Awesome
openssl-patch
OpenSSL Patch
This file is not an official OpenSSL patch. Problems can arise and this is your responsibility.
Original Sources
- OpenSSL Equal Preference Patch by BoringSSL & buik
- HPACK Patch by Cloudflare
- nginx Strict-SNI Patch by @JemmyLoveJenny
- OpenSSL OLD-CHACHA20-POLY1305 by @JemmyLoveJenny
- OpenSSL 1.1.1c PrioritizeChacha Patch by @felixbuenemann
- nginx io_uring support Patch by @CarterLi
Information
- Test Page - (TLS 1.3 final)
- SSL Test Result - testssl.sh
- SSL Test Result - dev.ssllabs.com
- If you link site to a browser that supports final, you'll see a TLS 1.3 message.
Displays TLSv1.3 support for large sites.
Default support is in bold type.
- Baidu(China) : TLSv1.2
- Naver(Korea) : TLSv1.2
- Twitter : TLSv1.2
- My Site : TLSv1.3 final
- Facebook : TLSv1.3 draft 23, 26, 28, final
- Cloudflare : TLSv1.3 final
- Google(Gmail) : TLSv1.3 final
- NSS TLS 1.3(Mozilla) : TLSv1.3 final
Compatible OpenSSL-3.0.0-dev (OpenSSL, 25375 commits)
Compatible OpenSSL-3.0.0-dev-revert (OpenSSL, 25746 commits)
Patch files
The equal preference patch(openssl-equal-x) already includes the tls13_draft patch and the tls13_nginx_config(_ciphers file only) patch. Therefore, you do not need to patch it together.
You can find the OpenSSL 1.1.0h patch is here.
Here is the basic patch content.
- BoringSSL's Equal Preference Patch
- Weak 3DES and not using ECDHE ciphers is not used in TLSv1.1 or later.
| Patch file name | Patch list |
|---|---|
| openssl-equal-1.1.1(x).patch<br>openssl-equal-3.0.0-dev.patch | Support final (TLS 1.3), TLS 1.3 cipher settings can not be changed on nginx. |
| openssl-equal-1.1.1(x)_ciphers.patch<br>openssl-equal-3.0.0-dev_ciphers.patch | Support final (TLS 1.3), TLS 1.3 cipher settings can be changed on nginx. |
| openssl-1.1.1(x)-chacha_draft.patch<br>openssl-3.0.0-dev-chacha_draft.patch | A draft version of chacha20-poly1305 is available. View issue |
| openssl-1.1.1a-tls13_draft.patch | Only for TLS 1.3 draft 23, 26, 28, final support patch. |
| openssl-1.1.1a-tls13_nginx_config.patch | You can set TLS 1.3 ciphere in nginx. ex) TLS13+AESGCM+AES128 |
| openssl-1.1.1c-prioritize_chacha_draft.patch | Priority applied patch for CHACHA20 and CHACHA20-DRAFT. View Pull Request |
| openssl-3.0.0-session_tls13.patch | For TLS 1.2 and below, the existing session timeout value is written. For TLS 1.3, 172800 (2 days) is fixed. |
| openssl-3.0.0-dev_version_error.patch | TEST This is a way to fix nginx when the following errors occur during the build:<br>Error: missing binary operator before token "("<br>Maybe patched: https://github.com/openssl/openssl/pull/7839<br>Patched : https://github.com/openssl/openssl/commit/5d609f22d28615c45685d9da871d432e9cb81127 |
| openssl-3.0.0-dev_revert.patch | TEST This file will revert the patch to use the old OpenSSL API. (This is an unsafe temporary measure.) |
| openssl-3.0.0-dev-chacha_draft_revert.patch<br>openssl-equal-3.0.0-dev_ciphers_revert.patch<br>openssl-equal-3.0.0-dev_revert.patch | TEST These patches should be used after patching the openssl-3.0.0-dev_revert.patch file first. |
The "_ciphers" patch file is a temporary change to the TLS 1.3 configuration.
