


OpenSSL Equal Preference Patch

This file is not an official OpenSSL patch. Problems can arise, and dealing with them is your responsibility.

Supports TLS 1.3 draft 28 browsers: Chrome Canary, Firefox Nightly

Latest patches: openssl-equal-pre8.patch, openssl-equal-pre8_ciphers.patch

View Tree (OpenSSL)

Original source by BoringSSL & buik

OpenSSL 1.1.0h patch is here

Patch files

Here is the basic patch content.

  • Supports TLS 1.3 draft 23 + 28 (Not support pre2)
    • Server: draft 23 + 28
    • Client: draft 23 + 26 + 27 + 28
  • BoringSSL's Equal Preference Patch
  • Weak 3DES ciphers and ciphers that do not use ECDHE are not used in TLSv1.1 or later.
Patch file name Patch list
openssl-equal-pre2.patch Does not support draft 28.
TLS 1.3 cipher settings cannot be changed on nginx.
TLS 1.3 cipher settings can be changed on nginx.
nginx_hpack_push.patch Patches both the HPACK patch and the PUSH ERROR.
nginx_hpack_push_fix.patch Patches only the PUSH ERROR of the HPACK patch (for use when the HPACK patch has already been applied).

The "_ciphers" patch file is a temporary change to the TLS 1.3 configuration.

Examples of setting TLS 1.3 ciphers in nginx (pre7 or higher):

  • ex 2. TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  • ex 3. TLS13+AESGCM+AES128:EECDH+AES128 (TLS 1.3 + TLS 1.2 ciphers)
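
The following Python function is an added example, not part of this repository or of the patch. It splits an ssl_ciphers value into its TLS 1.3 and older entries and flags 3DES and non-ECDHE entries, which this page says are not used in TLSv1.1 or later. It assumes that `[`, `]` and `|` delimit equal-preference groups as in BoringSSL's cipher-string syntax and that a `TLS13+` prefix marks the TLS 1.3 alias form shown in ex 3; the name `audit_ssl_ciphers` and the `WEAK` string are constructed for illustration.

```python
import re

# The five cipher suites defined for TLS 1.3 in RFC 8446.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

def audit_ssl_ciphers(value):
    """Split an ssl_ciphers value into TLS 1.3 and older entries and
    flag 3DES and non-ECDHE entries (name-based heuristic)."""
    tls13, legacy, findings = [], [], []
    # ':' separates entries; '[', ']' and '|' are assumed to delimit
    # equal-preference groups as in BoringSSL's cipher-string syntax.
    for token in filter(None, re.split(r"[:\[\]|\s]+", value)):
        if token[0] in "!-@":
            continue  # exclusions, removals and @ directives enable nothing
        upper = token.upper()
        if upper.startswith("TLS_"):
            tls13.append(token)
            if upper not in TLS13_SUITES:
                findings.append(f"{token}: not an RFC 8446 suite name")
        elif upper.startswith("TLS13+"):
            tls13.append(token)  # alias form, assumed from ex 3 on this page
        else:
            legacy.append(token)
            if "3DES" in upper or "DES-CBC3" in upper:
                findings.append(f"{token}: 3DES")
            elif "ECDHE" not in upper and "EECDH" not in upper:
                findings.append(f"{token}: key exchange is not ECDHE")
    return {"tls13": tls13, "legacy": legacy, "findings": findings}

# EX2 and EX3 are the strings from this page; WEAK is constructed.
EX2 = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
EX3 = "TLS13+AESGCM+AES128:EECDH+AES128"
WEAK = "[TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384]:DES-CBC3-SHA:AES128-SHA:!aNULL"

if __name__ == "__main__":
    for s in (EX2, EX3, WEAK):
        print(s, "->", audit_ssl_ciphers(s))
```
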

nginx Configuration (ssl_ciphers)

Default settings

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers [Copy it from below and paste it here.];
ssl_ecdh_curve X25519:P-256:P-384;
ssl_prefer_server_ciphers on;

OpenSSL-1.1.1-pre2 ciphers (draft 23)


OpenSSL-1.1.1-pre7, pre8 ciphers (draft 23, 28)


OpenSSL-1.1.1-pre7_ciphers, pre8_ciphers ciphers (draft 23, 28)