Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.
Awesome Lists | Featured Topics | Projects
https://github.com/hakasenyang/openssl-patch

OpenSSL & NginX Patch
https://github.com/hakasenyang/openssl-patch
Last synced: about 2 months ago
JSON representation
OpenSSL & NginX Patch
Host: GitHub
URL: https://github.com/hakasenyang/openssl-patch
Owner: hakasenyang
License: other
Created: 2018-05-14T02:59:41.000Z (over 6 years ago)
Default Branch: master
Last Pushed: 2021-12-28T22:14:10.000Z (over 2 years ago)
Last Synced: 2024-04-27T20:38:01.829Z (5 months ago)
Language: Shell
Homepage: https://hks.pw/ossl
Size: 286 KB
Stars: 193
Watchers: 25
Forks: 26
Open Issues: 7
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project

README

        # openssl-patch

## OpenSSL Patch

### This file is not an official OpenSSL patch. Problems can arise and this is your responsibility.

## Original Sources

- [OpenSSL Equal Preference Patch](https://boringssl.googlesource.com/boringssl/+/858a88daf27975f67d9f63e18f95645be2886bfb%5E%21) by [BoringSSL](https://github.com/google/boringssl) & [buik](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1)

- [HPACK Patch](https://github.com/cloudflare/sslconfig/blob/master/patches/nginx_1.13.1_http2_hpack.patch) by [Cloudflare](https://github.com/cloudflare/sslconfig)

- [nginx Strict-SNI Patch](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-421551872) by [@JemmyLoveJenny](https://github.com/JemmyLoveJenny)

- [OpenSSL OLD-CHACHA20-POLY1305](https://github.com/JemmyLoveJenny/ngx_ossl_patches) by [@JemmyLoveJenny](https://github.com/JemmyLoveJenny)

- [OpenSSL 1.1.1c PrioritizeChacha Patch](https://github.com/hakasenyang/openssl-patch/pull/17) by [@felixbuenemann](https://github.com/felixbuenemann)

- [nginx io_uring support Patch](https://github.com/hakasenyang/openssl-patch/pull/22) by [@CarterLi](https://github.com/CarterLi)

## Information

- [Test Page - (TLS 1.3 final)](https://ssl.haka.se/)

- [SSL Test Result - testssl.sh](https://ssl.haka.se/ssltest/haka.se.html)

- [SSL Test Result - dev.ssllabs.com](https://dev.ssllabs.com/ssltest/analyze.html?d=haka.se)

- **If you link site to a browser that supports final, you'll see a TLS 1.3 message.**

Displays TLSv1.3 support for large sites.

Default support is in bold type.

- [Baidu(China)](https://baidu.cn/) : **TLSv1.2**

- [Naver(Korea)](https://naver.com/) : **TLSv1.2**

- [Twitter](https://twitter.com/) : **TLSv1.2**

- [**My Site**](https://haka.se/) : _TLSv1.3_ **final**

- [Facebook](https://facebook.com/) : _TLSv1.3_ draft 23, 26, 28, **final**

- [Cloudflare](https://cloudflare.com/) : _TLSv1.3_ **final**

- [Google(Gmail)](https://gmail.com/) : _TLSv1.3_ **final**

- [NSS TLS 1.3(Mozilla)](https://tls13.crypto.mozilla.org/) : _TLSv1.3_ **final**

[Compatible OpenSSL-3.0.0-dev (OpenSSL, 25375 commits)](https://github.com/openssl/openssl/tree/7fa8bcfe4342df41919f5564b315f9c85d0a02d6)

[Compatible OpenSSL-3.0.0-dev-**revert** (OpenSSL, 25746 commits)](https://github.com/openssl/openssl/tree/3cb55fe47c3398b81956e4fe20c4004524d47519)

## Patch files

### The equal preference patch(openssl-equal-x) already includes the tls13_draft patch and the tls13_nginx_config(_ciphers file only) patch. Therefore, you do not need to patch it together.

