05-30 05:45:05 +00:00
Update README.md 2018-06-08 18:10:20 +00:00			`### HPACK Patch`

Update README.md - How to build 2018-06-30 08:08:38 +00:00			Add configure arguments : ``--with-http_v2_hpack_enc``
Update README.md 2018-06-08 18:10:20 +00:00
			`### SSL Setting`
Add a description for the files. 2018-06-01 04:26:27 +00:00			```
			`ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;`
			`ssl_ciphers [Copy it from below and paste it here.];`
			`ssl_ecdh_curve X25519:P-256:P-384;`
			`ssl_prefer_server_ciphers on;`
			```

Latest update (1.1.2 -> 3.0.0) 2018-12-06 13:58:50 +00:00			`### OpenSSL-1.1.1a, 3.0.0-dev ciphers (draft 23, 26, 28, final)`
Add a description for the files. 2018-06-01 04:26:27 +00:00			```
			`[EECDH+ECDSA+AESGCM+AES128\|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128\|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES`
			```
Fix ciphers. 2018-05-24 14:01:49 +00:00
Latest update (1.1.2 -> 3.0.0) 2018-12-06 13:58:50 +00:00			`### OpenSSL-1.1.1a_ciphers, 3.0.0-dev_ciphers ciphers (draft 23, 26, 28, final)`
Add a description for the files. 2018-06-01 04:26:27 +00:00			```
Update files - Remove pre2, pre6 and Update pre7. 2018-06-04 22:48:56 +00:00			`[TLS13+AESGCM+AES128\|TLS13+AESGCM+AES256\|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128\|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128\|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES`
Add a description for the files. 2018-06-01 04:26:27 +00:00			```