From 2196a24f96caa8da398c9c883f8a21a7080dc813 Mon Sep 17 00:00:00 2001
From: Roman Hoellen
Date: Fri, 13 Apr 2018 17:32:19 +0200
Subject: [PATCH] [boring-nginx] update Dockerfile

---
 boring-nginx/Dockerfile | 8 +++-----
 boring-nginx/README.md | 2 +-
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/boring-nginx/Dockerfile b/boring-nginx/Dockerfile
index 19aa823..a93c12a 100644
--- a/boring-nginx/Dockerfile
+++ b/boring-nginx/Dockerfile
@@ -64,12 +64,10 @@ RUN NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
 && cd /tmp && git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \
 && git clone https://boringssl.googlesource.com/boringssl --depth=1 \
 && cd boringssl \
- && sed -i 's@out \([>=]\) TLS1_2_VERSION@out \1 TLS1_3_VERSION@' ssl/ssl_lib.cc \
 && sed -i 's@ssl->version[ ]*=[ ]*TLS1_2_VERSION@ssl->version = TLS1_3_VERSION@' ssl/s3_lib.cc \
- && sed -i 's@(SSL3_VERSION, TLS1_2_VERSION@(SSL3_VERSION, TLS1_3_VERSION@' ssl/ssl_test.cc \
- && sed -i 's@\$shaext[ ]*=[ ]*0;@\$shaext = 1;@' crypto/*/asm/*.pl \
- && sed -i 's@\$avx[ ]*=[ ]*[0|1];@\$avx = 2;@' crypto/*/asm/*.pl \
- && sed -i 's@\$addx[ ]*=[ ]*0;@\$addx = 1;@' crypto/*/asm/*.pl \
+ && sed -i 's@\$shaext[ ]*=[ ]*0;@\$shaext = 1;@' crypto/*/*/asm/*.pl \
+ && sed -i 's@\$avx[ ]*=[ ]*[0|1];@\$avx = 2;@' crypto/*/*/asm/*.pl \
+ && sed -i 's@\$addx[ ]*=[ ]*0;@\$addx = 1;@' crypto/*/*/asm/*.pl \
 && mkdir build && cd build && cmake -DCMAKE_BUILD_TYPE=Release .. \
 && make -j ${NB_CORES} && cd .. \
 && mkdir -p .openssl/lib/ && cd .openssl && ln -s ../include && cd .. \
diff --git a/boring-nginx/README.md b/boring-nginx/README.md
index 369ebf9..0daa831 100644
--- a/boring-nginx/README.md
+++ b/boring-nginx/README.md
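Review bot: The three new `sed -i … crypto/*/*/asm/*.pl` lines, and the retained `ssl/s3_lib.cc` edit just above them, still have no check that they matched anything: `sed -i` exits 0 when no line matches, so the next BoringSSL layout change turns these source edits into silent no-ops and the image builds and ships without them — presumably how the old `crypto/*/asm/*.pl` path that this commit corrects went unnoticed. Because the clone on the preceding context line is `--depth=1` of an unpinned HEAD, the build is also unreproducible: which BoringSSL revision a given image contains, and whether these edits applied to it, depends on when it was built. I would pin the checkout to a known revision (drop `--depth=1`, or fetch that revision explicitly, then `git checkout <BORINGSSL_COMMIT placeholder>`) and guard each edit, e.g. `&& grep -q '\$shaext[ ]*=[ ]*0;' crypto/*/*/asm/*.pl \` before its sed, or keep the edits as a committed patch file applied with `git apply`, which fails when its context no longer matches. The RUN instruction continues past both ends of the hunk.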
@@ -9,7 +9,7 @@ This is nginx statically linked against BoringSSL, with embedded Brotli support.
 - Thanks to [Wonderfall](https://github.com/wonderfall/dockerfiles)
 - Based on Alpine Linux.
 - nginx built against **BoringSSL** with SSE/SHA, and AVX2 SIMD-instructions.
-- **TLS 1.3** patch : use of TLS 1.3 DRAFT is enforced (haven't found another way yet).
+- **TLS 1.3** enabled
 - Built using hardening gcc flags.
 - Dynamic TLS records patch (cloudflare).
 - TTP/2 (+NPN) support.