In order to easily build, I made sets of patches that resolved conflicts (chacha20-poly1305, camellia-gcm, equal-preference-group).
- Required packages:
packaging-dev
,lzip
/ Preparation:sudo apt-get build-dep
openssl
oropenssl1.0
In order to easily build, I made sets of patches that resolved conflicts (chacha20-poly1305, camellia-gcm, equal-preference-group).
packaging-dev
, lzip
/ Preparation: sudo apt-get build-dep
openssl
or openssl1.0
Implement camellia-gcm functions into libcrypto and camellia-gcm ciphersuites from RFC 6367 into libssl. And TLS 1.3 camellia-gcm ciphersuites are supported for private use in OpenSSL 1.1.1 and later version.
Reference: openssl/openssl#374
For compatibility of applications which use EVP_AEAD APIs, there are a patch and same debian files here.
Your application gets source level compatibility with BoringSSL, LibreSSL and h-yamamo's openssl-chacha20poly1305.
packaging-dev
, lzip
/ Preparation: sudo apt-get build-dep openssl
Support TLS_ECDHE_* ciphersuites | |
you can specify e.g. --tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 | |
supported curve is only NIST P-256. | |
if you want to change the curve to P-384 or P-521 | |
change NID_X9_62_prime256v1 to NID_secp384r1 or NID_secp521r1. | |
--- 2.3.10-1ubuntu2/src/openvpn/ssl_openssl.c 2016-01-04 12:17:32.000000000 +0000 | |
+++ b/src/openvpn/ssl_openssl.c 2016-09-19 20:00:00.000000000 +0900 |
Support equal preference group | |
* This patch requires the preceding chacha20poly1305.patch. | |
* Ciphersuites in equal preference group are hard coded. | |
The following ciphersuites: | |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | |
TLS_ECDHE_RSA_CHACHA20_POLY1305_OLD | |
TLS_ECDHE_ECDSA_CHACHA20_POLY1305_OLD |
diff -u openssl-1.0.2h-1~bpo8+2+ore1 +camellia-gcm | |
--- a/openssl.ld 2016-09-04 00:00:00.000000000 +0900 | |
+++ b/openssl.ld 2016-09-04 20:00:00.000000000 +0900 | |
@@ -4482,6 +4482,8 @@ | |
EVP_AEAD_CTX_cleanup; | |
EVP_AEAD_CTX_seal; | |
EVP_AEAD_CTX_open; | |
+ EVP_aead_camellia_128_gcm; | |
+ EVP_aead_camellia_256_gcm; | |
} OPENSSL_1.0.0; |
diff -u openssl-1.0.1t-1+deb8u2+ore1 +camellia-gcm | |
--- a/openssl.ld 2016-05-20 03:00:00.000000000 +0900 | |
+++ b/openssl.ld 2016-05-22 12:00:00.000000000 +0900 | |
@@ -4628,6 +4628,8 @@ | |
EVP_AEAD_CTX_cleanup; | |
EVP_AEAD_CTX_seal; | |
EVP_AEAD_CTX_open; | |
+ EVP_aead_camellia_128_gcm; | |
+ EVP_aead_camellia_256_gcm; | |
} OPENSSL_1.0.0; |
diff -u openssl-1.0.2g-1ubuntu4+ore1 +camellia-gcm | |
--- a/openssl.ld 2016-04-17 15:00:00.000000000 +0900 | |
+++ b/openssl.ld 2016-04-23 22:00:00.000000000 +0900 | |
@@ -4482,6 +4482,8 @@ | |
EVP_AEAD_CTX_cleanup; | |
EVP_AEAD_CTX_seal; | |
EVP_AEAD_CTX_open; | |
+ EVP_aead_camellia_128_gcm; | |
+ EVP_aead_camellia_256_gcm; | |
} OPENSSL_1.0.0; |
Improve TLS Extensions signature and hash algorithm | |
Reference: | |
Move signing digest out of CERT. | |
https://github.com/openssl/openssl/commit/d376e57d6826e56f4c922806e088a111c52f9e92 | |
diff -ur openssl-1.0.1k-3+deb8u2 openssl-1.0.1k-3+deb8u2+alg | |
--- a/ssl/ssl_lib.c 2015-01-08 23:00:56.000000000 +0900 | |
+++ b/ssl/ssl_lib.c 2016-02-19 21:58:14.000000000 +0900 | |
@@ -2392,6 +2392,9 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER * |
Improve TLS Extensions signature and hash algorithm | |
Reference: | |
Move signing digest out of CERT. | |
https://github.com/openssl/openssl/commit/d376e57d6826e56f4c922806e088a111c52f9e92 | |
diff -ur openssl-1.0.1f-1ubuntu2.16 1.0.1f-1ubuntu2.16+alg | |
--- a/ssl/ssl_lib.c 2014-10-15 16:56:03.000000000 +0000 | |
+++ b/ssl/ssl_lib.c 2016-02-19 21:58:14.000000000 +0900 | |
@@ -2406,6 +2406,9 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER * |