hakasenyang / openssl-patch Goto Github PK
View Code? Open in Web Editor NEWOpenSSL & NginX Patch
Home Page: https://hks.pw/ossl
License: Other
OpenSSL & NginX Patch
Home Page: https://hks.pw/ossl
License: Other
nginx_hpack_push.patch and remove_nginx_server_header.patch don't work together
patch -p1 < ../openssl-patch/remove_nginx_server_header.patch
patching file src/http/ngx_http_header_filter_module.c
patching file src/http/ngx_http_special_response.c
patching file src/http/v2/ngx_http_v2_filter_module.c
# patch -p1 < ../openssl-patch/nginx_hpack_push.patch
patching file auto/modules
patching file auto/options
Hunk #2 succeeded at 226 (offset 2 lines).
Hunk #3 succeeded at 442 (offset 6 lines).
patching file src/core/ngx_murmurhash.c
patching file src/core/ngx_murmurhash.h
patching file src/http/v2/ngx_http_v2.c
Hunk #1 succeeded at 270 with fuzz 2 (offset -2 lines).
Hunk #2 succeeded at 2080 with fuzz 1 (offset 3 lines).
patching file src/http/v2/ngx_http_v2.h
patching file src/http/v2/ngx_http_v2_encode.c
patching file src/http/v2/ngx_http_v2_filter_module.c
Hunk #2 FAILED at 198.
Hunk #3 succeeded at 457 (offset -21 lines).
Hunk #4 succeeded at 465 (offset -21 lines).
Hunk #5 FAILED at 506.
Hunk #6 succeeded at 547 (offset -45 lines).
Hunk #7 succeeded at 599 (offset -45 lines).
Hunk #8 succeeded at 960 (offset -45 lines).
Hunk #9 succeeded at 970 (offset -45 lines).
Hunk #10 succeeded at 990 with fuzz 2 (offset -45 lines).
Hunk #11 succeeded at 1015 (offset -43 lines).
2 out of 11 hunks FAILED -- saving rejects to file src/http/v2/ngx_http_v2_filter_module.c.rej
patching file src/http/v2/ngx_http_v2_table.c
or else
# patch -p1 < ../openssl-patch/nginx_hpack_push.patch
patching file auto/modules
patching file auto/options
Hunk #2 succeeded at 226 (offset 2 lines).
Hunk #3 succeeded at 442 (offset 6 lines).
patching file src/core/ngx_murmurhash.c
patching file src/core/ngx_murmurhash.h
patching file src/http/v2/ngx_http_v2.c
Hunk #1 succeeded at 270 with fuzz 2 (offset -2 lines).
Hunk #2 succeeded at 2080 with fuzz 1 (offset 3 lines).
patching file src/http/v2/ngx_http_v2.h
patching file src/http/v2/ngx_http_v2_encode.c
patching file src/http/v2/ngx_http_v2_filter_module.c
Hunk #10 succeeded at 994 with fuzz 2.
Hunk #11 succeeded at 1019 (offset 2 lines).
patching file src/http/v2/ngx_http_v2_table.c
# patch -p1 < ../openssl-patch/remove_nginx_server_header.patch
patching file src/http/ngx_http_header_filter_module.c
patching file src/http/ngx_http_special_response.c
patching file src/http/v2/ngx_http_v2_filter_module.c
Hunk #1 FAILED at 148.
Hunk #2 succeeded at 300 (offset 41 lines).
Hunk #3 FAILED at 467.
2 out of 3 hunks FAILED -- saving rejects to file src/http/v2/ngx_http_v2_filter_module.c.rej
Is it available to patch nginx 1.14.1 ?
Now it has too many mistakes
The openssl-equal-1.1.1.patch is great but it is a complex combination of various functions.
How can I just enable previous TLS 1.3 draft feature?
这个东西可以禁止nginx使用sni嘛?一台服务器只用一个证书
When using default openssl 1.1.1 without any patch and enable tls1.3 feature, the ssllabs test will show suites in server-preferred order in the cipher part.
However, if your equal patch or openssl prefer patch enabled, the tls 1.3 part will show server has no preference.
The latest commit in Gitlab is 11 months ago.
Hi,
Using the following code, I can't patch OpenSSL as I used to do before:
latest_nginx=$(curl -L http://nginx.org/en/download.html | egrep -o "nginx\-[0-9.]+\.tar[.a-z]*" | head -n 1)
git clone https://github.com/openssl/openssl.git --branch OpenSSL_1_1_1-stable
git clone https://github.com/hakasenyang/openssl-patch.git
cd openssl
patch -p1 < ../openssl-patch/openssl-1.1.1d-chacha_draft.patch
I got the following error:
Hunk #1 succeeded at 919 (offset 4 lines).
patching file include/openssl/obj_mac.h
patching file include/openssl/ssl.h
patching file include/openssl/tls1.h
patching file ssl/s3_lib.c
patching file ssl/ssl_ciph.c
Hunk #4 succeeded at 1795 (offset 1 line).
Hunk #5 succeeded at 2122 (offset 1 line).
can't find file to patch at input line 486
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
|index fa0f6d018c..f2a95c263a 100644
|--- a/ssl/ssl_locl.h
|+++ b/ssl/ssl_locl.h
-------------------------
Any idea ?
Thanks
here, i saw a patch like this :
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
(NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
i made a commit and it worked now.
the matter is, what's the situation to apply it and what's the concrete purpose ? whatever either OpenSSL or BoringSSL supports TLSv1.3 for Nginx now.
nginx_strict-sni_1.15.10 patch not applying cleanily on version 1.18 and 1.19
That's very strange that this issue happens completely randomly. It seems that the content is not fully loaded.
I found that it happens more often on requests that have no Content-Length
. I have tried removing all custom patches (including io_uring patch of course), but the issue won't disappear.
Have you guys ever encountered this issue?
$ /usr/src/openssl-1.1.1d # patch -p1 < openssl-equal-1.1.1d_ciphers.patch
patching file doc/man1/ciphers.pod
patching file include/openssl/ssl.h
patching file include/openssl/sslerr.h
Hunk #1 succeeded at 600 (offset 4 lines).
Hunk #2 succeeded at 733 (offset 4 lines).
patching file ssl/s3_lib.c
Hunk #9 succeeded at 4130 (offset 1 line).
