openssl-patch/README.md

# openssl-patch

## OpenSSL Equal Preference Patch

### This file is not an official OpenSSL patch. Problems can arise and this is your responsibility.

- [Test Page - (TLS 1.3 draft 23, 28)](https://ssl.hakase.io/)
- [SSL Test Result - testssl.sh](https://ssl.hakase.io/ssltest/hakase.io.html)
- [SSL Test Result - dev.ssllabs.com](https://dev.ssllabs.com/ssltest/analyze.html?d=hakase.io)
- **If you link site to a browser that supports draft 23 or 28, you'll see a TLS 1.3 message.**

**Support TLS 1.3 draft 28 browsers - _Chrome Canary, Firefox Nightly_**

**Latest patch : openssl-equal-pre8.patch, openssl-equal-pre8_ciphers.patch**

[View Tree (OpenSSL)](https://github.com/openssl/openssl/tree/5eb774324a14b03835020bb3ae2e1c6c92515db0)

[Original source](https://boringssl.googlesource.com/boringssl/+/858a88daf27975f67d9f63e18f95645be2886bfb%5E%21) by [BoringSSL](https://github.com/google/boringssl) & [buik](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1/OpenSSL1.1h-equal-preference-cipher-groups.patch)

OpenSSL 1.1.0h patch is [here](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1/OpenSSL1.1h-equal-preference-cipher-groups.patch)

## Patch files

Here is the basic patch content.
- Support TLS 1.3 draft 23 + 28 (Not support pre2)
    - Server: draft 23 + 28
    - Client: draft 23 + 26 + 27 + 28
- BoringSSL's Equal Preference Patch
- Weak 3DES and not using ECDHE ciphers is not used in TLSv1.1 or later.

| Patch file name | Patch list |
| :--- | :--- |
| openssl-equal-pre2.patch | **_Not support_** draft **28**. |
| openssl-equal-pre7.patch | TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
| openssl-equal-pre7_ciphers.patch | TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
| openssl-equal-pre8.patch | TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
| openssl-equal-pre8_ciphers.patch | TLS 1.3 cipher settings **_can_** be changed on _nginx_. |

**The "_ciphers" patch file is a temporary change to the TLS 1.3 configuration.**

Example of setting TLS 1.3 cipher in nginx (pre7 or higher):
- ex 1. TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20
- ex 2. TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
- ex 3. TLS13+AESGCM+AES128:EECDH+AES128 (TLS 1.3 + TLS 1.2 ciphers)

## nginx Configuration (ssl_ciphers)

### Default settings
```
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers [Copy it from below and paste it here.];
ssl_ecdh_curve X25519:P-256:P-384;
ssl_prefer_server_ciphers on;
```

### OpenSSL-1.1.1-pre2 ciphers (draft 23)
```
[TLS13-AES-128-GCM-SHA256|TLS13-AES-256-GCM-SHA384|TLS13-CHACHA20-POLY1305-SHA256]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
```

### OpenSSL-1.1.1-pre7, pre8 ciphers (draft 23, 28)
```
[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
```

### OpenSSL-1.1.1-pre7_ciphers, pre8_ciphers ciphers (draft 23, 28)
```
[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
```
Create README.md 2018-04-07 08:19:17 +00:00			`# openssl-patch`

Update README.md 2018-04-22 21:27:43 +00:00			`## OpenSSL Equal Preference Patch`
Update README.md 2018-04-07 08:43:00 +00:00
Add a description for the files. 2018-06-01 04:26:27 +00:00			`### This file is not an official OpenSSL patch. Problems can arise and this is your responsibility.`
Fix README.md 2018-05-30 05:45:57 +00:00
Add a description for the files. 2018-06-01 04:26:27 +00:00			`- [Test Page - (TLS 1.3 draft 23, 28)](https://ssl.hakase.io/)`
Add result page : ssllabs 2018-06-04 23:05:55 +00:00			`- [SSL Test Result - testssl.sh](https://ssl.hakase.io/ssltest/hakase.io.html)`
			`- [SSL Test Result - dev.ssllabs.com](https://dev.ssllabs.com/ssltest/analyze.html?d=hakase.io)`
Add a description for the files. 2018-06-01 04:26:27 +00:00			`- If you link site to a browser that supports draft 23 or 28, you'll see a TLS 1.3 message.`
Update README.md 2018-05-27 01:08:18 +00:00
Added support TLS 1.3 draft 28 browsers. 2018-06-01 04:33:35 +00:00			`Support TLS 1.3 draft 28 browsers - _Chrome Canary, Firefox Nightly_`

Update pre8 patch 2018-05-30 09:45:34 +00:00			`Latest patch : openssl-equal-pre8.patch, openssl-equal-pre8_ciphers.patch`
Update README.md 2018-05-28 05:08:39 +00:00
Update README.md 2018-06-01 04:30:38 +00:00			`[View Tree (OpenSSL)](https://github.com/openssl/openssl/tree/5eb774324a14b03835020bb3ae2e1c6c92515db0)`
Fix README.md 2018-05-30 05:45:57 +00:00
Update README.md 2018-06-01 04:30:38 +00:00			`[Original source](https://boringssl.googlesource.com/boringssl/+/858a88daf27975f67d9f63e18f95645be2886bfb%5E%21) by [BoringSSL](https://github.com/google/boringssl) & [buik](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1/OpenSSL1.1h-equal-preference-cipher-groups.patch)`
업데이트 'README.md' 2018-05-09 16:17:50 +00:00
Typo openssl version 2018-05-24 21:14:53 +00:00			`OpenSSL 1.1.0h patch is [here](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1/OpenSSL1.1h-equal-preference-cipher-groups.patch)`
Update README.md 2018-05-09 16:18:49 +00:00
Update files - Remove pre2, pre6 and Update pre7. 2018-06-04 22:48:56 +00:00			`## Patch files`
Add a description for the files. 2018-06-01 04:26:27 +00:00
Update README.md 2018-06-01 04:30:38 +00:00			`Here is the basic patch content.`
Add the pre2 version again. 2018-06-04 23:03:41 +00:00			`- Support TLS 1.3 draft 23 + 28 (Not support pre2)`
Add a description for the files. 2018-06-01 04:26:27 +00:00			`- Server: draft 23 + 28`
			`- Client: draft 23 + 26 + 27 + 28`
			`- BoringSSL's Equal Preference Patch`
Update files - Remove pre2, pre6 and Update pre7. 2018-06-04 22:48:56 +00:00			`- Weak 3DES and not using ECDHE ciphers is not used in TLSv1.1 or later.`
Add a description for the files. 2018-06-01 04:26:27 +00:00
			`\| Patch file name \| Patch list \|`
Add the pre2 version again. 2018-06-04 23:03:41 +00:00			`\| :--- \| :--- \|`
			`\| openssl-equal-pre2.patch \| _Not support_ draft 28. \|`
Update files - Remove pre2, pre6 and Update pre7. 2018-06-04 22:48:56 +00:00			`\| openssl-equal-pre7.patch \| TLS 1.3 cipher settings _can not_ be changed on _nginx_. \|`
			`\| openssl-equal-pre7_ciphers.patch \| TLS 1.3 cipher settings _can_ be changed on _nginx_. \|`
Add a description for the files. 2018-06-01 04:26:27 +00:00			`\| openssl-equal-pre8.patch \| TLS 1.3 cipher settings _can not_ be changed on _nginx_. \|`
			`\| openssl-equal-pre8_ciphers.patch \| TLS 1.3 cipher settings _can_ be changed on _nginx_. \|`

Update README.md 2018-06-01 04:30:38 +00:00			`The "_ciphers" patch file is a temporary change to the TLS 1.3 configuration.`

Add the pre2 version again. 2018-06-04 23:03:41 +00:00			`Example of setting TLS 1.3 cipher in nginx (pre7 or higher):`
Add a description for the files. 2018-06-01 04:26:27 +00:00			`- ex 1. TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20`
			`- ex 2. TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256`
			`- ex 3. TLS13+AESGCM+AES128:EECDH+AES128 (TLS 1.3 + TLS 1.2 ciphers)`

Update README and add pre8_ciphers file. 2018-05-30 05:45:05 +00:00			`## nginx Configuration (ssl_ciphers)`

Add a description for the files. 2018-06-01 04:26:27 +00:00			`### Default settings`
			```
			`ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;`
			`ssl_ciphers [Copy it from below and paste it here.];`
			`ssl_ecdh_curve X25519:P-256:P-384;`
			`ssl_prefer_server_ciphers on;`
			```

Add the pre2 version again. 2018-06-04 23:03:41 +00:00			`### OpenSSL-1.1.1-pre2 ciphers (draft 23)`
			```
			`[TLS13-AES-128-GCM-SHA256\|TLS13-AES-256-GCM-SHA384\|TLS13-CHACHA20-POLY1305-SHA256]:[EECDH+ECDSA+AESGCM+AES128\|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128\|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES`
			```

Update files - Remove pre2, pre6 and Update pre7. 2018-06-04 22:48:56 +00:00			`### OpenSSL-1.1.1-pre7, pre8 ciphers (draft 23, 28)`
Add a description for the files. 2018-06-01 04:26:27 +00:00			```
			`[EECDH+ECDSA+AESGCM+AES128\|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128\|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES`
			```
Fix ciphers. 2018-05-24 14:01:49 +00:00
Update files - Remove pre2, pre6 and Update pre7. 2018-06-04 22:48:56 +00:00			`### OpenSSL-1.1.1-pre7_ciphers, pre8_ciphers ciphers (draft 23, 28)`
Add a description for the files. 2018-06-01 04:26:27 +00:00			```
Update files - Remove pre2, pre6 and Update pre7. 2018-06-04 22:48:56 +00:00			`[TLS13+AESGCM+AES128\|TLS13+AESGCM+AES256\|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128\|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128\|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES`
Add a description for the files. 2018-06-01 04:26:27 +00:00			```