Go to file

Hakase f9e90d2843 Update nginx Strict-SNI Patch		2019-03-10 01:07:36 +09:00
LICENSE	Update LICENSE	2018-06-09 02:44:43 +09:00
README.md	Update Patch	2019-03-10 01:02:11 +09:00
nginx_hpack_push.patch	Some sources were missing.	2018-06-05 23:38:40 +09:00
nginx_hpack_push_1.15.3.patch	Push patch compatibility in nginx 1.15.3	2018-08-16 16:16:16 +09:00
nginx_hpack_push_fix.patch	Some sources were missing.	2018-06-05 23:38:40 +09:00
nginx_hpack_remove_server_header_1.15.3.patch	Add HPACK & Remove nginx server header.	2018-09-03 18:56:48 +09:00
nginx_openssl-1.1.x_renegotiation_bugfix.patch	nginx segfault bugfix - https://trac.nginx.org/nginx/ticket/1646	2018-10-03 19:25:37 +09:00
nginx_strict-sni.patch	Fix strict-sni bug.	2018-10-09 06:31:22 +09:00
nginx_strict-sni_1.15.10.patch	Update nginx Strict-SNI Patch	2019-03-10 01:07:36 +09:00
openssl-1.1.1a-chacha_draft.patch	Removing OpenSSL-1.1.1 patch files and patch OpenSSL-1.1.1a files.	2018-12-03 19:39:13 +09:00
openssl-1.1.1a-tls13_draft.patch	Removing OpenSSL-1.1.1 patch files and patch OpenSSL-1.1.1a files.	2018-12-03 19:39:13 +09:00
openssl-1.1.1a-tls13_nginx_config.patch	Removing OpenSSL-1.1.1 patch files and patch OpenSSL-1.1.1a files.	2018-12-03 19:39:13 +09:00
openssl-1.1.1b-chacha_draft.patch	Latest update - CHACHA20-DRAFT	2019-02-19 15:30:26 +09:00
openssl-1.1.1c-chacha_draft.patch	Update Patch	2019-03-10 01:02:11 +09:00
openssl-3.0.0-dev-chacha_draft.patch	Update Patch	2019-03-10 01:02:11 +09:00
openssl-3.0.0-dev_version_error.patch	Add patch.	2018-12-06 23:46:53 +09:00
openssl-equal-1.1.1a.patch	Remove TLSv1.3 draft.	2019-02-09 20:31:04 +09:00
openssl-equal-1.1.1a_ciphers.patch	Remove TLSv1.3 draft.	2019-02-09 20:31:04 +09:00
openssl-equal-1.1.1b.patch	Latest update	2019-02-26 16:31:31 +09:00
openssl-equal-1.1.1b_ciphers.patch	Latest update	2019-02-26 16:31:31 +09:00
openssl-equal-3.0.0-dev.patch	Update Patch	2019-03-10 01:02:11 +09:00
openssl-equal-3.0.0-dev_ciphers.patch	Update Patch	2019-03-10 01:02:11 +09:00
remove_nginx_server_header.patch	Add remove server header, Update README.md	2018-06-24 23:31:13 +09:00

README.md

openssl-patch

OpenSSL Patch

This file is not an official OpenSSL patch. Problems can arise and this is your responsibility.

Original Sources

Information

Test Page - (TLS 1.3 final)
SSL Test Result - testssl.sh
SSL Test Result - dev.ssllabs.com
If you link site to a browser that supports final, you'll see a TLS 1.3 message.

Displays TLSv1.3 support for large sites.

Default support is in bold type.

Baidu(China) : TLSv1.2
Naver(Korea) : TLSv1.2
Twitter : TLSv1.2
My Site : TLSv1.3 final
Facebook : TLSv1.3 draft 23, 26, 28, final
Cloudflare : TLSv1.3 final
Google(Gmail) : TLSv1.3 final
NSS TLS 1.3(Mozilla) : TLSv1.3 final

Compatible OpenSSL-3.0.0-dev (OpenSSL, 23495 commits)

Patch files

The equal preference patch(openssl-equal-x) already includes the tls13_draft patch and the tls13_nginx_config(_ciphers file only) patch. Therefore, you do not need to patch it together.

You can find the OpenSSL 1.1.0h patch is here.

Here is the basic patch content.

BoringSSL's Equal Preference Patch
Weak 3DES and not using ECDHE ciphers is not used in TLSv1.1 or later.

