Merge pull request fooinha#10 from fooinha/patch/openssl-extensions

nginx-ssl-ja3: patch openssl

Author: fooinha

.travis.yml

@@ -32,13 +32,13 @@ install:
 
 script:
   - cd openssl
+  - git checkout OpenSSL_1_1_1 -b patched
+  - patch -p1 < ../patches/openssl.extensions.patch
   - ./config -d
-  - make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
-  - sudo make install > build.log 2>&1 || (cat build.log && exit 1)
-  - cd ..
-  - cp -v patches/latest.patch nginx/.
-  - cd nginx
-  - patch -p1 < latest.patch
+  - make -j$JOBS 2>&1 > build.log || (cat build.log && exit 1)
+  - sudo make install 2>&1 > build.log || (cat build.log && exit 1)
+  - cd ../nginx
+  - patch -p1 < ../patches/nginx.latest.patch
   - auto/configure --with-debug --with-stream --with-ld-opt="-Wl,-E -L /usr/local/lib" --prefix=$NGINX_PREFIX  --with-http_ssl_module --with-stream_ssl_module --add-module=.. > build.log 2>&1 || (cat build.log && exit 1)
   - make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
   - sudo make install > build.log 2>&1 || (cat build.log && exit 1)

README.md

@@ -85,7 +85,8 @@ the patch is already applied. Check the Dockerfile of the dev image.
 
 ### Patches
 
- - [save Client Hello extensions at nginx's SSL connection](patches/latest.patch)
+ - [nginx - save client hello extensions](patches/nginx.latest.patch)
+ - [openssl - more tls extensions](patches/openssl.extensions.patch)
 
 
 ### Compilation and installation
@@ -94,9 +95,17 @@ Build as a common nginx module.
 
 ```bash
 
+# Hack/patch openssl - to include more common extensions
+
+$ patch  -p1 < /build/nginx-ssl-ja3/patches/openssl.extensions.patch
+
+patching file include/openssl/tls1.h
+patching file ssl/statem/extensions.c
+
+
 # Hack/patch nginx
 
-$ patch -p1 < /build/ngx_ssl_ja3/patches/latest.patch
+$ patch -p1 < /build/ngx_ssl_ja3/patches/nginx.latest.patch
 
 patching file src/event/ngx_event_openssl.c
 Hunk #1 succeeded at 1358 (offset 137 lines).

docker/debian-nginx-ssl-ja3/Dockerfile

@@ -64,6 +64,10 @@ RUN git clone https://github.com/openssl/openssl
 
 # Build and install openssl
 WORKDIR /build/openssl
+
+RUN git checkout OpenSSL_1_1_1 -b patched
+COPY patches/openssl.extensions.patch /build/openssl
+RUN patch -p1 < openssl.extensions.patch
 RUN ./config -d
 RUN make
 RUN make install
@@ -74,8 +78,8 @@ RUN hg clone http://hg.nginx.org/nginx
 
 # Patch nginx for fetching ssl client extensions
 WORKDIR /build/nginx
-COPY patches/latest.patch /build/nginx
-RUN patch -p1 < latest.patch
+COPY patches/nginx.latest.patch /build/nginx
+RUN patch -p1 < nginx.latest.patch
 
 # Install files
 RUN mkdir -p /usr/local/nginx/conf/

patches/latest.patch renamed to patches/nginx.latest.patch

@@ -0,0 +1,42 @@
+diff -r -u openssl.orig/include/openssl/tls1.h openssl/include/openssl/tls1.h
+--- openssl.orig/include/openssl/tls1.h	2019-02-12 23:44:30.004081000 +0000
++++ openssl/include/openssl/tls1.h	2019-02-12 23:51:42.213326000 +0000
+@@ -133,6 +133,11 @@
+ /* ExtensionType value from RFC7627 */
+ # define TLSEXT_TYPE_extended_master_secret      23
+ 
++/* [draft-ietf-tls-certificate-compression] */
++# define TLSEXT_TYPE_compress_certificate        27
++/* ExtensionType value from RFC8449 */
++# define TLSEXT_TYPE_record_size_limit           28
++
+ /* ExtensionType value from RFC4507 */
+ # define TLSEXT_TYPE_session_ticket              35
+ 
+Only in openssl/ssl/statem: .extensions.c.swp
+diff -r -u openssl.orig/ssl/statem/extensions.c openssl/ssl/statem/extensions.c
+--- openssl.orig/ssl/statem/extensions.c	2019-02-12 23:48:29.687608000 +0000
++++ openssl/ssl/statem/extensions.c	2019-02-12 23:45:46.161153000 +0000
+@@ -374,6 +374,22 @@
+         tls_construct_certificate_authorities, NULL,
+     },
+     {
++        TLSEXT_TYPE_compress_certificate,
++        SSL_EXT_CLIENT_HELLO,
++        NULL,
++        NULL, NULL,
++        NULL,
++        NULL, NULL,
++    },
++    {
++        TLSEXT_TYPE_record_size_limit,
++        SSL_EXT_CLIENT_HELLO,
++        NULL,
++        NULL, NULL,
++        NULL,
++        NULL, NULL,
++    },
++    {
+         /* Must be immediately before pre_shared_key */
+         TLSEXT_TYPE_padding,
+         SSL_EXT_CLIENT_HELLO,