Hunk #10 succeeded at 4150 (offset 1 line).
Hunk #11 succeeded at 4194 (offset 1 line).
Hunk #12 succeeded at 4231 (offset 1 line).
Hunk #13 succeeded at 4262 (offset 1 line).
Hunk #14 succeeded at 4282 (offset 1 line).
Hunk #15 succeeded at 4297 (offset 1 line).
Hunk #16 succeeded at 4309 (offset 1 line).
patching file ssl/ssl_ciph.c
Hunk #14 FAILED at 1437.
Hunk #15 FAILED at 1450.
Hunk #16 succeeded at 1460 (offset 1 line).
Hunk #17 succeeded at 1522 (offset 1 line).
Hunk #18 succeeded at 1540 (offset 1 line).
Hunk #19 succeeded at 1554 (offset 1 line).
Hunk #20 succeeded at 1579 (offset 1 line).
Hunk #21 succeeded at 1595 (offset 1 line).
Hunk #22 succeeded at 1617 (offset 1 line).
Hunk #23 succeeded at 1643 (offset 1 line).
Hunk #24 succeeded at 1680 (offset 1 line).
2 out of 24 hunks FAILED -- saving rejects to file ssl/ssl_ciph.c.rej
patching file ssl/ssl_err.c
patching file ssl/ssl_lib.c
Hunk #1 succeeded at 1122 (offset 5 lines).
Hunk #2 succeeded at 1227 (offset 5 lines).
Hunk #3 succeeded at 2502 (offset 6 lines).
Hunk #4 succeeded at 2578 (offset 6 lines).
Hunk #5 succeeded at 3029 (offset 6 lines).
Hunk #6 succeeded at 3205 (offset 6 lines).
Hunk #7 succeeded at 3883 (offset 6 lines).
patching file ssl/ssl_locl.h
patching file ssl/statem/statem_srvr.c
Hunk #4 succeeded at 2252 (offset -2 lines).
The openssl-equal-1.1.1d_ciphers patch fails with OpenSSL version 1.1.1d.
kernel 5.10.0-8-amd64.
2021/07/23 23:14:25 [emerg] 102828#102828: io_uring_queue_init_params() failed (12: Out of memory)
2021/07/23 23:14:25 [emerg] 102832#102832: io_uring_queue_init_params() failed (12: Out of memory)
2021/07/23 23:14:25 [emerg] 102835#102835: io_uring_queue_init_params() failed (12: Out of memory)
2021/07/23 23:14:25 [emerg] 102836#102836: io_uring_queue_init_params() failed (12: Out of memory)
After patch:openssl-1.1.2-dev-chacha_draft.patch
, openssl compile failed.
gcc -I. -Iinclude -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -march=native -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/etc/pki/tls\"" -DENGINESDIR="\"/data/src/openssl/.openssl/lib/engines-1.1\"" -DZLIB -DNDEBUG -MMD -MF ssl/libssl-shlib-ssl_asn1.d.tmp -MT ssl/libssl-shlib-ssl_asn1.o -c -o ssl/libssl-shlib-ssl_asn1.o ssl/ssl_asn1.c
Disordered ordinals, 4534 < 4553 at ./util/mkdef.pl line 153.
make[1]: *** [Makefile:6100: libcrypto.ld] Error 25
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory '/data/src/openssl'
make: *** [Makefile:171: all] Error 2
openssl dev
# curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl-3.0.0-dev-chacha_draft.patch | patch -p1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 21497 100 21497 0 0 135k 0 --:--:-- --:--:-- --:--:-- 135k
patching file crypto/evp/c_allc.c
patching file crypto/evp/e_chacha20_poly1305.c
patching file crypto/objects/obj_dat.h
patching file crypto/objects/obj_mac.num
patching file crypto/objects/objects.txt
patching file include/openssl/evp.h
Hunk #1 succeeded at 959 (offset 2 lines).
patching file include/openssl/obj_mac.h
patching file include/openssl/ssl.h
patching file include/openssl/tls1.h
patching file ssl/s3_lib.c
patching file ssl/ssl_ciph.c
patching file ssl/ssl_locl.h
patching file util/libcrypto.num
Hunk #1 FAILED at 4752.
1 out of 1 hunk FAILED -- saving rejects to file util/libcrypto.num.rej
I really enjoy the information stated at https://ssl.hakase.io and would also like to host such kind of application on my server, too.
Thanks!
Hi,
I am using these 2 patches with OpenSSL 1.1.1c, it seems these two patches have conflicts on ssl/s3_lib.c file
==> Downloading https://github.com/hakasenyang/openssl-patch/raw/master/openssl-1.1.1e-dev-chacha_draft.patch
==> Downloading from https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl-1.1.1e-dev-chacha_draft.
######################################################################## 100.0%
Warning: Cannot verify integrity of 14e39691ac62d013e7709a381d08f64e7b13645a82e8599464de9c7c6997c6e3--openssl-1.1.1e-dev-chacha_draft.patch
A checksum was not provided for this resource.
For your reference the SHA-256 is: 4f2f2a9abcee9476f6aae7e5160b82efbf7720f0a2b0cdb45d1b9ea7c059289c
==> Patching
==> Applying openssl-1.1.1c-prioritize_chacha_draft.patch
patching file ssl/s3_lib.c
==> Applying openssl-1.1.1e-dev-chacha_draft.patch
patching file crypto/evp/c_allc.c
patching file crypto/evp/e_chacha20_poly1305.c
Hunk #7 succeeded at 580 (offset 4 lines).
Hunk #8 succeeded at 672 (offset 5 lines).
patching file crypto/objects/obj_dat.h
patching file crypto/objects/obj_mac.num
patching file crypto/objects/objects.txt
patching file include/openssl/evp.h
Hunk #1 succeeded at 919 (offset 4 lines).
patching file include/openssl/obj_mac.h
patching file include/openssl/ssl.h
patching file include/openssl/tls1.h
patching file ssl/s3_lib.c
patching file ssl/ssl_ciph.c
Hunk #4 succeeded at 1795 (offset 1 line).
Hunk #5 succeeded at 2122 (offset 1 line).
patching file ssl/ssl_local.h
patching file util/libcrypto.num
Hunk #1 FAILED at 4582.
1 out of 1 hunk FAILED -- saving rejects to file util/libcrypto.num.rej
Error: Failure while executing; `patch -g 0 -f -p1 -i /private/tmp/[email protected]/openssl-1.1.1e-dev-chacha_draft.patch` exited with 1.
$ curl -L https://github.com/hakasenyang/openssl-patch/raw/master/openssl-1.1.1c-chacha_draft.patch | patch -p1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 166 100 166 0 0 26 0 0:00:06 0:00:06 --:--:-- 40
100 21643 100 21643 0 0 2868 0 0:00:07 0:00:07 --:--:-- 101k
patching file crypto/evp/c_allc.c
patching file crypto/evp/e_chacha20_poly1305.c
patching file crypto/objects/obj_dat.h
patching file crypto/objects/obj_mac.num
patching file crypto/objects/objects.txt
patching file include/openssl/evp.h
patching file include/openssl/obj_mac.h
patching file include/openssl/ssl.h
patching file include/openssl/tls1.h
patching file ssl/s3_lib.c
Hunk #1 succeeded at 2088 (offset 6 lines).
patching file ssl/ssl_ciph.c
Hunk #3 succeeded at 278 (offset 1 line).
Hunk #4 succeeded at 1873 (offset 79 lines).
Hunk #5 succeeded at 2200 (offset 79 lines).
patching file ssl/ssl_locl.h
patching file util/libcrypto.num
Hunk #1 FAILED at 4579.
1 out of 1 hunk FAILED -- saving rejects to file util/libcrypto.num.rej
It's about 5 months that the patch hasn't been updated. Will u consider to adapt the latest openssl3 release?
git clone https://github.com/openssl/openssl
Cloning into 'openssl'...
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 346217 (delta 0), reused 0 (delta 0), pack-reused 346213
Receiving objects: 100% (346217/346217), 174.81 MiB | 35.68 MiB/s, done.
cd /root/openssl: 0% (0/238343)
Resolving deltas: 100% (238343/238343), done.
Checking out files: 100% (18637/18637), done.
cd /root/openssl
curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl-3.0.0-dev-chacha_draft.patch | patch -p1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 21497 100 21497 0 0 304k 0 --:--:-- --:--:-- --:--:-- 304k
patching file crypto/evp/c_allc.c
patching file crypto/evp/e_chacha20_poly1305.c
patching file crypto/objects/obj_dat.h
Hunk #1 FAILED at 1084.
Hunk #2 FAILED at 2294.
Hunk #3 succeeded at 2425 (offset 6 lines).
Hunk #4 FAILED at 3500.
Hunk #5 succeeded at 3897 (offset 12 lines).
3 out of 5 hunks FAILED -- saving rejects to file crypto/objects/obj_dat.h.rej
patching file crypto/objects/obj_mac.num
Hunk #1 FAILED at 1205.
1 out of 1 hunk FAILED -- saving rejects to file crypto/objects/obj_mac.num.rej
patching file crypto/objects/objects.txt
Hunk #1 succeeded at 1548 (offset 3 lines).
patching file include/openssl/evp.h
Hunk #1 succeeded at 976 (offset 17 lines).
patching file include/openssl/obj_mac.h
Hunk #1 succeeded at 4852 (offset 15 lines).
patching file include/openssl/ssl.h
Hunk #1 succeeded at 131 (offset 6 lines).
patching file include/openssl/tls1.h
Hunk #1 succeeded at 573 (offset 6 lines).
Hunk #2 succeeded at 743 (offset 6 lines).
Hunk #3 succeeded at 1074 (offset 6 lines).
patching file ssl/s3_lib.c
patching file ssl/ssl_ciph.c
can't find file to patch at input line 486
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
|index b66979b4da..195267cb5e 100644
|--- a/ssl/ssl_locl.h
|+++ b/ssl/ssl_locl.h
--------------------------
File to patch:
Skip this patch? [y] y
Skipping patch.
1 out of 1 hunk ignored
patching file util/libcrypto.num
Hunk #1 FAILED at 4764.
1 out of 1 hunk FAILED -- saving rejects to file util/libcrypto.num.rej
openssl-1.1.1c
patch -p1 < ../../patch/openssl-equal-1.1.1d.patch
patch -p1 < ../../patch/openssl-equal-1.1.1d_ciphers.patch
patch -p1 < ../../patch/openssl-1.1.1c-chacha_draft.patch
only need 1.1.1d_ciphers.patch.
This patch tries to use the new AIO kernel feature io_uring
. It simply replace the old Linux AIO
code with liburing
( almost function to function change ). Have no time to test it yet.
Any feedback is welcome.
Instead of using eventfd to bridge AIO code with epoll module, the patch polls ring_fd directly, which reduces a lot of code ( and may get better performance )
Should apply to the clean nginx-1.17.0
Patch removed
Public domain
OpenSSL has its own implementation to prioritize Chacha20 when client does.
It is easy to enable this feature by default and it does the same work of BoringSSL's Equal Preference
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 7713f76..e8ad162 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4159,7 +4159,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
/* If ChaCha20 is at the top of the client preference list,
and there are ChaCha20 ciphers in the server list, then
temporarily prioritize all ChaCha20 ciphers in the servers list. */
- if (s->options & SSL_OP_PRIORITIZE_CHACHA && sk_SSL_CIPHER_num(clnt) > 0) {
+ if (sk_SSL_CIPHER_num(clnt) > 0) {
c = sk_SSL_CIPHER_value(clnt, 0);
if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
/* ChaCha20 is client preferred, check server... */
I was applying the patches in the latest https://github.com/openssl/openssl/tree/OpenSSL_1_1_1-stable branch
$ patch -p1 < openssl-1.1.1a-tls13_draft.patch < openssl-equal-1.1.1a_ciphers.patch
patching file include/openssl/ssl.h
patching file include/openssl/tls1.h
patching file ssl/record/ssl3_record_tls13.c
patching file ssl/ssl_locl.h
patching file ssl/statem/extensions_clnt.c
patching file ssl/statem/extensions_srvr.c
patching file ssl/statem/statem_lib.c
Hunk #1 succeeded at 1788 (offset 2 lines).
Hunk #2 succeeded at 1811 (offset 2 lines).
Hunk #3 succeeded at 1850 (offset 2 lines).
patching file ssl/t1_trce.c
patching file doc/man1/ciphers.pod
patching file include/openssl/sslerr.h
patching file include/openssl/tls1.h
Reversed (or previously applied) patch detected! Assume -R? [n] ^C
$ curl -L https://github.com/hakasenyang/openssl-patch/raw/master/openssl-equal-1.1.1a_ciphers.patch | patch -p1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 167 100 167 0 0 105 0 0:00:01 0:00:01 --:--:-- 105
100 45427 100 45427 0 0 4997 0 0:00:09 0:00:09 --:--:-- 11356
patching file doc/man1/ciphers.pod
patching file include/openssl/sslerr.h
Hunk #1 FAILED at 596.
Hunk #2 succeeded at 727 (offset 1 line).
1 out of 2 hunks FAILED -- saving rejects to file include/openssl/sslerr.h.rej
patching file ssl/s3_lib.c
patching file ssl/ssl_ciph.c
Hunk #1 succeeded at 192 (offset 2 lines).
Hunk #2 succeeded at 297 (offset 2 lines).
Hunk #3 succeeded at 683 (offset 2 lines).
Hunk #4 succeeded at 777 (offset 2 lines).
Hunk #5 succeeded at 786 (offset 2 lines).
Hunk #6 succeeded at 865 (offset 2 lines).
Hunk #7 succeeded at 873 (offset 2 lines).
Hunk #8 succeeded at 885 (offset 2 lines).
Hunk #9 succeeded at 953 (offset 2 lines).
Hunk #10 succeeded at 968 (offset 2 lines).
Hunk #11 succeeded at 979 (offset 2 lines).
Hunk #12 succeeded at 1063 (offset 2 lines).
Hunk #13 succeeded at 1080 (offset 2 lines).
Hunk #14 succeeded at 1259 (offset 2 lines).
Hunk #15 succeeded at 1269 (offset 2 lines).
Hunk #16 succeeded at 1438 (offset 2 lines).
Hunk #17 succeeded at 1451 (offset 2 lines).
Hunk #18 succeeded at 1460 (offset 2 lines).
Hunk #19 succeeded at 1522 (offset 2 lines).
Hunk #20 succeeded at 1540 (offset 2 lines).
Hunk #21 succeeded at 1554 (offset 2 lines).
Hunk #22 succeeded at 1579 (offset 2 lines).
Hunk #23 succeeded at 1595 (offset 2 lines).
Hunk #24 succeeded at 1620 (offset 2 lines).
Hunk #25 succeeded at 1646 (offset 2 lines).
Hunk #26 succeeded at 1666 (offset 2 lines).
patching file ssl/ssl_err.c
Hunk #1 FAILED at 965.
Hunk #2 succeeded at 1201 (offset 2 lines).
1 out of 2 hunks FAILED -- saving rejects to file ssl/ssl_err.c.rej
patching file ssl/ssl_lib.c
Hunk #5 succeeded at 3021 (offset 20 lines).
Hunk #6 succeeded at 3197 (offset 20 lines).
Hunk #7 succeeded at 3875 (offset 20 lines).
patching file ssl/ssl_locl.h
Hunk #3 succeeded at 2300 (offset -2 lines).
Hunk #4 succeeded at 2310 (offset -2 lines).
Hunk #5 succeeded at 2400 (offset -2 lines).
patching file ssl/statem/statem_srvr.c
Hunk #1 succeeded at 1750 (offset 6 lines).
Hunk #2 succeeded at 1931 (offset 6 lines).
Hunk #3 succeeded at 1940 (offset 6 lines).
Hunk #4 succeeded at 2256 (offset 6 lines).
$ git branch -vv
master 0db957d [origin/master:落后 629] Add a GMAC demonstration program.
* stable f408e2a [origin/OpenSSL_1_1_1-stable] Rearrange the inclusion of curve448/curve448_lcl.h
Thanks
in the patch , it contains this:
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c 2018-10-02 15:13:36.414143028 +0000
+++ b/src/event/ngx_event_openssl.c 2018-10-04 13:58:28.756873433 +0000
@@ -1456,6 +1456,13 @@ ngx_ssl_handshake(ngx_connection_t *c)
c->read->error = 1;
+
+ if (sslerr == SSL_ERROR_SSL) {
+ ERR_peek_error();
+ ERR_clear_error();
+ return NGX_ERROR;
+ }
+
ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
return NGX_ERROR;
but in this commit :
Not compatible with ssl_early_data.
i use BoringSSL and ssl_early_data on;
directive.
Strict-SNI is awesome, but I found that it only validate domain name. When server_name
is set to a IP address (https://115.159.188.148), Nginx will return ERR_SSL_UNRECOGNIZED_NAME_ALERT error.
With Strict-SNI enable,
$ openssl s_client -connect 115.159.188.148:443
CONNECTED(00000003)
140135929659840:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1399:SSL alert number 112
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1543853957
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
With Strict-SNI disable,
$ openssl s_client -connect 115.159.188.148:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
verify return:1
depth=1 C = US, ST = CO, L = Denver, O = TrustOcean Ltd., OU = ECC Domain Validation Secure Server - 2018, CN = TrustOcean SSL CA - ECC - 2018
verify return:1
depth=0 CN = giuem.com
verify return:1
---
Certificate chain
0 s:/CN=giuem.com
i:/C=US/ST=CO/L=Denver/O=TrustOcean Ltd./OU=ECC Domain Validation Secure Server - 2018/CN=TrustOcean SSL CA - ECC - 2018
1 s:/C=US/ST=CO/L=Denver/O=TrustOcean Ltd./OU=ECC Domain Validation Secure Server - 2018/CN=TrustOcean SSL CA - ECC - 2018
i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority
2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEdDCCBBqgAwIBAgIRALGKW4Iu4GYlcFoTblsWpMAwCgYIKoZIzj0EAwIwgaMx
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRgwFgYD
VQQKEw9UcnVzdE9jZWFuIEx0ZC4xMzAxBgNVBAsTKkVDQyBEb21haW4gVmFsaWRh
dGlvbiBTZWN1cmUgU2VydmVyIC0gMjAxODEnMCUGA1UEAxMeVHJ1c3RPY2VhbiBT
U0wgQ0EgLSBFQ0MgLSAyMDE4MB4XDTE4MTIwMzAwMDAwMFoXDTE5MDMwMzIzNTk1
OVowFDESMBAGA1UEAxMJZ2l1ZW0uY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEl0UHaGSKQ1Nx+fouu1y9oETNDOI1Mqf3a78ntg7aTYKTBGmcf6zBWUE5/Bpf
cYp3EKkh66+psdRWLIgtH6y+yqOCArswggK3MB8GA1UdIwQYMBaAFDiF49YKamxI
k2wf+YG2R9vIJJ9lMB0GA1UdDgQWBBSiKA7abgcMCQPOw2vnTI6ktvFsHzAOBgNV
HQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwSwYDVR0gBEQwQjA2BgsrBgEEAbIxAQICPzAnMCUGCCsGAQUFBwIB
FhlodHRwczovL2Nwcy51c2VydHJ1c3QuY29tMAgGBmeBDAECATBGBgNVHR8EPzA9
MDugOaA3hjVodHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vVHJ1c3RPY2VhblNTTENB
LUVDQy0yMDE4LmNybDB4BggrBgEFBQcBAQRsMGowQQYIKwYBBQUHMAKGNWh0dHA6
Ly9jcnQudXNlcnRydXN0LmNvbS9UcnVzdE9jZWFuU1NMQ0EtRUNDLTIwMTguY3J0
MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMCAGA1UdEQQZ
MBeCCWdpdWVtLmNvbYcEc5+8lIcEdxwCIzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA
8QB2ALvZ37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABZ3SNoukAAAQD
AEcwRQIgCrCtafblX97qkZR0fzkkeb+ZmJ0Sy9oDSdOqVrfC5/YCIQCZPlQNxWhi
vAvYcLrWinilsV+rOCPplR6hKzlfE4axKwB3AHR+2oMxrTMQkSGcziVPQnDCv/1e
QiAIxjc1eeYQe8xWAAABZ3SNoycAAAQDAEgwRgIhAOinNvBggMhnUuUdjHVSGx4L
6xS0pt+Cjff+SCSY0u4fAiEAs+r4Rnq1ZY2ZK3ArJZZO7UdNJ0r5HhcW/NSK2rLP
K+owCgYIKoZIzj0EAwIDSAAwRQIhAPnZzWcrZAb44txbtRkeDnlMmTHGtTlgdaSL
ekHicTjaAiA+G1fgffGrx7mhletd/6ifzG64RIECSsUrSEYVMFD96g==
-----END CERTIFICATE-----
subject=/CN=giuem.com
issuer=/C=US/ST=CO/L=Denver/O=TrustOcean Ltd./OU=ECC Domain Validation Secure Server - 2018/CN=TrustOcean SSL CA - ECC - 2018
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3384 bytes and written 261 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-CHACHA20-POLY1305
Session-ID: E8F080DC8E9B1DBE0744EE6AD114355AF878FA24DE51E2B6BC992FCB593F4738
Session-ID-ctx:
Master-Key: 764A48BCF33970A8A6BF53FCA978A7B2615846E40DE16FD5C914A7D9B98CC563963EA1A855CA9EFAC9DF3444C2A14469
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1543854011
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
closed
OpenSSL is the lastest version in GitHub.
patch -p1 < ../openssl-patch/openssl-equal-3.0.0-dev_ciphers.patch
patching file crypto/err/openssl.txt
Hunk #1 succeeded at 2922 (offset 30 lines).
Hunk #2 succeeded at 3030 (offset 30 lines).
patching file doc/man1/ciphers.pod
patching file include/openssl/sslerr.h
patching file ssl/s3_lib.c
Hunk #6 succeeded at 4115 (offset -9 lines).
Hunk #7 succeeded at 4135 (offset -9 lines).
Hunk #8 succeeded at 4179 (offset -9 lines).
Hunk #9 succeeded at 4216 (offset -9 lines).
Hunk #10 succeeded at 4247 (offset -9 lines).
Hunk #11 succeeded at 4266 (offset -9 lines).
Hunk #12 FAILED at 4290.
Hunk #13 succeeded at 4300 (offset -9 lines).
1 out of 13 hunks FAILED -- saving rejects to file ssl/s3_lib.c.rej
patching file ssl/ssl_ciph.c
patching file ssl/ssl_err.c
patching file ssl/ssl_lib.c
Hunk #3 succeeded at 2558 (offset -7 lines).
Hunk #4 succeeded at 2634 (offset -7 lines).
Hunk #5 succeeded at 3077 (offset -9 lines).
Hunk #6 succeeded at 3253 (offset -9 lines).
Hunk #7 succeeded at 3929 (offset -9 lines).
patching file ssl/ssl_locl.h
Hunk #2 succeeded at 1356 (offset 174 lines).
patching file ssl/statem/statem_srvr.c
git clone https://github.com/openssl/openssl
Cloning into 'openssl'...
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 346217 (delta 0), reused 0 (delta 0), pack-reused 346213
Receiving objects: 100% (346217/346217), 174.81 MiB | 35.68 MiB/s, done.
cd /root/openssl: 0% (0/238343)
Resolving deltas: 100% (238343/238343), done.
Checking out files: 100% (18637/18637), done.
cd /root/openssl
curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl-equal-3.0.0-dev_ciphers.patch | patch -p1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 47490 100 47490 0 0 1855k 0 --:--:-- --:--:-- --:--:-- 1855k
patching file crypto/err/openssl.txt
Hunk #1 succeeded at 3016 (offset 16 lines).
Hunk #2 succeeded at 3124 (offset 16 lines).
patching file doc/man1/openssl-ciphers.pod
Hunk #1 succeeded at 401 (offset 2 lines).
patching file include/openssl/sslerr.h
Hunk #1 succeeded at 609 (offset 6 lines).
Hunk #2 succeeded at 741 (offset 6 lines).
patching file ssl/s3_lib.c
patching file ssl/ssl_ciph.c
patching file ssl/ssl_err.c
patching file ssl/ssl_lib.c
can't find file to patch at input line 1022
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
|index b66979b4da..80109b925c 100644
|--- a/ssl/ssl_locl.h
|+++ b/ssl/ssl_locl.h
--------------------------
File to patch:
Skip this patch? [y] y
Skipping patch.
5 out of 5 hunks ignored
patching file ssl/statem/statem_srvr.c
Just a heads up with Nginx 1.15.3 master branch, HPACK patch will break again it seems
ccache gcc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -Wno-error=strict-aliasing -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf -Wno-deprecated-declarations -DNDK_SET_VAR -DNDK_UPSTREAM_LIST -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/include -I ../ngx_devel_kit-0.3.0/objs -I objs/addon/ndk -I ../ngx_devel_kit-0.3.0/src -I ../ngx_devel_kit-0.3.0/objs -I objs/addon/ndk -I ../pcre-8.42 -I ../openssl-tls1.3/.openssl/include -I ../zlib-cloudflare-1.3.0 -I objs -I src/http -I src/http/modules -I src/http/v2 -I ../ngx_devel_kit-0.3.0/src \
-o objs/src/http/modules/ngx_http_index_module.o \
src/http/modules/ngx_http_index_module.c
src/http/v2/ngx_http_v2.c: In function ‘ngx_http_v2_state_settings_params’:
src/http/v2/ngx_http_v2.c:2083:9: error: duplicate case value
case NGX_HTTP_V2_HEADER_TABLE_SIZE_SETTING:
^~~~
src/http/v2/ngx_http_v2.c:2078:9: note: previously used here
case NGX_HTTP_V2_HEADER_TABLE_SIZE_SETTING:
^~~~
make[1]: *** [objs/src/http/v2/ngx_http_v2.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory `/svr-setup/nginx-master'
make: *** [build] Error 2
Hello,
Thanks for the patches!
The openssl-1.1.1h-chacha_draft
patch fails when applying to the OpenSSL version 1.1.1h
.
wget https://www.openssl.org/source/openssl-1.1.1h.tar.gz
tar -xf openssl-1.1.1h.tar.gz
cd openssl-1.1.1h/
wget https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl-1.1.1h-chacha_draft.patch
$ patch --dry-run -p1 < openssl-1.1.1h-chacha_draft.patch
checking file crypto/evp/c_allc.c
checking file crypto/evp/e_chacha20_poly1305.c
checking file crypto/objects/obj_dat.h
checking file crypto/objects/obj_mac.num
checking file crypto/objects/objects.txt
checking file include/openssl/evp.h
checking file include/openssl/obj_mac.h
checking file include/openssl/ssl.h
checking file include/openssl/tls1.h
checking file ssl/s3_lib.c
checking file ssl/ssl_ciph.c
checking file ssl/ssl_local.h
checking file util/libcrypto.num
Hunk #1 FAILED at 4590.
1 out of 1 hunk FAILED
Since Nginx 1.19.4 is released, the "strict-sni" patch is no longer needs to be used due to the feature ssl_reject_handshake.
This issue is only for telling my huge thanks to you for your repo advanced my server's security. I will close the issue later.
Update: Nginx 1.19.4 does not implement the feature of strict_sni_header
.
Since Nginx already make the feature which works same as strict_sni
, I hope the maintainer can make the strict_sni_header
-only patch for the Nginx 1.19.4 and above.
Nginx version: 1.18.0
OpenSSL version: Compatible OpenSSL-3.0.0-dev-revert (OpenSSL, 25746 commits)
Patch logs:
patching file crypto/err/openssl.txt
�[91mPossibly reversed hunk 1 at 3476
Hunk 1 FAILED 3009/3009.
SM2_R_INVALID_FIELD:105:invalid field
SM2_R_NO_PARAMETERS_SET:109:no parameters set
SM2_R_USER_ID_TOO_LARGE:106:user id too large
+SSL_R_ALGORITHM_FETCH_FAILED:295:algorithm fetch failed
SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY:291:\
application data after close notify
SSL_R_APP_DATA_IN_HANDSHAKE:100:app data in handshake
�[0m
�[91mPossibly reversed hunk 1 at 814
Hunk 1 FAILED 405/405.
=back
+=head1 EQUAL PREFERENCE GROUPS
+
+If configuring a server, one may also configure equal-preference groups to
+partially respect the client's preferences when
+B<SSL_OP_CIPHER_SERVER_PREFERENCE> is enabled. Ciphers in an equal-preference
+group have equal priority and use the client order. This may be used to
+enforce that AEADs are preferred but select AES-GCM vs. ChaCha20-Poly1305
+based on client preferences. An equal-preference is specified with square
+brackets, combining multiple selectors separated by |. For example:
+
+ [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]
+
+ Once an equal-preference group is used, future directives must be
+ opcode-less.
+
=head1 CIPHER SUITE NAMES
The following lists give the SSL or TLS cipher suites names from the
�[0m
�[91mHunk 1 FAILED 10/10.
#ifndef OPENSSL_SSLERR_H
# define OPENSSL_SSLERR_H
-# pragma once
-
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-# define HEADER_SSLERR_H
-# endif
# include <openssl/opensslconf.h>
# include <openssl/symhacks.h>
�[0m
�[91mHunk 6 FAILED 266/272.
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
- SSL3_VERSION, TLS1_2_VERSION,
+ SSL3_VERSION, TLS1_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
�[0m
�[91mPossibly reversed hunk 1 at 2276
Hunk 1 FAILED 193/193.
const SSL_CIPHER *cipher;
int active;
int dead;
+ int in_group;
struct cipher_order_st *next, *prev;
} CIPHER_ORDER;
�[0m
�[91mPossibly reversed hunk 1 at 571
Hunk 1 FAILED 14/14.
#ifndef OPENSSL_NO_ERR
static const ERR_STRING_DATA SSL_str_reasons[] = {
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ALGORITHM_FETCH_FAILED),
+ "algorithm fetch failed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY),
"application data after close notify"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APP_DATA_IN_HANDSHAKE),
�[0m
�[91mPossibly reversed hunk 1 at 5904
Hunk 1 FAILED 1127/1127.
return X509_VERIFY_PARAM_set1(ssl->param, vpm);
}
+void ssl_cipher_preference_list_free(struct ssl_cipher_preference_list_st
+ *cipher_list)
+{
+ sk_SSL_CIPHER_free(cipher_list->ciphers);
+ OPENSSL_free(cipher_list->in_group_flags);
+ OPENSSL_free(cipher_list);
+}
+
+struct ssl_cipher_preference_list_st*
+ssl_cipher_preference_list_dup(struct ssl_cipher_preference_list_st
+ *cipher_list)
+{
+ struct ssl_cipher_preference_list_st* ret = NULL;
+ size_t n = sk_SSL_CIPHER_num(cipher_list->ciphers);
+
+ ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
+ if (!ret)
+ goto err;
+ ret->ciphers = NULL;
+ ret->in_group_flags = NULL;
+ ret->ciphers = sk_SSL_CIPHER_dup(cipher_list->ciphers);
+ if (!ret->ciphers)
+ goto err;
+ ret->in_group_flags = OPENSSL_malloc(n);
+ if (!ret->in_group_flags)
+ goto err;
+ memcpy(ret->in_group_flags, cipher_list->in_group_flags, n);
+ return ret;
+
+err:
+ if (ret->ciphers)
+ sk_SSL_CIPHER_free(ret->ciphers);
+ if (ret)
+ OPENSSL_free(ret);
+ return NULL;
+}
+
+struct ssl_cipher_preference_list_st*
+ssl_cipher_preference_list_from_ciphers(STACK_OF(SSL_CIPHER) *ciphers)
+{
+ struct ssl_cipher_preference_list_st* ret = NULL;
+ size_t n = sk_SSL_CIPHER_num(ciphers);
+
+ ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
+ if (!ret)
+ goto err;
+ ret->ciphers = NULL;
+ ret->in_group_flags = NULL;
+ ret->ciphers = sk_SSL_CIPHER_dup(ciphers);
+ if (!ret->ciphers)
+ goto err;
+ ret->in_group_flags = OPENSSL_malloc(n);
+ if (!ret->in_group_flags)
+ goto err;
+ memset(ret->in_group_flags, 0, n);
+ return ret;
+
+err:
+ if (ret->ciphers)
+ sk_SSL_CIPHER_free(ret->ciphers);
+ if (ret)
+ OPENSSL_free(ret);
+ return NULL;
+}
+
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
{
return ctx->param;
�[0m
�[91mPossibly reversed hunk 1 at 2775
Hunk 1 FAILED 763/763.
size_t max_size);
size_t ssl_hmac_size(const SSL_HMAC *ctx);
+/* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with
+ * equal-preference groups. For TLS clients, the groups are moot because the
+ * server picks the cipher and groups cannot be expressed on the wire. However,
+ * for servers, the equal-preference groups allow the client's preferences to
+ * be partially respected. (This only has an effect with
+ * SSL_OP_CIPHER_SERVER_PREFERENCE).
+ *
+ * The equal-preference groups are expressed by grouping SSL_CIPHERs together.
+ * All elements of a group have the same priority: no ordering is expressed
+ * within a group.
+ *
+ * The values in |ciphers| are in one-to-one correspondence with
+ * |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of
+ * bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to
+ * indicate that the corresponding SSL_CIPHER is not the last element of a
+ * group, or 0 to indicate that it is.
+ *
+ * For example, if |in_group_flags| contains all zeros then that indicates a
+ * traditional, fully-ordered preference. Every SSL_CIPHER is the last element
+ * of the group (i.e. they are all in a one-element group).
+ *
+ * For a more complex example, consider:
+ * ciphers: A B C D E F
+ * in_group_flags: 1 1 0 0 1 0
+ *
+ * That would express the following, order:
+ *
+ * A E
+ * B -> D -> F
+ * C
+ */
+struct ssl_cipher_preference_list_st {
+ STACK_OF(SSL_CIPHER) *ciphers;
+ uint8_t *in_group_flags;
+};
+
+
struct ssl_ctx_st {
OPENSSL_CTX *libctx;
const SSL_METHOD *method;
- STACK_OF(SSL_CIPHER) *cipher_list;
+ struct ssl_cipher_preference_list_st *cipher_list;
/* same as above but sorted for lookup */
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
�[0m
�[91mHunk 1 FAILED 1774/1774.
/* For TLSv1.3 we must select the ciphersuite *before* session resumption */
if (SSL_IS_TLS13(s)) {
const SSL_CIPHER *cipher =
- ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
+ ssl3_choose_cipher(s, ciphers, ssl_get_cipher_preferences(s));
if (cipher == NULL) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
�[0m
�[91mHunk 1 FAILED 3340/3340.
PEM_read_PKCS8_PRIV_KEY_INFO 3410 3_0_0 EXIST::FUNCTION:STDIO
TS_VERIFY_CTX_new 3411 3_0_0 EXIST::FUNCTION:TS
BUF_MEM_new_ex 3412 3_0_0 EXIST::FUNCTION:
-RSA_padding_add_X931 3413 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_add_X931 3413 3_0_0 EXIST::FUNCTION:RSA
BN_get0_nist_prime_256 3414 3_0_0 EXIST::FUNCTION:
CRYPTO_memcmp 3415 3_0_0 EXIST::FUNCTION:
DH_check_pub_key 3416 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
ASN1_mbstring_copy 3417 3_0_0 EXIST::FUNCTION:
PKCS7_set_type 3418 3_0_0 EXIST::FUNCTION:
BIO_gets 3419 3_0_0 EXIST::FUNCTION:
-RSA_padding_check_PKCS1_type_1 3420 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_check_PKCS1_type_1 3420 3_0_0 EXIST::FUNCTION:RSA
UI_ctrl 3421 3_0_0 EXIST::FUNCTION:
i2d_X509_REQ_fp 3422 3_0_0 EXIST::FUNCTION:STDIO
BN_BLINDING_convert_ex 3423 3_0_0 EXIST::FUNCTION:
�[0m
patching file doc/man1/openssl-ciphers.pod.in
patching file include/openssl/sslerr.h
patching file ssl/s3_lib.c
patching file ssl/ssl_ciph.c
patching file ssl/ssl_err.c
patching file ssl/ssl_lib.c
patching file ssl/ssl_local.h
patching file ssl/statem/statem_srvr.c
patching file util/libcrypto.num
If skip this patch, nginx will compile successfully.
git clone https://github.com/openssl/openssl
cd /root/openssl
curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl-equal-3.0.0-dev_ciphers.patch | patch -p1
./configure \
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--with-http_v2_hpack_enc \
--without-http_charset_module \
--without-http_ssi_module \
--without-http_access_module \
--without-http_mirror_module \
--without-http_userid_module \
--without-http_autoindex_module \
--without-http_geo_module \
--without-http_map_module \
--without-http_split_clients_module \
--without-http_referer_module \
--without-http_fastcgi_module \
--without-http_uwsgi_module \
--without-http_scgi_module \
--without-http_grpc_module \
--without-http_memcached_module \
--without-http_empty_gif_module \
--without-http_browser_module \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-cc-opt='-O2 -g -pipe -Wall -Wp,-DTCP_FASTOPEN=23 -D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' \
--with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-z,now -pie' \
--with-pcre-jit \
--with-openssl=/root/openssl \
--with-openssl-opt='enable-aria enable-ec_nistp_64_gcc_128 no-nextprotoneg' \
--add-module=/root/headers-more-nginx-module \
--add-module=/root/ngx_brotli \
&& make install
gcc -I. -Iinclude -fPIC -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/root/openssl/.openssl/ssl\"" -DENGINESDIR="\"/root/openssl/.openssl/lib/engines-3\"" -DMODULESDIR="\"/root/openssl/.openssl/lib/ossl-modules\"" -DNDEBUG -MMD -MF ssl/statem/libssl-lib-statem.d.tmp -MT ssl/statem/libssl-lib-statem.o -c -o ssl/statem/libssl-lib-statem.o ssl/statem/statem.c
gcc -I. -Iinclude -fPIC -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/root/openssl/.openssl/ssl\"" -DENGINESDIR="\"/root/openssl/.openssl/lib/engines-3\"" -DMODULESDIR="\"/root/openssl/.openssl/lib/ossl-modules\"" -DNDEBUG -MMD -MF ssl/statem/libssl-lib-statem_clnt.d.tmp -MT ssl/statem/libssl-lib-statem_clnt.o -c -o ssl/statem/libssl-lib-statem_clnt.o ssl/statem/statem_clnt.c
gcc -I. -Iinclude -fPIC -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/root/openssl/.openssl/ssl\"" -DENGINESDIR="\"/root/openssl/.openssl/lib/engines-3\"" -DMODULESDIR="\"/root/openssl/.openssl/lib/ossl-modules\"" -DNDEBUG -MMD -MF ssl/statem/libssl-lib-statem_dtls.d.tmp -MT ssl/statem/libssl-lib-statem_dtls.o -c -o ssl/statem/libssl-lib-statem_dtls.o ssl/statem/statem_dtls.c
gcc -I. -Iinclude -fPIC -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/root/openssl/.openssl/ssl\"" -DENGINESDIR="\"/root/openssl/.openssl/lib/engines-3\"" -DMODULESDIR="\"/root/openssl/.openssl/lib/ossl-modules\"" -DNDEBUG -MMD -MF ssl/statem/libssl-lib-statem_lib.d.tmp -MT ssl/statem/libssl-lib-statem_lib.o -c -o ssl/statem/libssl-lib-statem_lib.o ssl/statem/statem_lib.c
gcc -I. -Iinclude -fPIC -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/root/openssl/.openssl/ssl\"" -DENGINESDIR="\"/root/openssl/.openssl/lib/engines-3\"" -DMODULESDIR="\"/root/openssl/.openssl/lib/ossl-modules\"" -DNDEBUG -MMD -MF ssl/statem/libssl-lib-statem_srvr.d.tmp -MT ssl/statem/libssl-lib-statem_srvr.o -c -o ssl/statem/libssl-lib-statem_srvr.o ssl/statem/statem_srvr.c
ssl/statem/statem_srvr.c: In function 'tls_early_post_process_client_hello':
ssl/statem/statem_srvr.c:1946:68: error: 'SSL_SESSION' {aka 'struct ssl_session_st'} has no member named 'ciphers'; did you mean 'cipher'?
s->session->ciphers);
^~~~~~~
cipher
make[3]: *** [Makefile:6934: ssl/statem/libssl-lib-statem_srvr.o] Error 1
make[3]: Leaving directory '/root/openssl'
make[2]: *** [Makefile:165: all] Error 2
make[2]: Leaving directory '/root/openssl'
make[1]: *** [objs/Makefile:1436: /root/openssl/.openssl/include/openssl/ssl.h] Error 2
make[1]: Leaving directory '/root/nginx-1.17.0'
make: *** [Makefile:8: build] Error 2
The Cloudflare patch can enable Both CHACHA20-RFC(0xcca8-0xccaa) ciphers and CHACH20-Draft(0xcc13-0xcc15) ciphers in Openssl 1.0.2f-j
I tried to make the Cloudflare patch compatible with Openssl-1.1.1-pre9 by myself, by adding the CHACHA-Draft back to it, but I met a lot of difficulties and caused many errors.
Can you please make such a patch that enable both the RFC and Draft CHACHA20 ciphers in Openssl 1.1.0
I think it would be very useful for everyone
➜ openssl git:(stable) git branch -vv
master 0db957d [origin/master:落后 465] Add a GMAC demonstration program.
* stable a6e50cb [origin/OpenSSL_1_1_1-stable:领先 1] openssl-equal-1.1.1a_ciphers.patch
➜ openssl git:(stable) curl -L https://github.com/hakasenyang/openssl-patch/raw/master/openssl-1.1.1a-chacha_draft.patch | patch -p1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 166 100 166 0 0 49 0 0:00:03 0:00:03 --:--:-- 49
100 21611 100 21611 0 0 2838 0 0:00:07 0:00:07 --:--:-- 6668
patching file crypto/evp/c_allc.c
patching file crypto/evp/e_chacha20_poly1305.c
patching file crypto/objects/obj_dat.h
patching file crypto/objects/obj_mac.num
patching file crypto/objects/objects.txt
patching file include/openssl/evp.h
patching file include/openssl/obj_mac.h
patching file include/openssl/ssl.h
patching file include/openssl/tls1.h
Hunk #1 succeeded at 607 (offset 10 lines).
Hunk #2 succeeded at 777 (offset 10 lines).
Hunk #3 succeeded at 1108 (offset 10 lines).
patching file ssl/s3_lib.c
Hunk #1 succeeded at 2088 (offset 6 lines).
patching file ssl/ssl_ciph.c
Hunk #3 succeeded at 278 (offset 3 lines).
Hunk #4 succeeded at 1873 (offset 81 lines).
Hunk #5 succeeded at 2200 (offset 81 lines).
patching file ssl/ssl_locl.h
patching file util/libcrypto.num
Hunk #1 FAILED at 4577.
1 out of 1 hunk FAILED -- saving rejects to file util/libcrypto.num.rej
same as #29, on with current openssl master
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.