Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


OpenSSL Patch

This file is not an official OpenSSL patch. Problems can arise and this is your responsibility.

Original Sources


Displays TLSv1.3 support for large sites.

Default support is in bold type.

Compatible OpenSSL-3.0.0-dev (OpenSSL, 25375 commits)

Compatible OpenSSL-3.0.0-dev-revert (OpenSSL, 25746 commits)

Patch files

The equal preference patch(openssl-equal-x) already includes the tls13_draft patch and the tls13_nginx_config(_ciphers file only) patch. Therefore, you do not need to patch it together.

You can find the OpenSSL 1.1.0h patch is here.

Here is the basic patch content.

  • BoringSSL's Equal Preference Patch
  • Weak 3DES and not using ECDHE ciphers is not used in TLSv1.1 or later.
Patch file name Patch list
Support final (TLS 1.3), TLS 1.3 cipher settings can not be changed on nginx.
Support final (TLS 1.3), TLS 1.3 cipher settings can be changed on nginx.
A draft version of chacha20-poly1305 is available. View issue
openssl-1.1.1a-tls13_draft.patch Only for TLS 1.3 draft 23, 26, 28, final support patch.
openssl-1.1.1a-tls13_nginx_config.patch You can set TLS 1.3 ciphere in nginx. ex) TLS13+AESGCM+AES128
openssl-1.1.1c-prioritize_chacha_draft.patch Priority applied patch for CHACHA20 and CHACHA20-DRAFT. View Pull Request
openssl-3.0.0-session_tls13.patch For TLS 1.2 and below, the existing session timeout value is written. For TLS 1.3, 172800 (2 days) is fixed.
openssl-3.0.0-dev_version_error.patch TEST This is a way to fix nginx when the following errors occur during the build:
Error: missing binary operator before token "("
Maybe patched: openssl/openssl#7839
Patched :
openssl-3.0.0-dev_revert.patch TEST This file will revert the patch to use the old OpenSSL API. (This is an unsafe temporary measure.)
TEST These patches should be used after patching the openssl-3.0.0-dev_revert.patch file first.

The "_ciphers" patch file is a temporary change to the TLS 1.3 configuration.

Example of setting TLS 1.3 cipher in nginx:

Example Ciphers
Fullname Cipher TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
TLS 1.3 + 1.2 ciphers TLS13+AESGCM+AES128:EECDH+AES128

Not OpenSSL patch files

Patch file name Patch list
nginx_hpack_push.patch Patch both the HPACK patch and the PUSH ERROR.
nginx_hpack_push_fix.patch Patch only the PUSH ERROR of the hpack patch. (If the HPACK patch has already been completed)
remove_nginx_server_header.patch Remove nginx server header. (http2, http1.1)
nginx_hpack_remove_server_header_1.15.3.patch HPACK + Remove nginx server header. (http2, http1.1)
nginx_strict-sni.patch Enable Strict-SNI. Thanks @JemmyLoveJenny. View issue
nginx_openssl-1.1.x_renegotiation_bugfix.patch Bugfix Secure Client-Initiated Renegotiation. (Check OpenSSL >= 1.1.x, nginx = 1.15.4
Patched nginx 1.15.5 Some of the parts that can not get OCSP Stapling value at nginx start or reload are solved.
OCSP stapling in nginx is made up of a callback, so you only need to connect at least once to get the value.
This file is a temporary file and may not work normally.
nginx_io_uring.patch Add io_uring support patch. Thanks @CarterLi. View how to install

How To Use?

OpenSSL Patch

git clone
git clone
cd openssl
patch -p1 < ../openssl-patch/openssl-equal-3.0.0-dev_ciphers.patch

And then use --with-openssl in nginx or build after ./config.


Thanks @JemmyLoveJenny!

View issue / Original Source

git clone
git clone
cd openssl
patch -p1 < ../openssl-patch/openssl-1.1.1a-chacha_draft.patch

nginx HPACK Patch

Run it from the nginx directory.

If you have a PUSH patch, use it as follows.

curl | patch -p1

If you did not patch PUSH, use it as follows.

curl | patch -p1

And then check the nginx configuration below.

nginx Remove Server Header Patch

Run it from the nginx directory.

curl | patch -p1

nginx strict-sni patch

Run it from the nginx directory.

curl | patch -p1

This is a condition for using strict sni. View issue.

  • How to use nginx strict-sni?
    • ONLY USE IN http { }
    • strict_sni : nginx strict-sni ON/OFF toggle option.
    • strict_sni_header : if you do not want to respond to invalid headers. (only with strict_sni)
    • Strict SNI requires at least two ssl server (fake) settings (server { listen 443 ssl }).
    • It does not matter what kind of certificate or duplicate.
    • (>1.15.10) If no SNI is required, print the certificate without applying strict-SNI.

Thanks @JemmyLoveJenny, @NewBugger!

nginx OpenSSL-1.1.x Renegotiation Bugfix

It has already been patched by nginx >= 1.15.4.

Run it from the nginx directory.

curl | patch -p1

io_uring Patch

View this link.

nginx Configuration


Add configure arguments : --with-http_v2_hpack_enc

SSL Setting

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers [Copy it from below and paste it here.];
ssl_ecdh_curve X25519:P-256:P-384;
ssl_prefer_server_ciphers on;

OpenSSL-1.1.1a, 3.0.0-dev ciphers


OpenSSL-1.1.1a_ciphers, 3.0.0-dev_ciphers ciphers



nginx ocsp shell

The configuration file recognizes the *.conf file in /etc/nginx.

Precedence settings in nginx.conf are as follows:

worker_processes 1 - If this number is high, the remaining worker processes do not have OCSP Stapling values.

After reload or restart, execute the corresponding shell. That's it!

I tried to edit nginx, but I have not found a good way yet. :(


No releases published


No packages published