Merge pull request #13 from julek-wolfssl/1.15.0-update

Update nginx support for wolfSSL master

README.md

@@ -8,6 +8,9 @@ and recompilation is required.
 The tested versions:
  - wolfSSL 3.14
  - wolfSSL 3.13.0 (with patch applied: wolfssl-3.13.0-nginx.patch)
+ - Nginx 1.17.5
+ - Nginx 1.16.1
+ - Nginx 1.15.0
  - Nginx 1.14.0
  - Nginx 1.13.12
  - Nginx 1.13.8
@@ -20,6 +23,7 @@ The tested versions:
  - Nginx 1.11.10
  - Nginx 1.11.7
  - Nginx 1.10.3
+ - Nginx 1.7.7
 
 ### Building
 
@@ -54,7 +58,10 @@ There will be failures of SSL tests for the following reasons:
 
 Note: the file ssl_ecc.t in wolfssl-nginx can be used with the Nginx test
 system.
-
+Note: the file ssl_stapling.t.patch can be used to patch the ssl_stapling.t
+file in nginx-tests to work with wolfSSL. The version available in the testing
+repository uses different certs on the same server. This is not supported
+by wolfSSL so this patch moves the certs to separate server instances.
 
 There are additional tests available in wolfssl-nginx. These are in addition
 to the Nginx tests. The OpenSSL's superapp is required for OCSP Stapling

conf/cert-ecc-p8.key

@@ -1,5 +1,5 @@
------BEGIN PRIVATE KEY-----
+-----BEGIN EC PRIVATE KEY-----
 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgRbZpAnOcbIWhOFty
 6OjHrMQDjVM1BPpsKNw0jeGoCYyhRANCAAS7M6xMJ1BKxkqlBMM83p8223ItzpTq
 K/rLIAk5LBboYQLpr03TApOaMVuXkiF/8M8Y2pERAjSG6CBYMwuANInY
------END PRIVATE KEY-----
+-----END EC PRIVATE KEY-----

conf/nginx_tls13.conf

@@ -356,6 +356,7 @@ http {
             proxy_ssl_certificate_key      client-key.pem;
             proxy_ssl_verify               on;
             proxy_ssl_crl                  crl.pem;
+            proxy_ssl_protocols            TLSv1.3;
         }
     }
     # Proxy using ECDHE cipher suites and CRL
@@ -383,6 +384,7 @@ http {
             proxy_ssl_certificate_key      client-key.pem;
             proxy_ssl_verify               on;
             proxy_ssl_crl                  crl.pem;
+            proxy_ssl_protocols            TLSv1.3;
         }
     }
     # Proxy using ECDHE and ECDSA cipher suites
@@ -410,6 +412,7 @@ http {
             proxy_ssl_certificate_key      client-key.pem;
             proxy_ssl_verify               on;
             proxy_ssl_session_reuse        on;
+            proxy_ssl_protocols            TLSv1.3;
         }
     }
     # Proxy using complete chain
@@ -437,6 +440,7 @@ http {
             proxy_ssl_certificate_key      client-key.pem;
             proxy_ssl_verify               on;
             proxy_ssl_session_reuse        on;
+            proxy_ssl_protocols            TLSv1.3;
         }
     }
     # Proxy using incomplete chain
@@ -464,6 +468,7 @@ http {
             proxy_ssl_certificate_key      client-key.pem;
             proxy_ssl_verify               on;
             proxy_ssl_session_reuse        on;
+            proxy_ssl_protocols            TLSv1.3;
         }
     }
 
@@ -494,6 +499,7 @@ http {
             proxy_ssl_verify               on;
             proxy_ssl_crl                  crl-revoked.pem;
             proxy_ssl_session_reuse        on;
+            proxy_ssl_protocols            TLSv1.3;
         }
     }
     # OCSP Stapling

nginx-1.15.0-wolfssl.patch

@@ -193,9 +193,20 @@ diff -ur nginx-1.15.0/src/http/modules/ngx_http_ssl_module.c nginx-1.15.0-wolfss
  #define NGX_DEFAULT_ECDH_CURVE  "auto"
  
  #define NGX_HTTP_NPN_ADVERTISE  "\x08http/1.1"
-diff -ur nginx-1.15.0/src/mail/ngx_mail_ssl_module.c nginx-1.15.0-wolfssl/src/mail/ngx_mail_ssl_module.c
+@@ -766,8 +770,10 @@
---- nginx-1.15.0/src/mail/ngx_mail_ssl_module.c	2018-06-05 23:47:25.000000000 +1000
+         return NGX_CONF_ERROR;
-+++ nginx-1.15.0-wolfssl/src/mail/ngx_mail_ssl_module.c	2018-06-14 15:44:59.059897033 +1000
+     }
+ 
++#ifndef WOLFSSL_NGINX
+     ngx_conf_merge_value(conf->builtin_session_cache,
+                          prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
++#endif
+ 
+     if (conf->shm_zone == NULL) {
+         conf->shm_zone = prev->shm_zone;
+diff -ur nginx/src/mail/ngx_mail_ssl_module.c nginx-1.15.0-wolfssl/src/mail/ngx_mail_ssl_module.c
+--- nginx/src/mail/ngx_mail_ssl_module.c	2019-10-22 13:38:25.369054696 +0200
++++ nginx-1.15.0-wolfssl/src/mail/ngx_mail_ssl_module.c	2019-10-22 13:37:13.938265565 +0200
 @@ -10,7 +10,11 @@
  #include <ngx_mail.h>
  

nginx-1.16.1-wolfssl-debug.patch

@@ -0,0 +1,15 @@
+diff -ur nginx/src/event/ngx_event_openssl.c nginx-debug/src/event/ngx_event_openssl.c
+--- nginx/src/event/ngx_event_openssl.c	2019-10-29 17:31:13.468021354 +0100
++++ nginx-debug/src/event/ngx_event_openssl.c	2019-10-29 17:31:06.152106826 +0100
+@@ -164,6 +164,11 @@
+ 
+ #endif
+ 
++#ifdef WOLFSSL_NGINX
++    /* Turn on internal wolfssl debugging to stdout */
++    wolfSSL_Debugging_ON();
++#endif
++
+ #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+ #ifndef SSL_OP_NO_COMPRESSION
+     {

nginx-1.16.1-wolfssl.patch

@@ -0,0 +1,302 @@
+diff -ur nginx/auto/lib/openssl/conf nginx-1.16.1-wolfssl/auto/lib/openssl/conf
+--- nginx/auto/lib/openssl/conf	2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/auto/lib/openssl/conf	2019-10-28 16:59:15.481019251 +0100
+@@ -62,8 +62,33 @@
+         ngx_feature_path=
+         ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD"
+         ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
++
++        if [ $WOLFSSL != NONE ]; then
++            ngx_feature="wolfSSL library in $WOLFSSL"
++            ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include"
++
++            if [ $NGX_RPATH = YES ]; then
++                ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
++            else
++                ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
++            fi
++
++            CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl"
++            CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
++        fi
++
+         . auto/feature
+ 
++        if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
++cat << END
++
++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
++SSL modules require the wolfSSL library.
++
++END
++            exit 1
++        fi
++
+         if [ $ngx_found = no ]; then
+ 
+             # FreeBSD port
+diff -ur nginx/auto/options nginx-1.16.1-wolfssl/auto/options
+--- nginx/auto/options	2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/auto/options	2019-10-28 16:59:15.485019190 +0100
+@@ -147,6 +147,7 @@
+ 
+ USE_OPENSSL=NO
+ OPENSSL=NONE
++WOLFSSL=NONE
+ 
+ USE_ZLIB=NO
+ ZLIB=NONE
+@@ -355,6 +356,7 @@
+         --with-pcre-opt=*)               PCRE_OPT="$value"          ;;
+         --with-pcre-jit)                 PCRE_JIT=YES               ;;
+ 
++        --with-wolfssl=*)                WOLFSSL="$value"           ;;
+         --with-openssl=*)                OPENSSL="$value"           ;;
+         --with-openssl-opt=*)            OPENSSL_OPT="$value"       ;;
+ 
+@@ -579,6 +581,7 @@
+   --with-libatomic                   force libatomic_ops library usage
+   --with-libatomic=DIR               set path to libatomic_ops library sources
+ 
++  --with-wolfssl=DIR                 set path to wolfSSL headers and library
+   --with-openssl=DIR                 set path to OpenSSL library sources
+   --with-openssl-opt=OPTIONS         set additional build options for OpenSSL
+ 
+Only in nginx: .git
+diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c
+--- nginx/src/event/ngx_event_openssl.c	2019-10-28 17:06:07.286673633 +0100
++++ nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c	2019-10-28 16:59:15.485019190 +0100
+@@ -384,6 +384,10 @@
+ 
+     SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+ 
++#ifdef WOLFSSL_NGINX
++    SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
++#endif
++
+     return NGX_OK;
+ }
+ 
+@@ -863,6 +867,14 @@
+ 
+ 
+ ngx_int_t
++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl)
++{
++    SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
++
++    return NGX_OK;
++}
++
++ngx_int_t
+ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
+     ngx_int_t depth)
+ {
+@@ -1370,7 +1382,8 @@
+      * maximum interoperability.
+      */
+ 
+-#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)
++#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \
++    defined(WOLFSSL_NGINX)
+ 
+     /*
+      * OpenSSL 1.0.2+ allows configuring a curve list instead of a single
+@@ -1491,10 +1504,26 @@
+ ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
+ {
+     ngx_connection_t  *c;
++#ifdef WOLFSSL_NGINX
++    int len;
++#endif
+ 
+     c = ngx_ssl_get_connection(ssl_conn);
+ 
+     if (c->ssl->save_session) {
++#ifdef WOLFSSL_NGINX
++        len = i2d_SSL_SESSION(sess, NULL);
++
++        /* do not cache too big session */
++        if (len > NGX_SSL_MAX_SESSION_SIZE) {
++            return -1;
++        }
++
++        if (!(sess = SSL_SESSION_dup(sess))) {
++            return -1;
++        }
++#endif
++
+         c->ssl->session = sess;
+ 
+         c->ssl->save_session(c);
+@@ -1566,7 +1595,9 @@
+ {
+ #ifdef TLS1_3_VERSION
+     if (c->ssl->session) {
++    #if !defined(WOLFSSL_NGINX)
+         SSL_SESSION_up_ref(c->ssl->session);
++    #endif
+         return c->ssl->session;
+     }
+ #endif
+@@ -3929,7 +3960,8 @@
+             return -1;
+         }
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
++    (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
+         if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
+             ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
+             return -1;
+@@ -3973,7 +4005,8 @@
+             size = 32;
+         }
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
++    (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
+         if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
+             ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
+             return -1;
+diff -ur nginx/src/event/ngx_event_openssl.h nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.h
+--- nginx/src/event/ngx_event_openssl.h	2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.h	2019-10-28 16:59:15.485019190 +0100
+@@ -12,6 +12,10 @@
+ #include <ngx_config.h>
+ #include <ngx_core.h>
+ 
++#ifdef WOLFSSL_NGINX
++#include <wolfssl/options.h>
++#include <openssl/pem.h>
++#endif
+ #include <openssl/ssl.h>
+ #include <openssl/err.h>
+ #include <openssl/bn.h>
+@@ -59,7 +63,7 @@
+ #define ngx_ssl_conn_t          SSL
+ 
+ 
+-#if (OPENSSL_VERSION_NUMBER < 0x10002000L)
++#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX)
+ #define SSL_is_server(s)        (s)->server
+ #endif
+ 
+@@ -171,6 +175,7 @@
+ 
+ ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
+     ngx_uint_t prefer_server_ciphers);
++ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl);
+ ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+     ngx_str_t *cert, ngx_int_t depth);
+ ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+diff -ur nginx/src/event/ngx_event_openssl_stapling.c nginx-1.16.1-wolfssl/src/event/ngx_event_openssl_stapling.c
+--- nginx/src/event/ngx_event_openssl_stapling.c	2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/src/event/ngx_event_openssl_stapling.c	2019-10-28 16:59:15.485019190 +0100
+@@ -313,7 +313,9 @@
+     for (i = 0; i < n; i++) {
+         issuer = sk_X509_value(chain, i);
+         if (X509_check_issued(issuer, cert) == X509_V_OK) {
+-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
++#ifdef WOLFSSL_NGINX
++            issuer = X509_dup(issuer);
++#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
+             X509_up_ref(issuer);
+ #else
+             CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
+diff -ur nginx/src/http/modules/ngx_http_proxy_module.c nginx-1.16.1-wolfssl/src/http/modules/ngx_http_proxy_module.c
+--- nginx/src/http/modules/ngx_http_proxy_module.c	2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/src/http/modules/ngx_http_proxy_module.c	2019-10-28 16:59:15.489019127 +0100
+@@ -4307,6 +4307,8 @@
+             return NGX_ERROR;
+         }
+ 
++        ngx_ssl_set_verify_on(cf, plcf->upstream.ssl);
++
+         if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
+                                         &plcf->ssl_trusted_certificate,
+                                         plcf->ssl_verify_depth)
+diff -ur nginx/src/http/modules/ngx_http_ssl_module.c nginx-1.16.1-wolfssl/src/http/modules/ngx_http_ssl_module.c
+--- nginx/src/http/modules/ngx_http_ssl_module.c	2019-10-28 17:06:07.286673633 +0100
++++ nginx-1.16.1-wolfssl/src/http/modules/ngx_http_ssl_module.c	2019-10-28 16:59:15.489019127 +0100
+@@ -14,7 +14,11 @@
+     ngx_pool_t *pool, ngx_str_t *s);
+ 
+ 
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS     "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE  "auto"
+ 
+ #define NGX_HTTP_NPN_ADVERTISE  "\x08http/1.1"
+@@ -810,8 +814,10 @@
+         return NGX_CONF_ERROR;
+     }
+ 
++#ifndef WOLFSSL_NGINX
+     ngx_conf_merge_value(conf->builtin_session_cache,
+                          prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
++#endif
+ 
+     if (conf->shm_zone == NULL) {
+         conf->shm_zone = prev->shm_zone;
+diff -ur nginx/src/http/ngx_http_request.c nginx-1.16.1-wolfssl/src/http/ngx_http_request.c
+--- nginx/src/http/ngx_http_request.c	2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/src/http/ngx_http_request.c	2019-10-28 16:59:15.485019190 +0100
+@@ -851,6 +851,12 @@
+ 
+ 
+ #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
++#ifndef SSL_AD_NO_RENEGOTIATION
++#define SSL_AD_NO_RENEGOTIATION     100
++#endif
++#ifndef SSL_AD_INTERNAL_ERROR
++#define SSL_AD_INTERNAL_ERROR       80
++#endif
+ 
+ int
+ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+diff -ur nginx/src/mail/ngx_mail_ssl_module.c nginx-1.16.1-wolfssl/src/mail/ngx_mail_ssl_module.c
+--- nginx/src/mail/ngx_mail_ssl_module.c	2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/src/mail/ngx_mail_ssl_module.c	2019-10-28 16:59:15.489019127 +0100
+@@ -10,7 +10,11 @@
+ #include <ngx_mail.h>
+ 
+ 
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS     "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE  "auto"
+ 
+ 
+diff -ur nginx/src/stream/ngx_stream_proxy_module.c nginx-1.16.1-wolfssl/src/stream/ngx_stream_proxy_module.c
+--- nginx/src/stream/ngx_stream_proxy_module.c	2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/src/stream/ngx_stream_proxy_module.c	2019-10-28 16:59:15.493019066 +0100
+@@ -2131,6 +2131,8 @@
+             return NGX_ERROR;
+         }
+ 
++        ngx_ssl_set_verify_on(cf, pscf->ssl);
++
+         if (ngx_ssl_trusted_certificate(cf, pscf->ssl,
+                                         &pscf->ssl_trusted_certificate,
+                                         pscf->ssl_verify_depth)
+diff -ur nginx/src/stream/ngx_stream_ssl_module.c nginx-1.16.1-wolfssl/src/stream/ngx_stream_ssl_module.c
+--- nginx/src/stream/ngx_stream_ssl_module.c	2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/src/stream/ngx_stream_ssl_module.c	2019-10-28 16:59:15.493019066 +0100
+@@ -14,7 +14,11 @@
+     ngx_pool_t *pool, ngx_str_t *s);
+ 
+ 
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS     "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE  "auto"
+ 
+ 

