Update ignore Strict-SNI log. Add instructions on how to build.

openssl-1.1.1
Hakase 2018-09-16 02:29:55 +09:00
parent d4baca8e77
commit 35e8da32b5
No known key found for this signature in database
GPG Key ID: BB2821A9E0DF48C9
2 changed files with 32 additions and 0 deletions

@ -46,6 +46,7 @@ Here is the basic patch content.
| :--- | :--- |
| openssl-equal-1.1.1.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
| openssl-equal-1.1.1_ciphers.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
| openssl_ignore_log_strict-sni.patch | When using nginx_strict-sni.patch, nginx ignores the error in error.log. [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-421594901) |
**The "_ciphers" patch file is a temporary change to the TLS 1.3 configuration.**
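Review bot: The new openssl_ignore_log_strict-sni.patch row says "nginx ignores the error in error.log", but the patch is applied to OpenSSL and changes the SSL_TLSEXT_ERR_ALERT_FATAL branch of final_server_name, so it drops the error for every fatal result of the servername callback, not only for Strict-SNI rejections. Suggest rewording the row to say that OpenSSL no longer records SSL_R_CALLBACK_FAILED when the servername callback aborts the handshake, and that the patch goes in the openssl directory, so operators know which log signal they are giving up.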
@ -65,6 +66,7 @@ Example of setting TLS 1.3 cipher in nginx:
| nginx_hpack_push_fix.patch | _Patch only_ the **PUSH ERROR** of the hpack patch. (If the HPACK patch has already been completed) |
| remove_nginx_server_header.patch | Remove nginx server header. (http2, http1.1) |
| nginx_hpack_remove_server_header_1.15.3.patch | HPACK + Remove nginx server header. (http2, http1.1) |
| nginx_strict-sni.patch | Enable **Strict-SNI**. Thanks @JemmyLoveJenny. [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-421551872) |
## How To Use?
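Review bot: The nginx_strict-sni.patch row says only "Enable **Strict-SNI**" and does not state what the server does differently or whether a directive has to be set. A one-line description of the behavior, or a matching entry under "nginx Configuration", would let readers judge the patch without opening the linked issue.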
@ -99,6 +101,20 @@ Run it from the nginx directory.
``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/remove_nginx_server_header.patch | patch -p1``
### nginx strict-sni patch
Run it from the nginx directory.
``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_strict-sni.patch | patch -p1``
And then run it from the openssl directory.
``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl_ignore_log_strict-sni.patch | patch -p1``
Finally, build nginx.
Example patch is [here](https://github.com/hakasenyang/nginx-build/blob/master/strict-sni-example.patch). (nginx)
## nginx Configuration
### HPACK Patch
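Review bot: Both new commands in the "nginx strict-sni patch" section pipe a file fetched from the master branch straight into patch -p1, so whatever is on master at build time is applied to the nginx and OpenSSL sources unreviewed. Suggest pinning the URLs to a commit hash, using curl -f so an HTTP error page is not fed to patch, and saving the file so it can be inspected before it is applied. It would also help to say that openssl_ignore_log_strict-sni.patch only suppresses logging, and what "Example patch is here (nginx)" is an example of.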

@ -0,0 +1,16 @@
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 8422161dc1..675446e59f 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -998,7 +998,9 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
switch (ret) {
case SSL_TLSEXT_ERR_ALERT_FATAL:
- SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED);
+ s->statem.in_init = 1;
+ s->statem.state = MSG_FLOW_ERROR;
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_F_FINAL_RENEGOTIATE);
return 0;
case SSL_TLSEXT_ERR_ALERT_WARNING:
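Review bot: In the added call ssl3_send_alert(s, SSL3_AL_FATAL, SSL_F_FINAL_RENEGOTIATE), the third argument is an SSL_F_* function code, not an alert description; the removed SSLfatal line passed altmp in that position. Suggest ssl3_send_alert(s, SSL3_AL_FATAL, altmp) so the client still receives the alert the old code would have sent. This branch now also skips the error queue for every SSL_TLSEXT_ERR_ALERT_FATAL return, so a short comment stating that the suppression is deliberate would help the next reader.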