From 8637d35f9250da84cf0279f710cb95190c4dd581 Mon Sep 17 00:00:00 2001 From: Hakase Date: Fri, 1 Jun 2018 13:26:27 +0900 Subject: [PATCH] Add a description for the files. --- README.md | 63 ++++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 53 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 1eb26c1..154c16f 100644 --- a/README.md +++ b/README.md @@ -2,9 +2,11 @@ ## OpenSSL Equal Preference Patch -[Test Page - (TLS 1.3 draft 23, 28)](https://ssl.hakase.io/) +### This file is not an official OpenSSL patch. Problems can arise and this is your responsibility. -**If you link site to a browser that supports draft 23 or 28, you'll see a TLS 1.3 message.** +- [Test Page - (TLS 1.3 draft 23, 28)](https://ssl.hakase.io/) +- [Result check testssl.sh](https://ssl.hakase.io/ssltest/hakase.io.html) +- **If you link site to a browser that supports draft 23 or 28, you'll see a TLS 1.3 message.** **Latest patch : openssl-equal-pre8.patch, openssl-equal-pre8_ciphers.patch** 
@@ -14,24 +16,65 @@ OpenSSL 1.1.0h patch is [here](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1/OpenSSL1.1h-equal-preference-cipher-groups.patch) -## pre8 File -openssl-equal-pre8.patch : TLS 1.3 cipher settings can not be changed on nginx. +## pre6, pre7 Patch files -openssl-equal-pre8_ciphers.patch : TLS 1.3 cipher settings can be changed on nginx. (ex. TLS13+AESGCM+AES128:TLS13+AESGCM+AES256) +**Patches for BoringSSL's Equal Preference Patch are included by default.** -The _ciphers patch file is a temporary change to the TLS 1.3 configuration. +| Patch file name | Patch list | +| :--- | :--- | +| openssl-equal-pre6.patch | _Support_ **draft 23**, _Not support_ **draft 28** | +| openssl-equal-pre7.patch | [Patch files prior to this patch](https://github.com/openssl/openssl/commit/73cc84a132a08a02253ae168600fc4d16cd400d8), _Not support_ **draft 28** | +| openssl-equal-pre7-draft28.patch | [Patch files after this patch](https://github.com/openssl/openssl/commit/73cc84a132a08a02253ae168600fc4d16cd400d8), _Not support_ **draft 23** | +| openssl-equal-pre7-draft23_28.patch | Final (pre7 release), _Support_ **draft 23, 28** | + +## pre8 Patch files + +Here is the basic patch content +- Support TLS 1.3 draft 23 + 28 + - Server: draft 23 + 28 + - Client: draft 23 + 26 + 27 + 28 +- BoringSSL's Equal Preference Patch + +| Patch file name | Patch list | +| :--- | :--- | +| openssl-equal-pre8.patch | TLS 1.3 cipher settings **_can not_** be changed on _nginx_. | +| openssl-equal-pre8_ciphers.patch | TLS 1.3 cipher settings **_can_** be changed on _nginx_. | + +Support set TLS 1.3 cipher in nginx +- ex 1. TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20 +- ex 2. TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 +- ex 3. 
TLS13+AESGCM+AES128:EECDH+AES128 (TLS 1.3 + TLS 1.2 ciphers) + +**The _ciphers patch file is a temporary change to the TLS 1.3 configuration.** ## nginx Configuration (ssl_ciphers) +### Default settings +``` +ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; +ssl_ciphers [Copy it from below and paste it here.]; +ssl_ecdh_curve X25519:P-256:P-384; +ssl_prefer_server_ciphers on; +``` + ### OpenSSL-1.1.1-pre2 ciphers (draft 23) -`[TLS13-AES-128-GCM-SHA256|TLS13-CHACHA20-POLY1305-SHA256]:TLS13-AES-256-GCM-SHA384:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES` +``` +[TLS13-AES-128-GCM-SHA256|TLS13-CHACHA20-POLY1305-SHA256]:TLS13-AES-256-GCM-SHA384:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES +``` ### OpenSSL-1.1.1-pre6~pre7 ciphers (draft 26 ~ 28) -`[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES` +``` +[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES +``` ### OpenSSL-1.1.1-pre7-draft23_28, pre8 ciphers (draft 23, 28) 
-`[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA` +``` +[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA +``` ### OpenSSL-1.1.1-pre8_ciphers ciphers (draft 23, 28) -`[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA` +``` +[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA +``` +
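Review bot: in the first hunk (`@@ -2,9 +2,11 @@`), the added `### This file is not an official OpenSSL patch. Problems can arise and this is your responsibility.` puts a full disclaimer sentence into an H3 heading, which breaks the document outline (it becomes a section title with the link list as its body); render it as a bold paragraph or a `>` blockquote directly under `## OpenSSL Equal Preference Patch` instead. The bullet carried over as `- **If you link site to a browser that supports draft 23 or 28, you'll see a TLS 1.3 message.**` is also grammatically off; suggest "If you open the test page in a browser that supports draft 23 or 28, you will see a TLS 1.3 message." and, for the new link, "testssl.sh result" rather than "Result check testssl.sh".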
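Review bot: in the second hunk (`@@ -14,24 +16,65 @@`), the new `### Default settings` block recommends `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` while the pre7-draft23_28/pre8 cipher lists further down deliberately drop the non-forward-secret `RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES` entries; the two are inconsistent in posture, so either narrow the default to `ssl_protocols TLSv1.2 TLSv1.3;` or add one sentence stating that TLSv1/TLSv1.1 are kept only for legacy clients. The line `ssl_ciphers [Copy it from below and paste it here.];` would be passed to OpenSSL as a literal cipher string if someone copies the block as-is; mark it as a placeholder (e.g. `ssl_ciphers <cipher string from the matching section below>;`) and state which cipher section goes with which patch file, since the pre8 and pre8_ciphers lists differ. In the pre6/pre7 table, "Patch files prior to this patch" and "Patch files after this patch" both link the same commit 73cc84a and do not say what "prior/after" refers to; suggest "For OpenSSL sources before commit 73cc84a" and "For OpenSSL sources at or after commit 73cc84a". Smaller wording points: the table column "Patch list" holds descriptions, so "Description" is the better header; "Here is the basic patch content" should read "What the pre8 patches contain:"; and "Support set TLS 1.3 cipher in nginx" should read "TLS 1.3 cipher strings accepted in nginx (with the _ciphers patch)".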