Patch file name	Patch list
openssl-equal-1.1.1a.patch openssl-equal-3.0.0-dev.patch	Support final (TLS 1.3), TLS 1.3 cipher settings *can not* be changed on nginx.
openssl-equal-1.1.1a_ciphers.patch openssl-equal-3.0.0-dev_ciphers.patch	Support final (TLS 1.3), TLS 1.3 cipher settings *can* be changed on nginx.
openssl-1.1.1a-chacha_draft.patch openssl-3.0.0-dev-chacha_draft.patch	A draft version of chacha20-poly1305 is available. View issue
openssl-1.1.1a-tls13_draft.patch	Only for TLS 1.3 draft 23, 26, 28, final support patch.
openssl-1.1.1a-tls13_nginx_config.patch	You can set TLS 1.3 ciphere in nginx. ex) TLS13+AESGCM+AES128
openssl-3.0.0-dev_version_error.patch	TEST This is a way to fix nginx when the following errors occur during the build: Error: missing binary operator before token "(" Maybe patched: https://github.com/openssl/openssl/pull/7839 Patched : https://github.com/openssl/openssl/commit/5d609f22d28615c45685d9da871d432e9cb81127

The "_ciphers" patch file is a temporary change to the TLS 1.3 configuration.

Example of setting TLS 1.3 cipher in nginx:

Example	Ciphers
Short Cipher	TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20
Fullname Cipher	TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
TLS 1.3 + 1.2 ciphers	TLS13+AESGCM+AES128:EECDH+AES128

Not OpenSSL patch files

Patch file name	Patch list
nginx_hpack_push.patch	Patch both the HPACK patch and the PUSH ERROR.
nginx_hpack_push_fix.patch	Patch only the PUSH ERROR of the hpack patch. (If the HPACK patch has already been completed)
remove_nginx_server_header.patch	Remove nginx server header. (http2, http1.1)
nginx_hpack_remove_server_header_1.15.3.patch	HPACK + Remove nginx server header. (http2, http1.1)
nginx_strict-sni.patch	Enable Strict-SNI. Thanks @JemmyLoveJenny. View issue
nginx_openssl-1.1.x_renegotiation_bugfix.patch	Bugfix Secure Client-Initiated Renegotiation. (Check testssl.sh) OpenSSL >= 1.1.x, nginx = 1.15.4 Patched nginx 1.15.5

How To Use?

OpenSSL Patch

git clone https://github.com/openssl/openssl.git
git clone https://github.com/hakasenyang/openssl-patch.git
cd openssl
patch -p1 < ../openssl-patch/openssl-equal-3.0.0-dev_ciphers.patch

And then use --with-openssl in nginx or build after ./config.

OpenSSL CHACHA20-POLY1305-OLD Patch

Thanks @JemmyLoveJenny!

View issue / Original Source

git clone https://github.com/openssl/openssl.git
git clone https://github.com/hakasenyang/openssl-patch.git
cd openssl
patch -p1 < ../openssl-patch/openssl-1.1.1a-chacha_draft.patch

nginx HPACK Patch

Run it from the nginx directory.

If you have a PUSH patch, use it as follows.

curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_fix.patch | patch -p1

If you did not patch PUSH, use it as follows.

curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push.patch | patch -p1

And then check the nginx configuration below.

nginx Remove Server Header Patch

Run it from the nginx directory.

curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/remove_nginx_server_header.patch | patch -p1

nginx strict-sni patch

Run it from the nginx directory.

curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_strict-sni.patch | patch -p1

This is a condition for using strict sni. View issue.

How to use nginx strict-sni?
- ONLY USE IN http { }
- strict_sni : nginx strict-sni ON/OFF toggle option.
- strict_sni_header : if you do not want to respond to invalid headers. (only with strict_sni)
- Strict SNI requires at least two ssl server (fake) settings (server { listen 443 ssl }).
- It does not matter what kind of certificate or duplicate.

Thanks @JemmyLoveJenny, @NewBugger!

nginx OpenSSL-1.1.x Renegotiation Bugfix

It has already been patched by nginx >= 1.15.4.

Run it from the nginx directory.

curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_openssl-1.1.x_renegotiation_bugfix.patch | patch -p1

nginx Configuration

HPACK Patch

Add configure arguments : --with-http_v2_hpack_enc

SSL Setting

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers [Copy it from below and paste it here.];
ssl_ecdh_curve X25519:P-256:P-384;
ssl_prefer_server_ciphers on;

OpenSSL-1.1.1a, 3.0.0-dev ciphers

[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES

OpenSSL-1.1.1a_ciphers, 3.0.0-dev_ciphers ciphers

[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES