Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
A patch to nginx allows you to change TLS 1.3 cipher suites
You can specify a perfered TLS 1.3 cipher suites list in Nginx by the following setting:
ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256|ECDHE+AESGCM:HIGH:!aNULL:!eNULL:!MD5;
The TLS 1.3 and TLS 1.2- cipher suites are separated by a '|', notice that you neet to list the full name of TLS 1.3 cipher suites according to OpenSSL Wiki.
Only tested on nginx/1.15.7 with OpenSSL 1.1.1a.
See https://x-nagi.com/2018/11/nginx-tls1-3-patch.html for details.
---
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index a281fba..7e2809b 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -662,7 +662,35 @@ ngx_int_t
ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
ngx_uint_t prefer_server_ciphers)
{
- if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) {
+ u_char *ciphers_data;
+
+ ciphers_data = ciphers->data;
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+ /* Find TLS 1.3 ciphersuite config */
+ size_t i;
+ for (i = 0; i < ciphers->len; i++)
+ {
+ if (ciphers->data[i] == '|')
+ {
+ break;
+ }
+ }
+ if (i < ciphers->len)
+ {
+ ciphers->data[i] = '\0';
+ if (SSL_CTX_set_ciphersuites(ssl->ctx, (char *)ciphers->data) == 0)
+ {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_set_ciphersuites(\"%V\") failed",
+ ciphers);
+ return NGX_ERROR;
+ }
+ ciphers->data[i] = '|';
+ ciphers_data = &(ciphers->data[i + 1]);
+ }
+#endif
+
+ if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers_data) == 0) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"SSL_CTX_set_cipher_list(\"%V\") failed",
ciphers);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment