From 647c4f428ccf9b1fa4a2291b75ecee366d2bb16f Mon Sep 17 00:00:00 2001 From: lwthiker Date: Sat, 19 Feb 2022 00:48:26 +0200 Subject: [PATCH] Finalize TLS Client Hello to impersonate Chrome --- Dockerfile.chrome | 5 +++-- curl-openssl.patch | 25 +++++++++++++++++-------- 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/Dockerfile.chrome b/Dockerfile.chrome index b9330d0..863de0d 100644 --- a/Dockerfile.chrome +++ b/Dockerfile.chrome @@ -61,9 +61,10 @@ RUN cd ${CURL_VERSION} && \ for p in $(ls curl-*.patch); do patch -p1 < $p; done && \ autoreconf -fi -# Compile curl with BoringSSL +# Compile curl with BoringSSL & nghttp2. +# Enable keylogfile for debugging of TLS traffic. RUN cd ${CURL_VERSION} && \ - ./configure --with-openssl=/build/boringssl/build --enable-static --disable-shared --with-nghttp2=/usr/local LIBS="-pthread" CFLAGS="-I/build/boringssl/build" && \ + ./configure --with-openssl=/build/boringssl/build --enable-static --disable-shared --with-nghttp2=/usr/local LIBS="-pthread" CFLAGS="-I/build/boringssl/build" USE_CURL_SSLKEYLOGFILE=true && \ make # 'xxd' is needed for the wrapper script diff --git a/curl-openssl.patch b/curl-openssl.patch index 22db8ab..ada8b0d 100644 --- a/curl-openssl.patch +++ b/curl-openssl.patch @@ -1,5 +1,5 @@ --- curl-7.81.0-original/lib/vtls/openssl.c 2022-01-03 18:36:46.000000000 +0200 -+++ curl-7.81.0/lib/vtls/openssl.c 2022-02-18 18:07:04.220805893 +0200 ++++ curl-7.81.0/lib/vtls/openssl.c 2022-02-18 20:02:23.559231773 +0200 @@ -78,2 +78,4 @@ +#include @@ -49,7 +49,7 @@ SSL_CTX_set_next_proto_select_cb(backend->ctx, select_next_proto_cb, data); + */ #endif -@@ -2939,2 +2972,19 @@ +@@ -2939,2 +2972,15 @@ + /* curl-impersonate: + * Configure BoringSSL to behave like Chrome. 
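Review bot: In the Dockerfile.chrome hunk, `USE_CURL_SSLKEYLOGFILE=true` is added to the only `./configure` invocation, so the key-logging build is the one every image ships, not just a debug variant. A curl built with key logging writes TLS session secrets to whatever file the `SSLKEYLOGFILE` environment variable names, and anyone who can read that file can decrypt a capture of the traffic. The new comment should say so, e.g. `# Enable keylogfile for debugging of TLS traffic: secrets are written only when SSLKEYLOGFILE is set; keep it unset outside debugging.` It is also not visible from the hunk whether curl's configure consumes this variable when it is passed as an argument, so it is worth confirming in the build output that the setting has the intended effect.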
@@ -64,21 +64,30 @@ + * Add Brotli decompression. See Chromium net/ssl/cert_compression.cc */ + SSL_CTX_add_cert_compression_alg(backend->ctx, + TLSEXT_cert_compression_brotli, NULL, DecompressBrotliCert); -+ -+ /* Enable TLS extensions 5 - status_request and 18 - signed_certificate_timestamp. */ -+ SSL_CTX_enable_ocsp_stapling(backend->ctx); -+ SSL_CTX_enable_signed_cert_timestamps(backend->ctx); -@@ -3238,2 +3288,24 @@ +@@ -3238,2 +3284,37 @@ +#ifdef USE_HTTP2 + /* curl-impersonate: This adds the ALPS extension (17513). + * Chromium calls this function as well in SSLClientSocketImpl::Init(). + * The 4th parameter is called "settings", and I don't know what it + * should contain. For now, use an empty string. */ -+ SSL_add_application_settings(backend->handle, "h2", 2, "", 0); ++ SSL_add_application_settings(backend->handle, "h2", 2, NULL, 0); +#endif + ++ SSL_set_options(backend->handle, ++ SSL_OP_LEGACY_SERVER_CONNECT); ++ SSL_set_mode(backend->handle, ++ SSL_MODE_CBC_RECORD_SPLITTING | SSL_MODE_ENABLE_FALSE_START); ++ ++ /* curl-impersonate: Enable TLS extensions 5 - status_request and ++ * 18 - signed_certificate_timestamp. */ ++ SSL_enable_signed_cert_timestamps(backend->handle); ++ SSL_enable_ocsp_stapling(backend->handle); ++ ++ /* curl-impersonate: Some SSL settings copied over from Chrome. */ ++ SSL_set_shed_handshake_config(backend->handle, 1); ++ + /* curl-impersonate: Set the signature algorithms. + * (TLS extension 13). + * See net/socket/ssl_client_socket_impl.cc in Chromium's source. */
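Review bot: The `SSL_set_options` / `SSL_set_mode` pair added after the ALPS block is the only addition in this hunk without a `curl-impersonate:` comment, and it changes handshake behaviour for every connection rather than only the bytes of the Client Hello. `SSL_MODE_ENABLE_FALSE_START` lets the client send application data before the server's Finished message has been received, so it deserves a comment such as `/* curl-impersonate: match Chrome's SSL options/modes. False Start sends request data before the server Finished is checked. */`. The relocated `SSL_enable_signed_cert_timestamps` / `SSL_enable_ocsp_stapling` calls need a similar caveat: nothing visible here validates the stapled OCSP response or the SCTs, so their comment should state that the extensions are requested only to shape the extension list and add no revocation or Certificate Transparency checking by themselves. The enclosing function in lib/vtls/openssl.c starts and ends outside the hunk, so whether callers can opt out of these settings cannot be judged from here.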