You can find the _OpenSSL 1.1.0h_ patch is [here.](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1/OpenSSL1.1h-equal-preference-cipher-groups.patch)

Here is the basic patch content.

- BoringSSL's Equal Preference Patch

- Weak 3DES and not using ECDHE ciphers is not used in TLSv1.1 or later.

| Patch file name | Patch list |

| :--- | :--- |

| openssl-equal-1.1.1(x).patch
openssl-equal-3.0.0-dev.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |

| openssl-equal-1.1.1(x)_ciphers.patch
openssl-equal-3.0.0-dev_ciphers.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can_** be changed on _nginx_. |

| openssl-1.1.1(x)-chacha_draft.patch
openssl-3.0.0-dev-chacha_draft.patch | A draft version of chacha20-poly1305 is available. [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427554824) |

| openssl-1.1.1a-tls13_draft.patch | Only for **TLS 1.3 draft 23, 26, 28, final support patch**. |

| openssl-1.1.1a-tls13_nginx_config.patch | You can set TLS 1.3 ciphere in nginx. ex) TLS13+AESGCM+AES128 |

| openssl-1.1.1c-prioritize_chacha_draft.patch | Priority applied patch for CHACHA20 and CHACHA20-DRAFT. [View Pull Request](https://github.com/hakasenyang/openssl-patch/pull/17) |

| openssl-3.0.0-session_tls13.patch | For TLS 1.2 and below, the existing session timeout value is written. For TLS 1.3, 172800 (2 days) is fixed. |

| openssl-3.0.0-dev_version_error.patch | **TEST** This is a way to fix nginx when the following errors occur during the build:
Error: missing binary operator before token "("
Maybe patched: [https://github.com/openssl/openssl/pull/7839](https://github.com/openssl/openssl/pull/7839)
Patched : [https://github.com/openssl/openssl/commit/5d609f22d28615c45685d9da871d432e9cb81127](https://github.com/openssl/openssl/commit/5d609f22d28615c45685d9da871d432e9cb81127) |

| openssl-3.0.0-dev_revert.patch | **TEST** This file will revert the patch to use the old OpenSSL API. (This is an unsafe temporary measure.) |

| openssl-3.0.0-dev-chacha_draft_revert.patch
openssl-equal-3.0.0-dev_ciphers_revert.patch
openssl-equal-3.0.0-dev_revert.patch | **TEST** These patches should be used after patching the **openssl-3.0.0-dev_revert.patch** file **first.** |

**The "_ciphers" patch file is a temporary change to the TLS 1.3 configuration.**

Example of setting TLS 1.3 cipher in nginx:

| Example | Ciphers |

| :--- | :--- |

| Short Cipher |  TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20 |

| Fullname Cipher | TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 |

| TLS 1.3 + 1.2 ciphers | TLS13+AESGCM+AES128:EECDH+AES128 |

## Not OpenSSL patch files

| Patch file name | Patch list |

| :--- | :--- |

| nginx_hpack_push.patch | _Patch both_ the HPACK patch and the **PUSH ERROR**. |

| nginx_hpack_push_fix.patch | _Patch only_ the **PUSH ERROR** of the hpack patch. (If the HPACK patch has already been completed) |

| remove_nginx_server_header.patch | Remove nginx server header. (http2, http1.1) |

| nginx_hpack_remove_server_header_1.15.3.patch | HPACK + Remove nginx server header. (http2, http1.1) |

| nginx_strict-sni.patch | Enable **Strict-SNI**. Thanks [@JemmyLoveJenny](https://github.com/JemmyLoveJenny). [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-421551872) |

| nginx_openssl-1.1.x_renegotiation_bugfix.patch | Bugfix **Secure Client-Initiated Renegotiation**. (Check testssl.sh) OpenSSL >= 1.1.x, nginx = 1.15.4
[Patched nginx 1.15.5](https://github.com/nginx/nginx/commit/53803b4780be15d8014be183d4161091fd5f3376) |

| nginx_ocsp.sh | Some of the parts that can not get OCSP Stapling value at nginx start or reload are solved.
OCSP stapling in nginx is made up of a callback, so you only need to connect at least once to get the value.
This file is a temporary file and may not work normally. |

| nginx_io_uring.patch | Add **io_uring** support patch. Thanks [@CarterLi](https://github.com/CarterLi). [View how to install](https://github.com/hakasenyang/openssl-patch/pull/22) |

## How To Use?

### OpenSSL Patch

```

git clone https://github.com/openssl/openssl.git

git clone https://github.com/hakasenyang/openssl-patch.git

cd openssl

patch -p1 < ../openssl-patch/openssl-equal-3.0.0-dev_ciphers.patch

```

And then use --with-openssl in nginx or build after ./config.

### OpenSSL CHACHA20-POLY1305-OLD Patch

Thanks [@JemmyLoveJenny](https://github.com/JemmyLoveJenny)!

[View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427554824) / [Original Source](https://github.com/JemmyLoveJenny/ngx_ossl_patches/blob/master/ossl_enable_chacha20-poly1305-draft.patch)

```

git clone https://github.com/openssl/openssl.git

git clone https://github.com/hakasenyang/openssl-patch.git

cd openssl

patch -p1 < ../openssl-patch/openssl-1.1.1a-chacha_draft.patch

```

### nginx HPACK Patch

Run it from the nginx directory.

If you **have a** PUSH patch, use it as follows.

``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_fix.patch | patch -p1 ``

If you **did not** patch PUSH, use it as follows.

``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push.patch | patch -p1``

And then check the nginx configuration below.

### nginx Remove Server Header Patch

Run it from the nginx directory.

``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/remove_nginx_server_header.patch | patch -p1``

### nginx strict-sni patch

Run it from the nginx directory.

``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_strict-sni.patch | patch -p1``

This is a condition for using strict sni. [View issue.](https://github.com/hakasenyang/openssl-patch/issues/7#issuecomment-427664716)

- How to use nginx strict-sni?

    - **ONLY USE IN http { }**

    - strict_sni : nginx strict-sni ON/OFF toggle option.

    - strict_sni_header : if you do not want to respond to invalid headers. (**only with strict_sni**)

    - Strict SNI requires at least two ssl server (fake) settings (server { listen 443 ssl }).

    - It does not matter what kind of certificate or duplicate.

    - (>1.15.10) If no SNI is required, print the certificate without applying strict-SNI.

Thanks [@JemmyLoveJenny](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319), [@NewBugger](https://github.com/hakasenyang/openssl-patch/issues/7#issuecomment-427831677)!

### nginx OpenSSL-1.1.x Renegotiation Bugfix

It has already been patched by nginx >= 1.15.4.

Run it from the nginx directory.

``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_openssl-1.1.x_renegotiation_bugfix.patch | patch -p1``

### io_uring Patch

[View this link.](https://github.com/hakasenyang/openssl-patch/pull/22)

## nginx Configuration

### HPACK Patch

Add configure arguments : ``--with-http_v2_hpack_enc``

### SSL Setting

```

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

ssl_ciphers [Copy it from below and paste it here.];

ssl_ecdh_curve X25519:P-256:P-384;

ssl_prefer_server_ciphers on;

```

### OpenSSL-1.1.1a, 3.0.0-dev ciphers

```

[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES

```

### OpenSSL-1.1.1a_ciphers, 3.0.0-dev_ciphers ciphers

```

[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES

```

## Other.

### nginx ocsp shell

The configuration file recognizes the ***.conf** file in **/etc/nginx**.

Precedence settings in **nginx.conf** are as follows:

worker_processes 1 - **If this number is high, the remaining worker processes do not have OCSP Stapling values.**

After reload or restart, execute the corresponding shell. That's it!

I tried to edit nginx, but I have not found a good way yet. :(