2018-04-07 08:19:17 +00:00
|
|
|
# openssl-patch
|
|
|
|
|
|
2018-04-22 21:27:43 +00:00
|
|
|
## OpenSSL Equal Preference Patch
|
2018-04-07 08:43:00 +00:00
|
|
|
|
2018-06-01 04:26:27 +00:00
|
|
|
### This file is not an official OpenSSL patch. Problems can arise and this is your responsibility.
|
2018-05-30 05:45:57 +00:00
|
|
|
|
2018-06-01 04:26:27 +00:00
|
|
|
- [Test Page - (TLS 1.3 draft 23, 28)](https://ssl.hakase.io/)
|
|
|
|
|
- [Result check testssl.sh](https://ssl.hakase.io/ssltest/hakase.io.html)
|
|
|
|
|
- **If you link site to a browser that supports draft 23 or 28, you'll see a TLS 1.3 message.**
|
2018-05-27 01:08:18 +00:00
|
|
|
|
2018-06-01 04:33:35 +00:00
|
|
|
**Support TLS 1.3 draft 28 browsers - _Chrome Canary, Firefox Nightly_**
|
|
|
|
|
|
2018-05-30 09:45:34 +00:00
|
|
|
**Latest patch : openssl-equal-pre8.patch, openssl-equal-pre8_ciphers.patch**
|
2018-05-28 05:08:39 +00:00
|
|
|
|
2018-06-01 04:30:38 +00:00
|
|
|
[View Tree (OpenSSL)](https://github.com/openssl/openssl/tree/5eb774324a14b03835020bb3ae2e1c6c92515db0)
|
2018-05-30 05:45:57 +00:00
|
|
|
|
2018-06-01 04:30:38 +00:00
|
|
|
[Original source](https://boringssl.googlesource.com/boringssl/+/858a88daf27975f67d9f63e18f95645be2886bfb%5E%21) by [BoringSSL](https://github.com/google/boringssl) & [buik](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1/OpenSSL1.1h-equal-preference-cipher-groups.patch)
|
2018-05-09 16:17:50 +00:00
|
|
|
|
2018-05-24 21:14:53 +00:00
|
|
|
OpenSSL 1.1.0h patch is [here](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1/OpenSSL1.1h-equal-preference-cipher-groups.patch)
|
2018-05-09 16:18:49 +00:00
|
|
|
|
2018-06-01 04:26:27 +00:00
|
|
|
## pre6, pre7 Patch files
|
2018-05-30 05:45:57 +00:00
|
|
|
|
2018-06-01 04:26:27 +00:00
|
|
|
**Patches for BoringSSL's Equal Preference Patch are included by default.**
|
2018-05-30 05:45:05 +00:00
|
|
|
|
2018-06-01 04:26:27 +00:00
|
|
|
| Patch file name | Patch list |
|
|
|
|
|
| :--- | :--- |
|
2018-06-02 00:58:53 +00:00
|
|
|
| openssl-equal-pre6.patch | _Support_ **draft 26**, _Not support_ **draft 28** |
|
|
|
|
|
| openssl-equal-pre7.patch | [Patch files prior to this patch](https://github.com/openssl/openssl/commit/73cc84a132a08a02253ae168600fc4d16cd400d8), _Support_ **draft 26** |
|
|
|
|
|
| openssl-equal-pre7-draft28.patch | [Patch files after this patch](https://github.com/openssl/openssl/commit/73cc84a132a08a02253ae168600fc4d16cd400d8), _Support_ **draft 26~28** |
|
2018-06-01 04:26:27 +00:00
|
|
|
| openssl-equal-pre7-draft23_28.patch | Final (pre7 release), _Support_ **draft 23, 28** |
|
|
|
|
|
|
|
|
|
|
## pre8 Patch files
|
|
|
|
|
|
2018-06-01 04:30:38 +00:00
|
|
|
Here is the basic patch content.
|
2018-06-01 04:26:27 +00:00
|
|
|
- Support TLS 1.3 draft 23 + 28
|
|
|
|
|
- Server: draft 23 + 28
|
|
|
|
|
- Client: draft 23 + 26 + 27 + 28
|
|
|
|
|
- BoringSSL's Equal Preference Patch
|
|
|
|
|
|
|
|
|
|
| Patch file name | Patch list |
|
|
|
|
|
| :--- | :--- |
|
|
|
|
|
| openssl-equal-pre8.patch | TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
|
|
|
|
|
| openssl-equal-pre8_ciphers.patch | TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
|
|
|
|
|
|
2018-06-01 04:30:38 +00:00
|
|
|
**The "_ciphers" patch file is a temporary change to the TLS 1.3 configuration.**
|
|
|
|
|
|
|
|
|
|
Example of setting TLS 1.3 cipher in nginx:
|
2018-06-01 04:26:27 +00:00
|
|
|
- ex 1. TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20
|
|
|
|
|
- ex 2. TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
|
|
|
|
- ex 3. TLS13+AESGCM+AES128:EECDH+AES128 (TLS 1.3 + TLS 1.2 ciphers)
|
|
|
|
|
|
2018-05-30 05:45:05 +00:00
|
|
|
## nginx Configuration (ssl_ciphers)
|
|
|
|
|
|
2018-06-01 04:26:27 +00:00
|
|
|
### Default settings
|
|
|
|
|
```
|
|
|
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
|
|
|
|
ssl_ciphers [Copy it from below and paste it here.];
|
|
|
|
|
ssl_ecdh_curve X25519:P-256:P-384;
|
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
|
```
|
|
|
|
|
|
2018-05-02 04:07:38 +00:00
|
|
|
### OpenSSL-1.1.1-pre2 ciphers (draft 23)
|
2018-06-01 04:26:27 +00:00
|
|
|
```
|
|
|
|
|
[TLS13-AES-128-GCM-SHA256|TLS13-CHACHA20-POLY1305-SHA256]:TLS13-AES-256-GCM-SHA384:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
|
|
|
|
|
```
|
2018-04-07 15:35:45 +00:00
|
|
|
|
2018-05-24 14:01:49 +00:00
|
|
|
### OpenSSL-1.1.1-pre6~pre7 ciphers (draft 26 ~ 28)
|
2018-06-01 04:26:27 +00:00
|
|
|
```
|
|
|
|
|
[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
|
|
|
|
|
```
|
2018-05-24 14:01:49 +00:00
|
|
|
|
2018-05-29 21:39:09 +00:00
|
|
|
### OpenSSL-1.1.1-pre7-draft23_28, pre8 ciphers (draft 23, 28)
|
2018-06-01 04:26:27 +00:00
|
|
|
```
|
|
|
|
|
[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA
|
|
|
|
|
```
|
2018-05-30 05:45:05 +00:00
|
|
|
|
2018-06-01 04:30:38 +00:00
|
|
|
### OpenSSL-1.1.1-pre8_ciphers ciphers (Latest, draft 23, 28)
|
2018-06-01 04:26:27 +00:00
|
|
|
```
|
|
|
|
|
[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA
|
|
|
|
|
```
|
