hoellen/dockerfiles
1
0
Fork 0
mirror of https://github.com/hoellen/dockerfiles.git synced 2025-11-04 00:06:44 +00:00
Code Issues Projects Releases Wiki Activity

boring-nginx: enable TLS 1.3 by default

Browse Source
This commit is contained in:
Wonderfall
2016-11-25 15:34:43 +00:00
parent 3dbde9e891
commit 80b8a10c8c
2 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
boring-nginx/Dockerfile
View File

@@ -7,6 +7,8 @@ ARG NGINX_VERSION=1.11.6
ARG GPG_NGINX="B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8" ARG GPG_NGINX="B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8"
ARG BUILD_CORES ARG BUILD_CORES
COPY tls1.3.patch /tmp/tls1.3.patch
RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \ RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
&& NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \ && NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
&& BUILD_DEPS=" \ && BUILD_DEPS=" \
@@ -41,6 +43,7 @@ RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/a
&& git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \ && git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \
&& git clone https://boringssl.googlesource.com/boringssl --depth=1 \ && git clone https://boringssl.googlesource.com/boringssl --depth=1 \
&& cd boringssl \ && cd boringssl \
&& patch -p1 < /tmp/tls1.3.patch \
&& mkdir build && cd build && cmake -DCMAKE_BUILD_TYPE=Release .. \ && mkdir build && cd build && cmake -DCMAKE_BUILD_TYPE=Release .. \
&& make -j ${NB_CORES} && cd .. \ && make -j ${NB_CORES} && cd .. \
&& mkdir -p .openssl/lib/ && cd .openssl && ln -s ../include && cd .. \ && mkdir -p .openssl/lib/ && cd .openssl && ln -s ../include && cd .. \

59
boring-nginx/tls1.3.patch Normal file
View File

@@ -0,0 +1,59 @@
From c3f389dade719b7b34825d62404a88cc0d618631 Mon Sep 17 00:00:00 2001
From: Steven Valdez <svaldez@google.com>
Date: Thu, 13 Oct 2016 14:33:35 -0400
Subject: [PATCH] Enabling TLS 1.3 (DRAFT).
Change-Id: I2e4f0db3b8630f990911c8e104f60c048bb7450d
---
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 9cc0d9d..d4db949 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -189,7 +189,7 @@
* TODO(davidben): Move this field into |s3|, have it store the normalized
* protocol version, and implement this pre-negotiation quirk in |SSL_version|
* at the API boundary rather than in internal state. */
- ssl->version = TLS1_2_VERSION;
+ ssl->version = TLS1_3_VERSION;
return 1;
err:
return 0;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index d8270f3..57343a4 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -965,10 +965,6 @@
uint16_t version) {
if (version == 0) {
*out = method->max_version;
- /* TODO(svaldez): Enable TLS 1.3 by default once fully implemented. */
- if (*out > TLS1_2_VERSION) {
- *out = TLS1_2_VERSION;
- }
return 1;
}
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 5eede01..d847030 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -2410,7 +2410,7 @@
}
if (ctx->min_version != SSL3_VERSION ||
- ctx->max_version != TLS1_2_VERSION) {
+ ctx->max_version != TLS1_3_VERSION) {
fprintf(stderr, "Default TLS versions were incorrect (%04x and %04x).\n",
ctx->min_version, ctx->max_version);
return false;
@@ -2574,8 +2574,7 @@
!TestBadSSL_SESSIONEncoding(kBadSessionExtraField) ||
!TestBadSSL_SESSIONEncoding(kBadSessionVersion) ||
!TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) ||
- // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
- !TestDefaultVersion(SSL3_VERSION, TLS1_2_VERSION, &TLS_method) ||
+ !TestDefaultVersion(SSL3_VERSION, TLS1_3_VERSION, &TLS_method) ||
!TestDefaultVersion(SSL3_VERSION, SSL3_VERSION, &SSLv3_method) ||
!TestDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method) ||
!TestDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method) ||