diff --git a/boring-nginx/Dockerfile b/boring-nginx/Dockerfile
index be90646..69e1b87 100644
--- a/boring-nginx/Dockerfile
+++ b/boring-nginx/Dockerfile
@@ -2,12 +2,10 @@ FROM alpine:edge
 ENV UID=991 GID=991
-ARG NGINX_VERSION=1.11.9
+ARG NGINX_VERSION=1.11.10
 ARG GPG_NGINX="B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8"
 ARG BUILD_CORES
-COPY tls1.3.patch /tmp/tls1.3.patch
-
 RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
 && NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
 && BUILD_DEPS=" \
@@ -25,7 +23,7 @@ RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/a
 gnupg \
 cmake \
 go" \
- && apk -U add \
+ && apk -U upgrade && apk add \
 ${BUILD_DEPS} \
 pcre \
 zlib \
@@ -43,7 +41,6 @@ RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/a
 && git clone https://boringssl.googlesource.com/boringssl --depth=1 \
 && cd /tmp/ngx_brotli && git submodule update --init \
 && cd /tmp/boringssl \
- && patch -p1 < /tmp/tls1.3.patch \
 && mkdir build && cd build && cmake -DCMAKE_BUILD_TYPE=Release .. \
 && make -j ${NB_CORES} && cd .. \
 && mkdir -p .openssl/lib/ && cd .openssl && ln -s ../include && cd .. \
diff --git a/boring-nginx/tls1.3.patch b/boring-nginx/tls1.3.patch
deleted file mode 100644
index 57336a4..0000000
--- a/boring-nginx/tls1.3.patch
+++ /dev/null
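Review bot: `&& apk -U upgrade && apk add \` in the second hunk refreshes the package index into the image's apk cache and, unless a later step of this RUN removes it, that index ends up persisted in the layer; the rest of the RUN is outside the hunk, so whether such a cleanup exists cannot be seen here. On alpine:edge an unpinned `apk upgrade` also means two builds of the same Dockerfile can ship different package versions, which matters for anyone auditing what a given image contains. Prefer `&& apk --no-cache upgrade && apk --no-cache add \` so nothing is cached in the layer, and add a comment above the RUN stating that the upgrade is intentionally unpinned against edge so the non-reproducibility is a documented choice rather than an accident.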
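Review bot: With `&& patch -p1 < /tmp/tls1.3.patch \` removed in the third hunk, the image's maximum TLS version is now whatever the BoringSSL revision fetched by `git clone https://boringssl.googlesource.com/boringssl --depth=1` defaults to at build time, and no commit is pinned on that line, so the TLS behaviour of the built nginx can change between builds without any change to this Dockerfile. The GPG_NGINX fingerprint declared in the first hunk suggests the nginx tarball is signature-checked, but the BoringSSL checkout has no comparable integrity anchor. Pin the revision right after the clone, e.g. `&& git -C /tmp/boringssl fetch --depth=1 origin <PINNED_BORINGSSL_COMMIT> && git -C /tmp/boringssl checkout FETCH_HEAD \` (placeholder commit), and note in a comment whether TLS 1.3 is expected from that revision now that the draft-enabling patch is gone. The RUN instruction these lines belong to starts and ends outside the hunk.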
@@ -1,59 +0,0 @@
-From 36e2f3cf8e8a2f41b7ec1d7040d589974bfad93e Mon Sep 17 00:00:00 2001
-From: Steven Valdez
-Date: Thu, 13 Oct 2016 14:33:35 -0400
-Subject: [PATCH] Enabling TLS 1.3 (DRAFT).
-
-Change-Id: I2e4f0db3b8630f990911c8e104f60c048bb7450d
----
-
-diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index 3b14411..802ed2f 100644
---- a/ssl/s3_lib.c
-+++ b/ssl/s3_lib.c
-@@ -187,7 +187,7 @@
- * TODO(davidben): Move this field into |s3|, have it store the normalized
- * protocol version, and implement this pre-negotiation quirk in |SSL_version|
- * at the API boundary rather than in internal state. */
-- ssl->version = TLS1_2_VERSION;
-+ ssl->version = TLS1_3_VERSION;
- return 1;
- }
- 
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 89d6f15..9c5afae 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -999,10 +999,6 @@
- uint16_t version) {
- if (version == 0) {
- *out = method->max_version;
-- /* TODO(svaldez): Enable TLS 1.3 by default once fully implemented. */
-- if (*out > TLS1_2_VERSION) {
-- *out = TLS1_2_VERSION;
-- }
- return 1;
- }
- 
-diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
-index b74e51e..e8d1847 100644
---- a/ssl/ssl_test.cc
-+++ b/ssl/ssl_test.cc
-@@ -2541,7 +2541,7 @@
- }
- 
- if (ctx->min_version != SSL3_VERSION ||
-- ctx->max_version != TLS1_2_VERSION) {
-+ ctx->max_version != TLS1_3_VERSION) {
- fprintf(stderr, "Default TLS versions were incorrect (%04x and %04x).\n",
- ctx->min_version, ctx->max_version);
- return false;
-@@ -2778,8 +2778,7 @@
- !TestBadSSL_SESSIONEncoding(kBadSessionExtraField) ||
- !TestBadSSL_SESSIONEncoding(kBadSessionVersion) ||
- !TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) ||
-- // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
-- !TestDefaultVersion(SSL3_VERSION, TLS1_2_VERSION, &TLS_method) ||
-+ !TestDefaultVersion(SSL3_VERSION, TLS1_3_VERSION, &TLS_method) ||
- !TestDefaultVersion(SSL3_VERSION, SSL3_VERSION, &SSLv3_method) ||
- !TestDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method) ||
- !TestDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method) ||