Revert "Not needed patch"

This reverts commit 3709ac20f6.
openssl-1.1.1
Hakase 2018-10-03 15:38:31 +09:00
parent 3709ac20f6
commit 1e709bebf3
No known key found for this signature in database
GPG Key ID: BB2821A9E0DF48C9
2 changed files with 32 additions and 0 deletions

@ -68,6 +68,7 @@ Example of setting TLS 1.3 cipher in nginx:
| remove_nginx_server_header.patch | Remove nginx server header. (http2, http1.1) |
| nginx_hpack_remove_server_header_1.15.3.patch | HPACK + Remove nginx server header. (http2, http1.1) |
| nginx_strict-sni.patch | Enable **Strict-SNI**. Thanks [@JemmyLoveJenny](https://github.com/JemmyLoveJenny). [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-421551872) |
| nginx_openssl-1.1.x_renegotiation_bugfix.patch | Bugfix **Secure Client-Initiated Renegotiation**. (Check testssl.sh) OpenSSL >= 1.1.1 |
## How To Use?
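Review bot: The new table row for nginx_openssl-1.1.x_renegotiation_bugfix.patch says only "Bugfix Secure Client-Initiated Renegotiation", which does not tell a reader what the patch changes or which nginx source it applies to. Suggest stating that it sets SSL_OP_NO_RENEGOTIATION on the SSL_CTX in ngx_ssl_create, and naming the nginx release it was cut against, as nginx_hpack_remove_server_header_1.15.3.patch does in its file name. The file name says 1.1.x while the row says "OpenSSL >= 1.1.1"; the two should agree.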
@ -116,6 +117,12 @@ Finally, build nginx.
Example patch is [here](https://github.com/hakasenyang/nginx-build/blob/master/strict-sni-example.patch). (nginx)
### nginx OpenSSL-1.1.x Renegotiation Bugfix
Run it from the nginx directory.
``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_openssl-1.1.x_renegotiation_bugfix.patch | patch -p1``
## nginx Configuration
### HPACK Patch
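Review bot: The documented command in the new "nginx OpenSSL-1.1.x Renegotiation Bugfix" section pipes curl straight into patch -p1 from the master branch, so whatever that URL serves at build time is applied to the nginx source unreviewed and with no integrity check. Suggest documenting a download to a file from a URL pinned to a commit hash instead of master, a checksum comparison, and a patch -p1 --dry-run before the real run. As written, curl also has no -f, so an HTTP error body would be handed to patch as input.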

@ -0,0 +1,25 @@
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 3a0e150d..f080b2d7 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -350,6 +350,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
#endif
+#ifdef SSL_OP_NO_RENEGOTIATION
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_RENEGOTIATION);
+#endif
+
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
#endif
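Review bot: Setting SSL_OP_NO_RENEGOTIATION with SSL_CTX_set_options in ngx_ssl_create widens the scope of the option: the code removed in the next hunk applied it only in the else branch that calls SSL_set_accept_state, whereas every connection created from this context now inherits it, including those that take the other branch of that if. If that wider scope is intended, say so in a comment above the new #ifdef, and explain why the per-connection call was not sufficient; neither the hunk nor the commit message ("Revert "Not needed patch"") records the reason.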
@@ -1294,9 +1298,6 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
} else {
SSL_set_accept_state(sc->connection);
-#ifdef SSL_OP_NO_RENEGOTIATION
- SSL_set_options(sc->connection, SSL_OP_NO_RENEGOTIATION);
-#endif
}
if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) {
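Review bot: Removing the SSL_set_options call from the else branch of ngx_ssl_create_connection leaves the accept path with no renegotiation setting of its own; it now relies entirely on the context option added in ngx_ssl_create. SSL_set_options only ORs bits into the connection's option mask, so keeping this call next to the context-level one would be harmless and would preserve the server-side guarantee if the context option is ever dropped or reworked. Keeping it would also shrink the patch to a single hunk, which gives it fewer places to fail when applied to a different nginx version.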