diff --git a/README.md b/README.md
index dbb2cdd..6926d72 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,7 @@ Here is the basic patch content.
| Patch file name | Patch list |
| :--- | :--- |
+| openssl-1.1.1-tls13_draft.patch | Only for TLS 1.3 draft 23, 26, 28, final support patch. |
| openssl-equal-1.1.1.patch
openssl-equal-1.1.2-dev.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
| openssl-equal-1.1.1_ciphers.patch
openssl-equal-1.1.2-dev_ciphers.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
| openssl-1.1.1-chacha_draft.patch | A draft version of chacha20-poly1305 is available. [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427554824) |
diff --git a/openssl-1.1.1-tls13_draft.patch b/openssl-1.1.1-tls13_draft.patch
new file mode 100644
index 0000000..09870ef
--- /dev/null
+++ b/openssl-1.1.1-tls13_draft.patch
@@ -0,0 +1,227 @@
+diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
+index 0a18a43544..c31597584b 100644
+--- a/include/openssl/ssl.h
++++ b/include/openssl/ssl.h
+@@ -173,12 +173,12 @@ extern "C" {
+ # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+ /* This is the default set of TLSv1.3 ciphersuites */
+ # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
++# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_128_GCM_SHA256:" \
+ "TLS_CHACHA20_POLY1305_SHA256:" \
+- "TLS_AES_128_GCM_SHA256"
++ "TLS_AES_256_GCM_SHA384"
+ # else
+-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+- "TLS_AES_128_GCM_SHA256"
++# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_128_GCM_SHA256:" \
++ "TLS_AES_256_GCM_SHA384"
+ #endif
+ /*
+ * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
+index 2e46cf80d3..0accc837a3 100644
+--- a/include/openssl/tls1.h
++++ b/include/openssl/tls1.h
+@@ -30,6 +30,16 @@ extern "C" {
+ # define TLS1_3_VERSION 0x0304
+ # define TLS_MAX_VERSION TLS1_3_VERSION
+
++/* TODO(TLS1.3) REMOVE ME: Version indicators for draft version */
++# define TLS1_3_VERSION_DRAFT_23 0x7f17
++# define TLS1_3_VERSION_DRAFT_26 0x7f1a
++# define TLS1_3_VERSION_DRAFT_27 0x7f1b
++# define TLS1_3_VERSION_DRAFT 0x7f1c
++# define TLS1_3_VERSION_DRAFT_TXT_23 "TLS 1.3 (draft 23)"
++# define TLS1_3_VERSION_DRAFT_TXT_26 "TLS 1.3 (draft 26)"
++# define TLS1_3_VERSION_DRAFT_TXT_27 "TLS 1.3 (draft 27)"
++# define TLS1_3_VERSION_DRAFT_TXT "TLS 1.3 (draft 28)"
++
+ /* Special value for method supporting multiple versions */
+ # define TLS_ANY_VERSION 0x10000
+
+diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c
+index a11ed483e6..4fd583dd03 100644
+--- a/ssl/record/ssl3_record_tls13.c
++++ b/ssl/record/ssl3_record_tls13.c
+@@ -173,8 +173,9 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
+ if (((alg_enc & SSL_AESCCM) != 0
+ && EVP_CipherUpdate(ctx, NULL, &lenu, NULL,
+ (unsigned int)rec->length) <= 0)
+- || EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
+- sizeof(recheader)) <= 0
++ || (s->version_draft != TLS1_3_VERSION_DRAFT_23
++ && EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
++ sizeof(recheader)) <= 0)
+ || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
+ (unsigned int)rec->length) <= 0
+ || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
+diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
+index e8819e7a28..9afa488822 100644
+--- a/ssl/ssl_locl.h
++++ b/ssl/ssl_locl.h
+@@ -1074,6 +1111,8 @@ struct ssl_st {
+ * DTLS1_VERSION)
+ */
+ int version;
++ /* TODO(TLS1.3): Remove this before release */
++ int version_draft;
+ /* SSLv3 */
+ const SSL_METHOD *method;
+ /*
+diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
+index 4b5e6fe2b8..99981c9e37 100644
+--- a/ssl/statem/extensions_clnt.c
++++ b/ssl/statem/extensions_clnt.c
+@@ -530,8 +530,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
+ return EXT_RETURN_FAIL;
+ }
+
++ /*
++ * TODO(TLS1.3): There is some discussion on the TLS list as to whether
++ * we should include versions = min_version; currv--) {
+- if (!WPACKET_put_bytes_u16(pkt, currv)) {
++ /* TODO(TLS1.3): Remove this first if clause prior to release!! */
++ if (currv == TLS1_3_VERSION) {
++ if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
++ || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
++ || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_27)
++ || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_26)
++ || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_23)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR,
++ SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
++ ERR_R_INTERNAL_ERROR);
++ return EXT_RETURN_FAIL;
++ }
++ } else if (!WPACKET_put_bytes_u16(pkt, currv)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+ SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
+ ERR_R_INTERNAL_ERROR);
+@@ -1760,6 +1777,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
+ return 0;
+ }
+
++ /* TODO(TLS1.3): Remove this before release */
++ if (version == TLS1_3_VERSION_DRAFT
++ || version == TLS1_3_VERSION_DRAFT_27
++ || version == TLS1_3_VERSION_DRAFT_26
++ || version == TLS1_3_VERSION_DRAFT_23) {
++ s->version_draft = version;
++ version = TLS1_3_VERSION;
++ }
++
+ /*
+ * The only protocol version we support which is valid in this extension in
+ * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
+diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
+index 0f2b22392b..6c1ce9813f 100644
+--- a/ssl/statem/extensions_srvr.c
++++ b/ssl/statem/extensions_srvr.c
+@@ -897,7 +897,8 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ }
+ if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
+ || !WPACKET_start_sub_packet_u16(&hrrpkt)
+- || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
++ /* TODO(TLS1.3): Fix this before release */
++ || !WPACKET_put_bytes_u16(&hrrpkt, s->version_draft)
+ || !WPACKET_close(&hrrpkt)) {
+ WPACKET_cleanup(&hrrpkt);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
+@@ -1652,7 +1653,8 @@ EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
+
+ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
+ || !WPACKET_start_sub_packet_u16(pkt)
+- || !WPACKET_put_bytes_u16(pkt, s->version)
++ /* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */
++ || !WPACKET_put_bytes_u16(pkt, s->version_draft)
+ || !WPACKET_close(pkt)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+ SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
+diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
+index 508bb88767..ee927baf64 100644
+--- a/ssl/statem/statem_lib.c
++++ b/ssl/statem/statem_lib.c
+@@ -1753,6 +1753,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
+ unsigned int best_vers = 0;
+ const SSL_METHOD *best_method = NULL;
+ PACKET versionslist;
++ /* TODO(TLS1.3): Remove this before release */
++ unsigned int orig_candidate = 0;
+
+ suppversions->parsed = 1;
+
+@@ -1774,6 +1776,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
+ return SSL_R_BAD_LEGACY_VERSION;
+
+ while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
++ /* TODO(TLS1.3): Remove this before release */
++ if (candidate_vers == TLS1_3_VERSION
++ || candidate_vers == TLS1_3_VERSION_DRAFT
++ || candidate_vers == TLS1_3_VERSION_DRAFT_26
++ || candidate_vers == TLS1_3_VERSION_DRAFT_23) {
++ if (best_vers == TLS1_3_VERSION
++ && (orig_candidate > candidate_vers
++ || orig_candidate == TLS1_3_VERSION))
++ continue;
++ orig_candidate = candidate_vers;
++ candidate_vers = TLS1_3_VERSION;
++ }
++ /*
++ * TODO(TLS1.3): There is some discussion on the TLS list about
++ * whether to ignore versions version = best_vers;
++ /* TODO(TLS1.3): Remove this before release */
++ if (best_vers == TLS1_3_VERSION)
++ s->version_draft = orig_candidate;
+ s->method = best_method;
+ return 0;
+ }
+diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
+index be3039af38..99c4ddcb41 100644
+--- a/ssl/t1_trce.c
++++ b/ssl/t1_trce.c
+@@ -65,6 +65,11 @@ static const ssl_trace_tbl ssl_version_tbl[] = {
+ {TLS1_1_VERSION, "TLS 1.1"},
+ {TLS1_2_VERSION, "TLS 1.2"},
+ {TLS1_3_VERSION, "TLS 1.3"},
++ /* TODO(TLS1.3): Remove these lines before release */
++ {TLS1_3_VERSION_DRAFT_23, TLS1_3_VERSION_DRAFT_TXT_23},
++ {TLS1_3_VERSION_DRAFT_26, TLS1_3_VERSION_DRAFT_TXT_26},
++ {TLS1_3_VERSION_DRAFT_27, TLS1_3_VERSION_DRAFT_TXT_27},
++ {TLS1_3_VERSION_DRAFT, TLS1_3_VERSION_DRAFT_TXT},
+ {DTLS1_VERSION, "DTLS 1.0"},
+ {DTLS1_2_VERSION, "DTLS 1.2"},
+ {DTLS1_BAD_VER, "DTLS 1.0 (bad)"}
+@@ -638,8 +643,19 @@ static int ssl_print_version(BIO *bio, int indent, const char *name,
+ if (*pmsglen < 2)
+ return 0;
+ vers = ((*pmsg)[0] << 8) | (*pmsg)[1];
+- if (version != NULL)
+- *version = vers;
++ if (version != NULL) {
++ /* TODO(TLS1.3): Remove the draft conditional here before release */
++ switch(vers) {
++ case TLS1_3_VERSION_DRAFT_23:
++ case TLS1_3_VERSION_DRAFT_26:
++ case TLS1_3_VERSION_DRAFT_27:
++ case TLS1_3_VERSION_DRAFT:
++ *version = TLS1_3_VERSION;
++ break;
++ default:
++ *version = vers;
++ }
++ }
+ BIO_indent(bio, indent, 80);
+ BIO_printf(bio, "%s=0x%x (%s)\n",
+ name, vers, ssl_trace_str(vers, ssl_version_tbl));