boring-nginx: remove TLS 1.3 patch (not updated), nginx 1.11.10

2025-04-20 04:19:18 +00:00 · 2017-02-15 17:42:39 +01:00 · 2017-02-15 17:42:39 +01:00 · db82d0ee39
commit db82d0ee39
parent 72f7575f5d
2 changed files with 2 additions and 64 deletions
--- a/boring-nginx/Dockerfile
+++ b/boring-nginx/Dockerfile
@ -2,12 +2,10 @@ FROM alpine:edge
 ENV UID=991 GID=991
-ARG NGINX_VERSION=1.11.9
+ARG NGINX_VERSION=1.11.10
 ARG GPG_NGINX="B0F4 2533 73F8 F6F5 10D4  2178 520A 9993 A1C0 52F8"
 ARG BUILD_CORES
 COPY tls1.3.patch /tmp/tls1.3.patch
 RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
 && NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
 && BUILD_DEPS=" \
@ -25,7 +23,7 @@ RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/a
    gnupg \
    cmake \
    go" \
- && apk -U add \
+ && apk -U upgrade && apk add \
    ${BUILD_DEPS} \
    pcre \
    zlib \
@ -43,7 +41,6 @@ RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/a
 && git clone https://boringssl.googlesource.com/boringssl --depth=1 \
 && cd /tmp/ngx_brotli && git submodule update --init \
 && cd /tmp/boringssl \
 && patch -p1 < /tmp/tls1.3.patch \
 && mkdir build && cd build && cmake -DCMAKE_BUILD_TYPE=Release .. \
 && make -j ${NB_CORES} && cd .. \
 && mkdir -p .openssl/lib/ && cd .openssl && ln -s ../include && cd .. \
--- a/boring-nginx/tls1.3.patch
+++ b/boring-nginx/tls1.3.patch
@ -1,59 +0,0 @@
 From 36e2f3cf8e8a2f41b7ec1d7040d589974bfad93e Mon Sep 17 00:00:00 2001
 From: Steven Valdez <svaldez@google.com>
 Date: Thu, 13 Oct 2016 14:33:35 -0400
 Subject: [PATCH] Enabling TLS 1.3 (DRAFT).
 Change-Id: I2e4f0db3b8630f990911c8e104f60c048bb7450d
 ---
 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
 index 3b14411..802ed2f 100644
 --- a/ssl/s3_lib.c
 +++ b/ssl/s3_lib.c
@@ -187,7 +187,7 @@
    * TODO(davidben): Move this field into |s3|, have it store the normalized
    * protocol version, and implement this pre-negotiation quirk in |SSL_version|
    * at the API boundary rather than in internal state. */
 -  ssl->version = TLS1_2_VERSION;
 +  ssl->version = TLS1_3_VERSION;
   return 1;
 }
 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
 index 89d6f15..9c5afae 100644
 --- a/ssl/ssl_lib.c
 +++ b/ssl/ssl_lib.c
@@ -999,10 +999,6 @@
                            uint16_t version) {
   if (version == 0) {
     *out = method->max_version;
 -    /* TODO(svaldez): Enable TLS 1.3 by default once fully implemented. */
 -    if (*out > TLS1_2_VERSION) {
 -      *out = TLS1_2_VERSION;
 -    }
     return 1;
   }
 diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
 index b74e51e..e8d1847 100644
 --- a/ssl/ssl_test.cc
 +++ b/ssl/ssl_test.cc
@@ -2541,7 +2541,7 @@
   }
   if (ctx->min_version != SSL3_VERSION ||
 -      ctx->max_version != TLS1_2_VERSION) {
 +      ctx->max_version != TLS1_3_VERSION) {
     fprintf(stderr, "Default TLS versions were incorrect (%04x and %04x).\n",
             ctx->min_version, ctx->max_version);
     return false;
@@ -2778,8 +2778,7 @@
       !TestBadSSL_SESSIONEncoding(kBadSessionExtraField) ||
       !TestBadSSL_SESSIONEncoding(kBadSessionVersion) ||
       !TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) ||
 -      // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
 -      !TestDefaultVersion(SSL3_VERSION, TLS1_2_VERSION, &TLS_method) ||
 +      !TestDefaultVersion(SSL3_VERSION, TLS1_3_VERSION, &TLS_method) ||
       !TestDefaultVersion(SSL3_VERSION, SSL3_VERSION, &SSLv3_method) ||
       !TestDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method) ||
       !TestDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method) ||