From ea8729e93f7e886af251b12a7e91681c6242d163 Mon Sep 17 00:00:00 2001
From: ammnt
Date: Mon, 9 Mar 2026 11:29:17 +0300
Subject: [PATCH 1/6] fix(env): update OpenSSL version to 4.0.0 for improved security feat(README): add support for Encrypted Client Hello (ECH) in TLS 1.3 fix(example.conf): update log format and add commented SSL configurations
---
 .env | 2 +-
 README.md | 1 +
 example.conf | 12 ++++++++++--
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/.env b/.env
index 2c8590d..66c9657 100644
--- a/.env
+++ b/.env
@@ -1,6 +1,6 @@
 BASE_VERSION=3.23.3
 BASE_HASH=25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
-OPENSSL_VERSION=3.6.1
+OPENSSL_VERSION=4.0.0
 APP_VERSION=1.29.5
 PCRE_VERSION=10.47
 ZLIB_VERSION=2.3.3
diff --git a/README.md b/README.md
index 1b754f8..734de13 100644
--- a/README.md
+++ b/README.md
@@ -114,6 +114,7 @@ spec:
 - **Native QUIC and HTTP/3 support** - OpenSSL and QUIC without patches or experimental implementations (RFC 9114, RFC 9000)
 - **Native PQC support** - hybrid post-quantum key exchange algorithms in elliptic curves (NIST PQC Standardization, FIPS 203/204/205)
 - **Native TLS 1.3 with 0-RTT** (RFC 8446, RFC 9001)
+- **Native support for the Encrypted Client Hello (ECH)** - extension of the TLS 1.3 protocol
 
 ### **Supply Chain Integrity**
 - **Signed images** - signatures and **provenance attestation** (SLSA Level 3 requirements, in-toto attestations)
diff --git a/example.conf b/example.conf
index 706a88a..6b04c8f 100644
--- a/example.conf
+++ b/example.conf
@@ -46,6 +46,10 @@ http {
 ssl_session_tickets off;
 ssl_session_timeout 1440m;
 ssl_buffer_size 4k;
+ # ssl_protocols TLSv1.3;
+ # ssl_ecdh_curve X25519MLKEM768:X25519;
+ # ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE:!COMPLEMENTOFDEFAULT;
+ # ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384;
 ssl_protocols TLSv1.3 TLSv1.2;
 ssl_ecdh_curve X25519MLKEM768:X25519:SecP384r1MLKEM1024:SecP256r1MLKEM768:secp521r1:secp384r1;
 ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDH+AESGCM+AES256:ECDH+CHACHA20;
@@ -56,6 +60,7 @@ http {
 ssl_certificate_key /etc/freenginx/ssl/privkey.pem;
 ssl_trusted_certificate /etc/freenginx/ssl/fullchain.pem;
 ssl_dhparam /etc/freenginx/ssl/dhparam.pem;
+ # ssl_ech_file /etc/angie/ssl/ech.pem.ech;
 ssl_stapling on;
 ssl_stapling_verify on;
 ssl_ocsp on;
@@ -68,7 +73,9 @@ http {
 add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1' always;
 quic_retry on;
 quic_gso on;
- log_format main '$time_iso8601 $ssl_server_name $scheme $ssl_alpn_protocol $status $uri $ssl_protocol $server_protocol $ssl_curve $ssl_cipher';
+ log_format main '[$time_local] $request_time $uri $status $ssl_protocol $server_protocol $ssl_curve $ssl_cipher';
+ # log_format ech '[$time_local] $request_time "$request" $status $uri $status $ssl_protocol $server_protocol $ssl_curve $ssl_cipher'
+ # 'ECH:$ssl_ech_status:$ssl_ech_outer_server_name $ssl_server_name';
 log_format debug escape=json '{'
 '"@timestamp": "$time_iso8601", '
 '"msec": "$msec", '
@@ -114,8 +121,9 @@ http {
 '"http_cf_ray": "$http_cf_ray", '
 '"http_x_forwarded_proto": "$http_x_forwarded_proto" '
 '}';
- access_log /dev/stdout simple;
+ access_log /dev/stdout main;
 error_log stderr warn;
+ gzip on;
 gzip_vary on;
 gzip_proxied any;
From 1c93cdc7b94951c595e6d344a2188b245ff7e771 Mon Sep 17 00:00:00 2001
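Review bot: In the commented block, `# ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE:!COMPLEMENTOFDEFAULT;` has no effect under the `# ssl_protocols TLSv1.3;` it sits next to: with OpenSSL, `ssl_ciphers` configures the TLS 1.2-and-below cipher list, and the TLS 1.3 suites are selected only by the `# ssl_conf_command Ciphersuites …;` line that follows. The four lines also say nothing about why they exist beside the live `ssl_protocols TLSv1.3 TLSv1.2;` / `ssl_ecdh_curve` / `ssl_ciphers` directives, so a reader cannot tell whether they are a stricter TLS 1.3-only profile or a leftover. A one-line header, `# Optional strict profile: TLS 1.3 only (ECH is negotiated on TLS 1.3 connections only); ssl_ciphers is a no-op once TLSv1.2 is disabled`, would settle that, and the `ssl_ciphers` line could then be dropped from the block. The enclosing `http {` block starts before this hunk.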
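Review bot: The added `# ssl_ech_file /etc/angie/ssl/ech.pem.ech;` uses `/etc/angie/ssl/` while the adjacent `ssl_certificate_key`, `ssl_trusted_certificate` and `ssl_dhparam` lines all use `/etc/freenginx/ssl/`, so uncommenting it as-is points at a directory the rest of the example never references; patch 2/6 renames the directive to `ssl_encrypted_hello_key` but keeps the same path. Suggest `# ssl_ech_file /etc/freenginx/ssl/ech.pem.ech;` here and the same path in patch 2/6. Because the line stays commented, nothing in this series validates that the directive is accepted by freenginx 1.29.5 with the OpenSSL 4.0.0 bumped in `.env` — a bump that, unlike `BASE_HASH`, carries no checksum there, and whether the tarball is verified elsewhere is not visible on this page — so a comment naming the versions that introduced the directive would help readers. The file presumably holds the ECH private key as well as the ECHConfig, so a note that it needs the same ownership and mode as `privkey.pem` belongs next to it; confirm against the directive's documentation. The enclosing `http {` block starts before this hunk.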
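Review bot: The commented `# log_format ech '[$time_local] $request_time "$request" $status $uri $status …'` logs `$status` twice and `$uri` next to `"$request"`, which already contains the request line, so the columns will be ambiguous the moment someone enables it. Suggest `# log_format ech '[$time_local] $request_time "$request" $status $ssl_protocol $server_protocol $ssl_curve $ssl_cipher'` for that line, keeping the `'ECH:$ssl_ech_status:$ssl_ech_outer_server_name $ssl_server_name';` continuation unchanged. Note also that the live `main` format no longer carries `$ssl_server_name` or `$ssl_alpn_protocol`, which the replaced line did; if dropping the SNI from the default log is intended, say so in a comment, because the inner/outer name pair only present in the commented `ech` format is what an operator needs to monitor an ECH deployment. The enclosing `http {` block starts before this hunk.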
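Review bot: `gzip on;` is the one functional addition in this hunk and is unrelated to the commit subject: `gzip_vary on;` and `gzip_proxied any;` were already present, so compression was previously off (the nginx default) and this line enables it for whatever `gzip_types` (not visible in the hunk) allows. Compressing dynamic responses over TLS is the precondition for BREACH-style compression side channels on pages that echo request input alongside secrets, so an example that advertises an "A+" profile should either confine `gzip_types` to static asset types or state the trade-off, e.g. `gzip on; # compression over TLS: keep gzip_types to static content unless BREACH is not a concern for this site`. The `access_log /dev/stdout main;` change reads as a fix, since no `log_format simple` appears in any visible hunk of the file; if so, the commit message should mention it. The enclosing `http {` block starts before this hunk.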
From: ammnt
Date: Mon, 9 Mar 2026 11:35:29 +0300
Subject: [PATCH 2/6] fix(env): update OpenSSL version to 4.0.0 for improved security feat(README): add support for Encrypted Client Hello (ECH) in TLS 1.3 fix(example.conf): update log format and add commented SSL configurations
---
 example.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/example.conf b/example.conf
index 6b04c8f..c3e0463 100644
--- a/example.conf
+++ b/example.conf
@@ -60,7 +60,7 @@ http {
 ssl_certificate_key /etc/freenginx/ssl/privkey.pem;
 ssl_trusted_certificate /etc/freenginx/ssl/fullchain.pem;
 ssl_dhparam /etc/freenginx/ssl/dhparam.pem;
- # ssl_ech_file /etc/angie/ssl/ech.pem.ech;
+ # ssl_encrypted_hello_key /etc/angie/ssl/ech.pem.ech;
 ssl_stapling on;
 ssl_stapling_verify on;
 ssl_ocsp on;
From c7ba452628bd8318504bee096f334bf1d0a19545 Mon Sep 17 00:00:00 2001
From: ammnt
Date: Mon, 9 Mar 2026 12:02:26 +0300
Subject: [PATCH 3/6] fix(env): update OpenSSL version to 4.0.0 for improved security feat(README): add support for Encrypted Client Hello (ECH) in TLS 1.3 fix(example.conf): update log format and add commented SSL configurations
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 734de13..2555c8d 100644
--- a/README.md
+++ b/README.md
@@ -114,7 +114,7 @@ spec:
 - **Native QUIC and HTTP/3 support** - OpenSSL and QUIC without patches or experimental implementations (RFC 9114, RFC 9000)
 - **Native PQC support** - hybrid post-quantum key exchange algorithms in elliptic curves (NIST PQC Standardization, FIPS 203/204/205)
 - **Native TLS 1.3 with 0-RTT** (RFC 8446, RFC 9001)
-- **Native support for the Encrypted Client Hello (ECH)** - extension of the TLS 1.3 protocol
+- **Native support for the Encrypted Client Hello (ECH)** - extension of the TLS 1.3 protocol (RFC 9849)
 
 ### **Supply Chain Integrity**
 - **Signed images** - signatures and **provenance attestation** (SLSA Level 3 requirements, in-toto attestations)
From 22836d53a8790369ede30ba543846d9c4091ec7d Mon Sep 17 00:00:00 2001
From: ammnt
Date: Mon, 9 Mar 2026 12:41:52 +0300
Subject: [PATCH 4/6] fix(env): update OpenSSL version to 4.0.0 for improved security feat(README): add support for Encrypted Client Hello (ECH) in TLS 1.3 fix(example.conf): update log format and add commented SSL configurations
---
 example.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/example.conf b/example.conf
index c3e0463..740a199 100644
--- a/example.conf
+++ b/example.conf
@@ -1,4 +1,4 @@
-# This is an example of a configuration file for enabling QUIC, HTTP3 and "A+" SSL tests rating. Further configuration is required.
+# This is an example of a configuration file for enabling QUIC, HTTP3, PQC, ECH and "A+" SSL tests rating. Further configuration is required.
 worker_processes auto;
 worker_rlimit_nofile 65536;
 pid /tmp/freenginx.pid;
From 8d91b802eec3b96e02e196c0e04e0f57be6bca26 Mon Sep 17 00:00:00 2001
From: ammnt
Date: Mon, 9 Mar 2026 17:21:28 +0300
Subject: [PATCH 5/6] fix(env): update OpenSSL version to 4.0.0 for improved security feat(README): add support for Encrypted Client Hello (ECH) in TLS 1.3 fix(example.conf): update log format and add commented SSL configurations
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 2555c8d..b36a7d9 100644
--- a/README.md
+++ b/README.md
@@ -8,16 +8,16 @@
 ![GitHub Maintained](https://img.shields.io/badge/open%20source-yes-orange) ![GitHub Maintained](https://img.shields.io/badge/maintained-yes-yellow)
-> **Production-ready, security-focused FreeNGINX image with HTTP/3, QUIC and PQC support.**
+> **Production-ready, security-focused FreeNGINX image with HTTP/3, QUIC, ECH and PQC support.**
 > [!IMPORTANT]
-> QuicTLS is now deprecated. I use OpenSSL, since this library natively supports OCSP, PQC and QUIC⚠️
+> QuicTLS is now deprecated. I use OpenSSL, since this library natively supports OCSP, PQC, ECH and QUIC⚠️
 > [!IMPORTANT]
 > NJS module has been removed due to security vulnerabilities in libxml2/libxslt dependencies⚠️
 > [!TIP]
-> You can find an example [configuration file](example.conf) in the repository for successfully configuring HTTP/3 and PQC💡
+> You can find an example [configuration file](example.conf) in the repository for successfully configuring HTTP/3, ECH and PQC💡
 > [!IMPORTANT]
 > UID/GID changed to 10001 - it's [recommended](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for Kubernetes and prevents conflicts with system users⚠️
From 8ebb86c785b47ea3319f47482e3934804373a7ba Mon Sep 17 00:00:00 2001
From: ammnt
Date: Mon, 9 Mar 2026 17:23:26 +0300
Subject: [PATCH 6/6] fix(env): update OpenSSL version to 4.0.0 for improved security feat(README): add support for Encrypted Client Hello (ECH) in TLS 1.3 fix(example.conf): update log format and add commented SSL configurations
---
 Dockerfile.template | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile.template b/Dockerfile.template
index 7132e03..b63bd14 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -194,11 +194,11 @@ COPY --chown="${UID}:${GID}" ./default.conf /etc/freenginx/conf.d/default.conf
 EXPOSE 8080/tcp 8443/tcp 8443/udp
 # OCI labels for image metadata
-LABEL description="Distroless FreeNGINX with HTTP/3, QUIC and PQC support🚀" \
+LABEL description="Distroless FreeNGINX with HTTP/3, QUIC, ECH and PQC support🚀" \
 maintainer="ammnt " \
- org.opencontainers.image.description="Distroless FreeNGINX with HTTP/3, QUIC and PQC support🚀" \
+ org.opencontainers.image.description="Distroless FreeNGINX with HTTP/3, QUIC, ECH and PQC support🚀" \
 org.opencontainers.image.authors="ammnt, admin@msftcnsi.com" \
- org.opencontainers.image.title="Distroless FreeNGINX with HTTP/3, QUIC and PQC support🚀" \
+ org.opencontainers.image.title="Distroless FreeNGINX with HTTP/3, QUIC, ECH and PQC support🚀" \
 org.opencontainers.image.source="https://github.com/ammnt/freenginx/" \
 org.opencontainers.image.created=${BUILD_DATE} \
 org.opencontainers.image.documentation="https://github.com/ammnt/freenginx/blob/main/README.md" \