nginx-1.17.5-wolfssl-debug.patch

@@ -0,0 +1,16 @@
+diff -ur nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.c nginx-1.17.5-wolfssl-debug/src/event/ngx_event_openssl.c
+--- nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.c	2019-11-04 21:29:39.856200843 +0100
++++ nginx-1.17.5-wolfssl-debug/src/event/ngx_event_openssl.c	2019-11-04 21:30:29.362010122 +0100
+@@ -165,6 +165,12 @@
+ 
+ #endif
+ 
++#ifdef WOLFSSL_NGINX
++    /* Turn on internal wolfssl debugging to stdout */
++    wolfSSL_Debugging_ON();
++#endif
++
++
+ #ifndef SSL_OP_NO_COMPRESSION
+     {
+     /*

nginx-1.17.5-wolfssl.patch

@@ -0,0 +1,302 @@
+diff -ur nginx/auto/lib/openssl/conf nginx-1.17.5-wolfssl/auto/lib/openssl/conf
+--- nginx/auto/lib/openssl/conf	2019-11-04 21:30:50.293130582 +0100
++++ nginx-1.17.5-wolfssl/auto/lib/openssl/conf	2019-11-04 21:29:39.848201210 +0100
+@@ -62,8 +62,33 @@
+         ngx_feature_path=
+         ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD"
+         ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
++
++        if [ $WOLFSSL != NONE ]; then
++            ngx_feature="wolfSSL library in $WOLFSSL"
++            ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include"
++
++            if [ $NGX_RPATH = YES ]; then
++                ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
++            else
++                ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
++            fi
++
++            CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl"
++            CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
++        fi
++
+         . auto/feature
+ 
++        if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
++cat << END
++
++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
++SSL modules require the wolfSSL library.
++
++END
++            exit 1
++        fi
++
+         if [ $ngx_found = no ]; then
+ 
+             # FreeBSD port
+diff -ur nginx/auto/options nginx-1.17.5-wolfssl/auto/options
+--- nginx/auto/options	2019-11-04 21:30:50.293130582 +0100
++++ nginx-1.17.5-wolfssl/auto/options	2019-11-04 21:29:39.848201210 +0100
+@@ -146,6 +146,7 @@
+ 
+ USE_OPENSSL=NO
+ OPENSSL=NONE
++WOLFSSL=NONE
+ 
+ USE_ZLIB=NO
+ ZLIB=NONE
+@@ -354,6 +355,7 @@
+         --with-pcre-opt=*)               PCRE_OPT="$value"          ;;
+         --with-pcre-jit)                 PCRE_JIT=YES               ;;
+ 
++        --with-wolfssl=*)                WOLFSSL="$value"           ;;
+         --with-openssl=*)                OPENSSL="$value"           ;;
+         --with-openssl-opt=*)            OPENSSL_OPT="$value"       ;;
+ 
+@@ -578,6 +580,7 @@
+   --with-libatomic                   force libatomic_ops library usage
+   --with-libatomic=DIR               set path to libatomic_ops library sources
+ 
++  --with-wolfssl=DIR                 set path to wolfSSL headers and library
+   --with-openssl=DIR                 set path to OpenSSL library sources
+   --with-openssl-opt=OPTIONS         set additional build options for OpenSSL
+ 
+Only in nginx: .git
+diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.c
+--- nginx/src/event/ngx_event_openssl.c	2019-11-04 21:30:50.297130417 +0100
++++ nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.c	2019-11-04 21:29:39.856200843 +0100
+@@ -383,6 +383,10 @@
+ 
+     SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+ 
++#ifdef WOLFSSL_NGINX
++    SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
++#endif
++
+     return NGX_OK;
+ }
+ 
+@@ -862,6 +866,14 @@
+ 
+ 
+ ngx_int_t
++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl)
++{
++    SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
++
++    return NGX_OK;
++}
++
++ngx_int_t
+ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
+     ngx_int_t depth)
+ {
+@@ -1361,7 +1373,8 @@
+      * maximum interoperability.
+      */
+ 
+-#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)
++#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \
++    defined(WOLFSSL_NGINX)
+ 
+     /*
+      * OpenSSL 1.0.2+ allows configuring a curve list instead of a single
+@@ -1481,10 +1494,26 @@
+ ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
+ {
+     ngx_connection_t  *c;
++#ifdef WOLFSSL_NGINX
++    int len;
++#endif
+ 
+     c = ngx_ssl_get_connection(ssl_conn);
+ 
+     if (c->ssl->save_session) {
++#ifdef WOLFSSL_NGINX
++        len = i2d_SSL_SESSION(sess, NULL);
++
++        /* do not cache too big session */
++        if (len > NGX_SSL_MAX_SESSION_SIZE) {
++            return -1;
++        }
++
++        if (!(sess = SSL_SESSION_dup(sess))) {
++            return -1;
++        }
++#endif
++
+         c->ssl->session = sess;
+ 
+         c->ssl->save_session(c);
+@@ -1556,7 +1585,9 @@
+ {
+ #ifdef TLS1_3_VERSION
+     if (c->ssl->session) {
++    #if !defined(WOLFSSL_NGINX)
+         SSL_SESSION_up_ref(c->ssl->session);
++    #endif
+         return c->ssl->session;
+     }
+ #endif
+@@ -3972,7 +4003,8 @@
+             return -1;
+         }
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
++    (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
+         if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
+             ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
+             return -1;
+@@ -4016,7 +4048,8 @@
+             size = 32;
+         }
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
++    (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
+         if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
+             ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
+             return -1;
+diff -ur nginx/src/event/ngx_event_openssl.h nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.h
+--- nginx/src/event/ngx_event_openssl.h	2019-11-04 21:30:50.293130582 +0100
++++ nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.h	2019-11-04 21:29:39.856200843 +0100
+@@ -12,6 +12,10 @@
+ #include <ngx_config.h>
+ #include <ngx_core.h>
+ 
++#ifdef WOLFSSL_NGINX
++#include <wolfssl/options.h>
++#include <openssl/pem.h>
++#endif
+ #include <openssl/ssl.h>
+ #include <openssl/err.h>
+ #include <openssl/bn.h>
+@@ -59,7 +63,7 @@
+ #define ngx_ssl_conn_t          SSL
+ 
+ 
+-#if (OPENSSL_VERSION_NUMBER < 0x10002000L)
++#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX)
+ #define SSL_is_server(s)        (s)->server
+ #endif
+ 
+@@ -172,6 +176,7 @@
+ 
+ ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
+     ngx_uint_t prefer_server_ciphers);
++ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl);
+ ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+     ngx_str_t *cert, ngx_int_t depth);
+ ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+diff -ur nginx/src/event/ngx_event_openssl_stapling.c nginx-1.17.5-wolfssl/src/event/ngx_event_openssl_stapling.c
+--- nginx/src/event/ngx_event_openssl_stapling.c	2019-11-04 21:30:50.293130582 +0100
++++ nginx-1.17.5-wolfssl/src/event/ngx_event_openssl_stapling.c	2019-11-04 21:29:39.856200843 +0100
+@@ -313,7 +313,9 @@
+     for (i = 0; i < n; i++) {
+         issuer = sk_X509_value(chain, i);
+         if (X509_check_issued(issuer, cert) == X509_V_OK) {
+-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
++#ifdef WOLFSSL_NGINX
++            issuer = X509_dup(issuer);
++#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
+             X509_up_ref(issuer);
+ #else
+             CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
+diff -ur nginx/src/http/modules/ngx_http_proxy_module.c nginx-1.17.5-wolfssl/src/http/modules/ngx_http_proxy_module.c
+--- nginx/src/http/modules/ngx_http_proxy_module.c	2019-11-04 21:30:50.293130582 +0100
++++ nginx-1.17.5-wolfssl/src/http/modules/ngx_http_proxy_module.c	2019-11-04 21:29:39.856200843 +0100
+@@ -4307,6 +4307,8 @@
+             return NGX_ERROR;
+         }
+ 
++        ngx_ssl_set_verify_on(cf, plcf->upstream.ssl);
++
+         if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
+                                         &plcf->ssl_trusted_certificate,
+                                         plcf->ssl_verify_depth)
+diff -ur nginx/src/http/modules/ngx_http_ssl_module.c nginx-1.17.5-wolfssl/src/http/modules/ngx_http_ssl_module.c
+--- nginx/src/http/modules/ngx_http_ssl_module.c	2019-11-04 21:30:50.293130582 +0100
++++ nginx-1.17.5-wolfssl/src/http/modules/ngx_http_ssl_module.c	2019-11-04 21:29:39.856200843 +0100
+@@ -14,7 +14,11 @@
+     ngx_pool_t *pool, ngx_str_t *s);
+ 
+ 
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS     "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE  "auto"
+ 
+ #define NGX_HTTP_NPN_ADVERTISE  "\x08http/1.1"
+@@ -810,8 +814,10 @@
+         return NGX_CONF_ERROR;
+     }
+ 
++#ifndef WOLFSSL_NGINX
+     ngx_conf_merge_value(conf->builtin_session_cache,
+                          prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
++#endif
+ 
+     if (conf->shm_zone == NULL) {
+         conf->shm_zone = prev->shm_zone;
+diff -ur nginx/src/http/ngx_http_request.c nginx-1.17.5-wolfssl/src/http/ngx_http_request.c
+--- nginx/src/http/ngx_http_request.c	2019-11-04 21:30:50.297130417 +0100
++++ nginx-1.17.5-wolfssl/src/http/ngx_http_request.c	2019-11-04 21:29:39.856200843 +0100
+@@ -851,6 +851,12 @@
+ 
+ 
+ #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
++#ifndef SSL_AD_NO_RENEGOTIATION
++#define SSL_AD_NO_RENEGOTIATION     100
++#endif
++#ifndef SSL_AD_INTERNAL_ERROR
++#define SSL_AD_INTERNAL_ERROR       80
++#endif
+ 
+ int
+ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+diff -ur nginx/src/mail/ngx_mail_ssl_module.c nginx-1.17.5-wolfssl/src/mail/ngx_mail_ssl_module.c
+--- nginx/src/mail/ngx_mail_ssl_module.c	2019-11-04 21:30:50.297130417 +0100
++++ nginx-1.17.5-wolfssl/src/mail/ngx_mail_ssl_module.c	2019-11-04 21:29:39.860200659 +0100
+@@ -10,7 +10,11 @@
+ #include <ngx_mail.h>
+ 
+ 
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS     "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE  "auto"
+ 
+ 
+diff -ur nginx/src/stream/ngx_stream_proxy_module.c nginx-1.17.5-wolfssl/src/stream/ngx_stream_proxy_module.c
+--- nginx/src/stream/ngx_stream_proxy_module.c	2019-11-04 21:30:50.297130417 +0100
++++ nginx-1.17.5-wolfssl/src/stream/ngx_stream_proxy_module.c	2019-11-04 21:29:39.864200476 +0100
+@@ -2136,6 +2136,8 @@
+             return NGX_ERROR;
+         }
+ 
++        ngx_ssl_set_verify_on(cf, pscf->ssl);
++
+         if (ngx_ssl_trusted_certificate(cf, pscf->ssl,
+                                         &pscf->ssl_trusted_certificate,
+                                         pscf->ssl_verify_depth)
+diff -ur nginx/src/stream/ngx_stream_ssl_module.c nginx-1.17.5-wolfssl/src/stream/ngx_stream_ssl_module.c
+--- nginx/src/stream/ngx_stream_ssl_module.c	2019-11-04 21:30:50.293130582 +0100
++++ nginx-1.17.5-wolfssl/src/stream/ngx_stream_ssl_module.c	2019-11-04 21:29:39.864200476 +0100
+@@ -14,7 +14,11 @@
+     ngx_pool_t *pool, ngx_str_t *s);
+ 
+ 
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS     "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE  "auto"
+ 
+ 

nginx-1.7.7-wolfssl-debug.patch

@@ -0,0 +1,17 @@
+diff --git a/src/core/nginx.c b/src/core/nginx.c
+index c75ee4fd..e7b49f0b 100644
+--- a/src/core/nginx.c
++++ b/src/core/nginx.c
+@@ -206,6 +206,11 @@ main(int argc, char *const *argv)
+     ngx_cycle_t      *cycle, init_cycle;
+     ngx_core_conf_t  *ccf;
+ 
++
++#ifdef WOLFSSL_NGINX
++    (void)wolfSSL_Debugging_ON();
++#endif
++
+     ngx_debug_init();
+ 
+     if (ngx_strerror_init() != NGX_OK) {
+

nginx-1.7.7-wolfssl.patch

@@ -0,0 +1,322 @@
+From 9a58b2ddaa713b312a9d14d6dd563d1df14c8231 Mon Sep 17 00:00:00 2001
+From: Juliusz Sosinowicz <juliusz@wolfssl.com>
+Date: Tue, 1 Dec 2020 13:41:20 +0100
+Subject: [PATCH] wolfSSL Patch for Nginx 1.7.7
+
+Build instructions:
+- Build wolfSSL (run in wolfSSL directory):
+`./configure --enable-nginx`
+`make`
+`make install`
+The default installation directory is `/usr/local`.
+- Build Nginx (run in Nginx directory):
+  - Apply patch:
+`patch -p1 < nginx-1.7.7-wolfssl.patch`
+  - Compile Nginx (some warnings need to be disabled):
+`./configure --with-wolfssl=/usr/local --with-http_ssl_module --with-cc-opt='-Wimplicit-fallthrough=0 -Wno-cast-function-type'`
+`make`
+
+Port nginx 1.7.7 to wolfSSL:
+- `auto/lib/openssl/conf`: Detect wolfSSL library and setup compilation options
+- `auto/options`: Add wolfSSL configure option
+- `src/core/nginx.c`: Enable debugging if wolfSSL is compiled with `--enable-debug`
+- `src/event/ngx_event_openssl.c`:
+  - Nginx wants the SSL library to not do any certificate verification by default
+  - No need to disble renegotiation since wolfSSL has it disabled by default
+  - Fix TLS tickets callback to return correct values
+  - Ignore undefined handshake failure codes
+- `src/event/ngx_event_openssl.h`: Include wolfSSL options file
+- `src/event/ngx_event_openssl_stapling.c`: Use `wolfSSL_X509_up_ref` to increment issuer certificate reference counter
+- `src/http/modules/ngx_http_ssl_module.c`: wolfSSL "ALL" provides adequate default ciphers
+- `src/http/ngx_http_upstream.c`: Correct type mismatch
+- `src/mail/ngx_mail_ssl_module.c`: wolfSSL "ALL" provides adequate default ciphers
+- `src/os/unix/ngx_user.c`: `current_salt` not part of `struct crypt_data` in recent glibc version
+
+nginx-tests remarks:
+- All tests in nginx-tests should pass. Some tests test reusing a session but fail on my machine. Manually setting up the server and connecting through Firefox correctly re-uses the session suggesting that the issue is on the client side not the server. I assume that this is an error in my version of Perl (which is the client in the nginx-tests).
+- When running nginx-tests with TLS 1.3 then session resumption tests will fail since the tests are not configured for SSL tickets. I tested session reuse manually with Firefox and confirmed that they work.
+- nginx 1.7.7 does not do session reuse with TLS 1.3 (when acting as a proxy) because it calls SSL_get1_session too soon.
+---
+ auto/lib/openssl/conf                  | 35 ++++++++++++++++++++++----
+ auto/options                           |  3 +++
+ src/core/nginx.c                       |  5 ++++
+ src/event/ngx_event_openssl.c          | 17 +++++++++++--
+ src/event/ngx_event_openssl.h          |  3 +++
+ src/event/ngx_event_openssl_stapling.c |  8 ++++++
+ src/http/modules/ngx_http_ssl_module.c |  4 +++
+ src/http/ngx_http_upstream.c           |  7 +++++-
+ src/mail/ngx_mail_ssl_module.c         |  4 +++
+ src/os/unix/ngx_user.c                 |  2 ++
+ 10 files changed, 80 insertions(+), 8 deletions(-)
+
+diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
+index a65815f6..0796e3ab 100644
+--- a/auto/lib/openssl/conf
++++ b/auto/lib/openssl/conf
+@@ -49,11 +49,38 @@ else
+         ngx_feature="OpenSSL library"
+         ngx_feature_name="NGX_OPENSSL"
+         ngx_feature_run=no
+-        ngx_feature_incs="#include <openssl/ssl.h>"
++        ngx_feature_incs="#include <options.h>
++                          #include <openssl/ssl.h>"
+         ngx_feature_path=
+         ngx_feature_libs="-lssl -lcrypto"
+         ngx_feature_test="SSL_library_init()"
++        
++        if [ $WOLFSSL != NONE ]; then
++            ngx_feature="wolfSSL library in $WOLFSSL"
++            ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include"
++
++            if [ $NGX_RPATH = YES ]; then
++                ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl -lm $NGX_LIBDL"
++            else
++                ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl -lm $NGX_LIBDL"
++            fi
++
++            CORE_INCS="$CORE_INCS $ngx_feature_path"
++            CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
++        fi
++        
+         . auto/feature
++        
++        if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
++cat << END
++
++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
++SSL modules require the wolfSSL library.
++
++END
++            exit 1
++        fi
++        
+ 
+         if [ $ngx_found = yes ]; then
+             have=NGX_SSL . auto/have
+@@ -66,10 +93,8 @@ else
+ 
+ cat << END
+ 
+-$0: error: SSL modules require the OpenSSL library.
+-You can either do not enable the modules, or install the OpenSSL library
+-into the system, or build the OpenSSL library statically from the source
+-with nginx by using --with-openssl=<path> option.
++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
++SSL modules require the wolfSSL library.
+ 
+ END
+         exit 1
+diff --git a/auto/options b/auto/options
+index 0d296ac6..7688cad7 100644
+--- a/auto/options
++++ b/auto/options
+@@ -121,6 +121,7 @@ PCRE_OPT=
+ PCRE_CONF_OPT=
+ PCRE_JIT=NO
+ 
++WOLFSSL=NONE
+ USE_OPENSSL=NO
+ OPENSSL=NONE
+ 
+@@ -292,6 +293,7 @@ use the \"--without-http_limit_conn_module\" option instead"
+         --with-pcre-opt=*)               PCRE_OPT="$value"          ;;
+         --with-pcre-jit)                 PCRE_JIT=YES               ;;
+ 
++        --with-wolfssl=*)                WOLFSSL="$value"           ;;
+         --with-openssl=*)                OPENSSL="$value"           ;;
+         --with-openssl-opt=*)            OPENSSL_OPT="$value"       ;;
+ 
+@@ -469,6 +471,7 @@ cat << END
+ 
+   --with-openssl=DIR                 set path to OpenSSL library sources
+   --with-openssl-opt=OPTIONS         set additional build options for OpenSSL
++  --with-wolfssl=DIR                 set path to wolfSSL library
+ 
+   --with-debug                       enable debug logging
+ 
+diff --git a/src/core/nginx.c b/src/core/nginx.c
+index c75ee4fd..e7b49f0b 100644
+--- a/src/core/nginx.c
++++ b/src/core/nginx.c
+@@ -206,6 +206,11 @@ main(int argc, char *const *argv)
+     ngx_cycle_t      *cycle, init_cycle;
+     ngx_core_conf_t  *ccf;
+ 
++
++#ifdef WOLFSSL_NGINX
++    (void)wolfSSL_Debugging_ON();
++#endif
++
+     ngx_debug_init();
+ 
+     if (ngx_strerror_init() != NGX_OK) {
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index f3456527..065ec5af 100644
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -204,6 +204,11 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
+         return NGX_ERROR;
+     }
+ 
++#ifdef WOLFSSL_NGINX
++    /* nginx expects that the SSL library doesn't verify certs by default */
++    SSL_CTX_set_verify(ssl->ctx, WOLFSSL_VERIFY_NONE, NULL);
++#endif
++
+     ssl->buffer_size = NGX_SSL_BUFSIZE;
+ 
+     /* client side options */
+@@ -1096,10 +1101,13 @@ ngx_ssl_handshake(ngx_connection_t *c)
+         c->recv_chain = ngx_ssl_recv_chain;
+         c->send_chain = ngx_ssl_send_chain;
+ 
++        /* wolfSSL has renegotiation disabled by default */
++#ifndef WOLFSSL_NGINX
+         /* initial handshake done, disable renegotiation (CVE-2009-3555) */
+         if (c->ssl->connection->s3) {
+             c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+         }
++#endif
+ 
+         return NGX_OK;
+     }
+@@ -1844,7 +1852,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
+             || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST              /*  151 */
+             || n == SSL_R_EXCESSIVE_MESSAGE_SIZE                     /*  152 */
+             || n == SSL_R_LENGTH_MISMATCH                            /*  159 */
++#ifndef WOLFSSL_NGINX
+             || n == SSL_R_NO_CIPHERS_PASSED                          /*  182 */
++#endif
+             || n == SSL_R_NO_CIPHERS_SPECIFIED                       /*  183 */
+             || n == SSL_R_NO_COMPRESSION_SPECIFIED                   /*  187 */
+             || n == SSL_R_NO_SHARED_CIPHER                           /*  193 */
+@@ -1869,6 +1879,7 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
+ #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING
+             || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING           /*  345 */
+ #endif
++#ifndef WOLFSSL_NGINX
+             || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
+             || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE             /* 1010 */
+             || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC                 /* 1020 */
+@@ -1892,7 +1903,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
+             || n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY          /* 1071 */
+             || n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR                 /* 1080 */
+             || n == SSL_R_TLSV1_ALERT_USER_CANCELLED                 /* 1090 */
+-            || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION)              /* 1100 */
++            || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION              /* 1100 */
++#endif
++            )
+         {
+             switch (c->log_error) {
+ 
+@@ -2798,7 +2811,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
+                      ngx_ssl_session_ticket_md(), NULL);
+         ngx_memcpy(name, key[0].name, 16);
+ 
+-        return 0;
++        return 1;
+ 
+     } else {
+         /* decrypt session ticket */
+diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
+index 08eff644..e39cce3d 100644
+--- a/src/event/ngx_event_openssl.h
++++ b/src/event/ngx_event_openssl.h
+@@ -12,6 +12,9 @@
+ #include <ngx_config.h>
+ #include <ngx_core.h>
+ 
++#ifdef WOLFSSL_NGINX
++#include <wolfssl/options.h>
++#endif
+ #include <openssl/ssl.h>
+ #include <openssl/err.h>
+ #include <openssl/bn.h>
+diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
+index 2fa06730..afdbab3f 100644
+--- a/src/event/ngx_event_openssl_stapling.c
++++ b/src/event/ngx_event_openssl_stapling.c
+@@ -281,7 +281,15 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl)
+     for (i = 0; i < n; i++) {
+         issuer = sk_X509_value(chain, i);
+         if (X509_check_issued(issuer, cert) == X509_V_OK) {
++#ifndef WOLFSSL_NGINX
+             CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
++#else
++            if (wolfSSL_X509_up_ref(issuer) != 1) {
++                ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
++                              "wolfSSL_X509_up_ref() failed");
++                return NGX_ERROR;
++            }
++#endif
+ 
+             ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
+                            "SSL get issuer: found %p in extra certs", issuer);
+diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
+index 4c69091d..5a78efcb 100644
+--- a/src/http/modules/ngx_http_ssl_module.c
++++ b/src/http/modules/ngx_http_ssl_module.c
+@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
+     ngx_pool_t *pool, ngx_str_t *s);
+ 
+ 
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS     "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE  "prime256v1"
+ 
+ #define NGX_HTTP_NPN_ADVERTISE  "\x08http/1.1"
+diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
+index 3e8ce09e..ef80c9ba 100644
+--- a/src/http/ngx_http_upstream.c
++++ b/src/http/ngx_http_upstream.c
+@@ -1566,7 +1566,12 @@ ngx_http_upstream_ssl_name(ngx_http_request_t *r, ngx_http_upstream_t *u,
+     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                    "upstream SSL server name: \"%s\"", name.data);
+ 
+-    if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) {
++#ifdef WOLFSSL_NGINX
++    if (SSL_set_tlsext_host_name(c->ssl->connection, (char *)name.data) == 0)
++#else
++    if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0)
++#endif
++    {
+         ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0,
+                       "SSL_set_tlsext_host_name(\"%s\") failed", name.data);
+         return NGX_ERROR;
+diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
+index f864d991..f43b1ebd 100644
+--- a/src/mail/ngx_mail_ssl_module.c
++++ b/src/mail/ngx_mail_ssl_module.c
+@@ -10,7 +10,11 @@
+ #include <ngx_mail.h>
+ 
+ 
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS     "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE  "prime256v1"
+ 
+ 
+diff --git a/src/os/unix/ngx_user.c b/src/os/unix/ngx_user.c
+index 7a71203c..816d5216 100644
+--- a/src/os/unix/ngx_user.c
++++ b/src/os/unix/ngx_user.c
+@@ -31,8 +31,10 @@ ngx_libc_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
+     struct crypt_data   cd;
+ 
+     cd.initialized = 0;
++#if defined(__GLIBC__) && !defined(CRYPT_DATA_INTERNAL_SIZE)
+     /* work around the glibc bug */
+     cd.current_salt[0] = ~salt[0];
++#endif
+ 
+     value = crypt_r((char *) key, (char *) salt, &cd);
+ 
+-- 
+2.25.1
+