Example of setting TLS 1.3 cipher in nginx:
| Example | Ciphers |
|---|---|
| Short Cipher | TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20 |
| Fullname Cipher | TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 |
| TLS 1.3 + 1.2 ciphers | TLS13+AESGCM+AES128:EECDH+AES128 |
Not OpenSSL patch files
| Patch file name | Patch list |
|---|---|
| nginx_hpack_push.patch | Patch both the HPACK patch and the PUSH ERROR. |
| nginx_hpack_push_fix.patch | Patch only the PUSH ERROR of the hpack patch. (If the HPACK patch has already been completed) |
| remove_nginx_server_header.patch | Remove nginx server header. (http2, http1.1) |
| nginx_hpack_remove_server_header_1.15.3.patch | HPACK + Remove nginx server header. (http2, http1.1) |
| nginx_strict-sni.patch | Enable Strict-SNI. Thanks @JemmyLoveJenny. View issue |
| nginx_openssl-1.1.x_renegotiation_bugfix.patch | Bugfix Secure Client-Initiated Renegotiation. (Check testssl.sh) OpenSSL >= 1.1.x, nginx = 1.15.4<br>Patched nginx 1.15.5 |
| nginx_ocsp.sh | Some of the parts that can not get OCSP Stapling value at nginx start or reload are solved.<br>OCSP stapling in nginx is made up of a callback, so you only need to connect at least once to get the value.<br>This file is a temporary file and may not work normally. |
| nginx_io_uring.patch | Add io_uring support patch. Thanks @CarterLi. View how to install |
How To Use?
OpenSSL Patch
git clone https://github.com/openssl/openssl.git
git clone https://github.com/hakasenyang/openssl-patch.git
cd openssl
patch -p1 < ../openssl-patch/openssl-equal-3.0.0-dev_ciphers.patch
And then use --with-openssl in nginx or build after ./config.
OpenSSL CHACHA20-POLY1305-OLD Patch
Thanks @JemmyLoveJenny!
git clone https://github.com/openssl/openssl.git
git clone https://github.com/hakasenyang/openssl-patch.git
cd openssl
patch -p1 < ../openssl-patch/openssl-1.1.1a-chacha_draft.patch
nginx HPACK Patch
Run it from the nginx directory.
If you have a PUSH patch, use it as follows.
curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_fix.patch | patch -p1
If you did not patch PUSH, use it as follows.
curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push.patch | patch -p1
And then check the nginx configuration below.
nginx Remove Server Header Patch
Run it from the nginx directory.
curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/remove_nginx_server_header.patch | patch -p1
nginx strict-sni patch
Run it from the nginx directory.
curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_strict-sni.patch | patch -p1
This is a condition for using strict sni. View issue.
- How to use nginx strict-sni?
- ONLY USE IN http { }
- strict_sni : nginx strict-sni ON/OFF toggle option.
- strict_sni_header : if you do not want to respond to invalid headers. (only with strict_sni)
- Strict SNI requires at least two ssl server (fake) settings (server { listen 443 ssl }).
- It does not matter what kind of certificate or duplicate.
- (>1.15.10) If no SNI is required, print the certificate without applying strict-SNI.
Thanks @JemmyLoveJenny, @NewBugger!
nginx OpenSSL-1.1.x Renegotiation Bugfix
It has already been patched by nginx >= 1.15.4.
Run it from the nginx directory.
curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_openssl-1.1.x_renegotiation_bugfix.patch | patch -p1
io_uring Patch
nginx Configuration
HPACK Patch
Add configure arguments : --with-http_v2_hpack_enc
SSL Setting
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers [Copy it from below and paste it here.];
ssl_ecdh_curve X25519:P-256:P-384;
ssl_prefer_server_ciphers on;
OpenSSL-1.1.1a, 3.0.0-dev ciphers
[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
OpenSSL-1.1.1a_ciphers, 3.0.0-dev_ciphers ciphers
[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
Other.
nginx ocsp shell
The configuration file recognizes the *.conf file in /etc/nginx.
Precedence settings in nginx.conf are as follows:
worker_processes 1 - If this number is high, the remaining worker processes do not have OCSP Stapling values.
After reload or restart, execute the corresponding shell. That's it!
I tried to edit nginx, but I have not found a good way yet. :(