ssl_stapling.t.patch

@@ -0,0 +1,117 @@
+commit 76a0d0fe158ba0bc2d9a71ef3bd8ff52949a10a1
+Author: Juliusz Sosinowicz <juliusz@wolfssl.com>
+Date:   Thu Oct 24 11:45:49 2019 +0200
+
+    different ports for different certs
+
+diff --git a/ssl_stapling.t b/ssl_stapling.t
+index d5b8ff3..ee57012 100644
+--- a/ssl_stapling.t
++++ b/ssl_stapling.t
+@@ -53,18 +53,21 @@ http {
+     ssl_stapling on;
+     ssl_trusted_certificate trusted.crt;
+ 
+-    ssl_certificate ec-end-int.crt;
+-    ssl_certificate_key ec-end.key;
+-
+-    ssl_certificate end-int.crt;
+-    ssl_certificate_key end.key;
+-
+     ssl_ciphers DEFAULT:ECCdraft;
+ 
+     server {
+         listen       127.0.0.1:8443 ssl;
+         listen       127.0.0.1:8080;
+         server_name  localhost;
++    ssl_certificate end-int.crt;
++    ssl_certificate_key end.key;
++    }
++    server {
++        listen       127.0.0.1:8453 ssl;
++        listen       127.0.0.1:8090;
++        server_name  localhost;
++    ssl_certificate ec-end-int.crt;
++    ssl_certificate_key ec-end.key;
+     }
+ 
+     server {
+@@ -72,6 +75,17 @@ http {
+         server_name  localhost;
+ 
+         ssl_stapling_responder http://127.0.0.1:8081/;
++    ssl_certificate end-int.crt;
++    ssl_certificate_key end.key;
++    }
++
++    server {
++        listen       127.0.0.1:8454 ssl;
++        server_name  localhost;
++
++        ssl_stapling_responder http://127.0.0.1:8081/;
++    ssl_certificate ec-end-int.crt;
++    ssl_certificate_key ec-end.key;
+     }
+ 
+     server {
+@@ -79,6 +93,8 @@ http {
+         server_name  localhost;
+ 
+         ssl_stapling_verify on;
++    ssl_certificate ec-end-int.crt;
++    ssl_certificate_key ec-end.key;
+     }
+ 
+     server {
+@@ -87,6 +103,8 @@ http {
+ 
+         ssl_certificate ec-end.crt;
+         ssl_certificate_key ec-end.key;
++    ssl_certificate ec-end-int.crt;
++    ssl_certificate_key ec-end.key;
+     }
+ 
+     server {
+@@ -97,6 +115,8 @@ http {
+         ssl_certificate_key end.key;
+ 
+         ssl_stapling_file %%TESTDIR%%/resp.der;
++    ssl_certificate end-int.crt;
++    ssl_certificate_key end.key;
+     }
+ 
+     server {
+@@ -114,6 +134,8 @@ http {
+         server_name  localhost;
+ 
+         ssl_stapling_responder http://127.0.0.1:8080/;
++    ssl_certificate ec-end-int.crt;
++    ssl_certificate_key ec-end.key;
+     }
+ }
+ 
+@@ -249,9 +271,9 @@ $t->waitforsocket("127.0.0.1:" . port(8081));
+ my $version = get_version();
+ 
+ staple(8443, 'RSA');
+-staple(8443, 'ECDSA');
++staple(8453, 'ECDSA');
+ staple(8444, 'RSA');
+-staple(8444, 'ECDSA');
++staple(8454, 'ECDSA');
+ staple(8445, 'ECDSA');
+ staple(8446, 'ECDSA');
+ staple(8449, 'ECDSA');
+@@ -259,10 +281,10 @@ staple(8449, 'ECDSA');
+ sleep 1;
+ 
+ ok(!staple(8443, 'RSA'), 'staple revoked');
+-ok(staple(8443, 'ECDSA'), 'staple success');
++ok(staple(8453, 'ECDSA'), 'staple success');
+ 
+ ok(!staple(8444, 'RSA'), 'responder revoked');
+-ok(staple(8444, 'ECDSA'), 'responder success');
++ok(staple(8454, 'ECDSA'), 'responder success');
+ 
+ ok(!staple(8445, 'ECDSA'), 'verify - root not trusted');
+ 

test.sh

@@ -219,7 +219,7 @@ echo '#'
 PORT=11443
 echo "# Port: $PORT"
 OPTS=
-EXPECT=("SSL DH size is 2048 bits" "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK" "resume response")
+EXPECT=("2048" "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK" "resume response")
 client_test
 # Default certificate, DH, verify client
 echo