boringssl.patch

diff --git a/export.sh b/export.sh
new file mode 100755
index 000000000..678d1ca41
--- /dev/null
+++ b/export.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+git diff d24a382 > boringssl.patch
+mv boringssl.patch ../curl-impersonate/chrome/patches/boringssl.patch
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index e500dd76e..e75bca26b 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1560,6 +1560,12 @@ OPENSSL_EXPORT int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx,
 // garbage inputs, unless an empty cipher list results.
 OPENSSL_EXPORT int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
 
+// curl-impersonate: set the extension order by given string
+OPENSSL_EXPORT int SSL_CTX_set_extension_order(SSL_CTX *ctx, char *order);
+
+// curl-impersonate
+OPENSSL_EXPORT int SSL_CTX_set_key_usage_check_enabled(SSL_CTX *ctx, int enabled);
+
 // SSL_set_strict_cipher_list configures the cipher list for |ssl|, evaluating
 // |str| as a cipher string and returning error if |str| contains anything
 // meaningless. It returns one on success and zero on failure.
@@ -4583,6 +4589,12 @@ OPENSSL_EXPORT void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled);
 // permute extensions. For now, this is only implemented for the ClientHello.
 OPENSSL_EXPORT void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled);
 
+// curl-impersonate
+OPENSSL_EXPORT int SSL_CTX_set_extension_order(SSL_CTX *ctx, char *order);
+
+// curl-impersonate
+OPENSSL_EXPORT int SSL_CTX_set_key_usage_check_enabled(SSL_CTX *ctx, int enabled);
+
 // SSL_set_permute_extensions configures whether sockets on |ssl| should
 // permute extensions. For now, this is only implemented for the ClientHello.
 OPENSSL_EXPORT void SSL_set_permute_extensions(SSL *ssl, int enabled);
diff --git a/ssl/extensions.cc b/ssl/extensions.cc
index b13400097..8b457b873 100644
--- a/ssl/extensions.cc
+++ b/ssl/extensions.cc
@@ -3313,6 +3313,7 @@ bool ssl_setup_extension_permutation(SSL_HANDSHAKE *hs) {
       !permutation.Init(kNumExtensions)) {
     return false;
   }
+  // By default, nothing is permuted.
   for (size_t i = 0; i < kNumExtensions; i++) {
     permutation[i] = i;
   }
@@ -3320,6 +3321,11 @@ bool ssl_setup_extension_permutation(SSL_HANDSHAKE *hs) {
     // Set element |i| to a randomly-selected element 0 <= j <= i.
     std::swap(permutation[i], permutation[seeds[i - 1] % (i + 1)]);
   }
+  // fprintf(stderr, "the permuated order is set to:");
+  // for (size_t i = 0; i < kNumExtensions; i++) {
+  //   fprintf(stderr, "%d, ", permutation[i]);
+  // }
+  // fprintf(stderr, "\n");
   hs->extension_permutation = std::move(permutation);
   return true;
 }
@@ -3337,6 +3343,50 @@ static const struct tls_extension *tls_extension_find(uint32_t *out_index,
   return NULL;
 }
 
+// curl-impersonate: set customized extension order
+//
+// Generate the extension_permutation array from a customized extension order string.
+//
+// The customized extension order string is a dash-separated list of extensions.
+//
+bool ssl_set_extension_order(SSL_HANDSHAKE *hs) {
+  if (hs->config->extension_order == nullptr) {
+    return true;
+  }
+  // fprintf(stderr, "order %s\n", hs->config->extension_order);
+  Array<uint8_t> order;
+  if (!order.Init(kNumExtensions)) {
+    return false;
+  }
+  // By default, nothing is reordered.
+  for (size_t i = 0; i < kNumExtensions; i++) {
+    order[i] = 255;
+  }
+  // split the order string, and put there order in the table
+  const char *delimiter = "-";
+  char *tmp = strdup(hs->config->extension_order);
+  char *ext = strtok(tmp, delimiter);
+  size_t idx = 0;
+  while (ext != nullptr) {
+    unsigned ext_index;
+    tls_extension_find(&ext_index, atoi(ext));
+    // fprintf(stderr, "found %d -> %d, ", atoi(ext), ext_index);
+    order[idx] = ext_index;
+    ext = strtok(NULL, delimiter);
+    idx++;
+  }
+  // fprintf(stderr, "\n");
+  // fprintf(stderr, "the order is set to:");
+  // for (size_t i = 0; i < kNumExtensions; i++) {
+  //   fprintf(stderr, "%d, ", order[i]);
+  // }
+  // fprintf(stderr, "\n");
+  free(tmp);
+
+  hs->extension_permutation = std::move(order);
+  return true;
+}
+
 static bool add_padding_extension(CBB *cbb, uint16_t ext, size_t len) {
   CBB child;
   if (!CBB_add_u16(cbb, ext) ||  //
@@ -3383,6 +3433,9 @@ static bool ssl_add_clienthello_tlsext_inner(SSL_HANDSHAKE *hs, CBB *out,
     size_t i = hs->extension_permutation.empty()
                    ? unpermuted
                    : hs->extension_permutation[unpermuted];
+    // fprintf(stderr, "extension %zu,", i);
+    // fprintf(stderr, "\n");
+    if (i == 255) { continue; } // curl-impersonate: skip non-exist extensions
     const size_t len_before = CBB_len(&extensions);
     const size_t len_compressed_before = CBB_len(compressed.get());
     if (!kExtensions[i].add_clienthello(hs, &extensions, compressed.get(),
@@ -3492,6 +3545,7 @@ bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, CBB *out_encoded,
     size_t i = hs->extension_permutation.empty()
                    ? unpermuted
                    : hs->extension_permutation[unpermuted];
+    if (i == 255) { continue; } // curl-impersonate: skip non-exist extensions
     const size_t len_before = CBB_len(&extensions);
     if (!kExtensions[i].add_clienthello(hs, &extensions, &extensions, type)) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index 971ebd0b1..effe5c920 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -215,14 +215,6 @@ static void ssl_get_client_disabled(const SSL_HANDSHAKE *hs,
   }
 }
 
-static bool ssl_add_tls13_cipher(CBB *cbb, uint16_t cipher_id,
-                                 ssl_compliance_policy_t policy) {
-  if (ssl_tls13_cipher_meets_policy(cipher_id, policy)) {
-    return CBB_add_u16(cbb, cipher_id);
-  }
-  return true;
-}
-
 static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
                                          ssl_client_hello_type_t type) {
   const SSL *const ssl = hs->ssl;
@@ -240,28 +232,7 @@ static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
     return false;
   }
 
-  // Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on
-  // hardware support.
-  if (hs->max_version >= TLS1_3_VERSION) {
-    const bool has_aes_hw = ssl->config->aes_hw_override
-                                ? ssl->config->aes_hw_override_value
-                                : EVP_has_aes_hardware();
-
-    if ((!has_aes_hw &&  //
-         !ssl_add_tls13_cipher(&child,
-                               TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
-                               ssl->config->tls13_cipher_policy)) ||
-        !ssl_add_tls13_cipher(&child, TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff,
-                              ssl->config->tls13_cipher_policy) ||
-        !ssl_add_tls13_cipher(&child, TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff,
-                              ssl->config->tls13_cipher_policy) ||
-        (has_aes_hw &&  //
-         !ssl_add_tls13_cipher(&child,
-                               TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
-                               ssl->config->tls13_cipher_policy))) {
-      return false;
-    }
-  }
+  // curl-impersonate: TLS 1.3 suites are added uniformly with other suites.
 
   if (hs->min_version < TLS1_3_VERSION && type != ssl_client_hello_inner) {
     bool any_enabled = false;
@@ -539,6 +510,7 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
 
   if (!ssl_setup_key_shares(hs, /*override_group_id=*/0) ||
       !ssl_setup_extension_permutation(hs) ||
+      !ssl_set_extension_order(hs) ||
       !ssl_encrypt_client_hello(hs, MakeConstSpan(ech_enc, ech_enc_len)) ||
       !ssl_add_client_hello(hs)) {
     return ssl_hs_error;
@@ -1402,7 +1374,8 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
     ssl_key_usage_t intended_use = (alg_k & SSL_kRSA)
                                        ? key_usage_encipherment
                                        : key_usage_digital_signature;
-    if (!ssl_cert_check_key_usage(&leaf_cbs, intended_use)) {
+    if (hs->config->key_usage_check_enabled &&
+        !ssl_cert_check_key_usage(&leaf_cbs, intended_use)) {
       if (hs->config->enforce_rsa_key_usage ||
           EVP_PKEY_id(hs->peer_pubkey.get()) != EVP_PKEY_RSA) {
         return ssl_hs_error;
diff --git a/ssl/internal.h b/ssl/internal.h
index c9facb699..a32e9b4ba 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -574,9 +574,14 @@ BSSL_NAMESPACE_BEGIN
 
 // Bits for |algorithm_mac| (symmetric authentication).
 #define SSL_SHA1 0x00000001u
+// curl-impersonate:
+// SSL_SHA256 and SSL_SHA384 were removed in
+// https://boringssl-review.googlesource.com/c/boringssl/+/27944/
+// but restored to impersonate browsers with older ciphers.
 #define SSL_SHA256 0x00000002u
+#define SSL_SHA384 0x00000004u
 // SSL_AEAD is set for all AEADs.
-#define SSL_AEAD 0x00000004u
+#define SSL_AEAD 0x00000008u
 
 // Bits for |algorithm_prf| (handshake digest).
 #define SSL_HANDSHAKE_MAC_DEFAULT 0x1
@@ -2161,6 +2166,12 @@ bssl::UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl,
 // for |hs|, if applicable. It returns true on success and false on error.
 bool ssl_setup_extension_permutation(SSL_HANDSHAKE *hs);
 
+// curl-impersonate
+bool ssl_set_extension_order(SSL_HANDSHAKE *hs);
+
+// curl-impersonate
+bool ssl_set_key_usage_check_enabled(SSL_HANDSHAKE *hs);
+
 // ssl_setup_key_shares computes client key shares and saves them in |hs|. It
 // returns true on success and false on failure. If |override_group_id| is zero,
 // it offers the default groups, including GREASE. If it is non-zero, it offers
@@ -3033,6 +3044,12 @@ struct SSL_CONFIG {
   // crypto
   UniquePtr<SSLCipherPreferenceList> cipher_list;
 
+  // curl-impersonate
+  char *extension_order = nullptr;
+
+  // curl-impersonate
+  int key_usage_check_enabled = 1;
+
   // This is used to hold the local certificate used (i.e. the server
   // certificate for a server or the client certificate for a client).
   UniquePtr<CERT> cert;
@@ -3490,6 +3507,12 @@ struct ssl_ctx_st {
 
   bssl::UniquePtr<bssl::SSLCipherPreferenceList> cipher_list;
 
+  // curl-impersonate
+  char *extension_order = nullptr;
+
+  // curl-impersonate
+  int key_usage_check_enabled = 1;
+
   X509_STORE *cert_store = nullptr;
   LHASH_OF(SSL_SESSION) *sessions = nullptr;
   // Most session-ids that will be cached, default is
diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc
index fd8cef95d..3d2c8ff6d 100644
--- a/ssl/ssl_cipher.cc
+++ b/ssl/ssl_cipher.cc
@@ -197,6 +197,37 @@ static constexpr SSL_CIPHER kCiphers[] = {
      SSL_HANDSHAKE_MAC_DEFAULT,
     },
 
+    // curl-impersonate: Ciphers 3C, 3D were removed in
+    // https://boringssl-review.googlesource.com/c/boringssl/+/27944/
+    // but restored here to impersonate browsers with older ciphers. They are
+    // not expected to actually work; but just to be included in the TLS
+    // Client Hello.
+
+    // TLS v1.2 ciphersuites
+
+    // Cipher 3C
+    {
+     TLS1_TXT_RSA_WITH_AES_128_SHA256,
+     "TLS_RSA_WITH_AES_128_CBC_SHA256",
+     TLS1_CK_RSA_WITH_AES_128_SHA256,
+     SSL_kRSA,
+     SSL_aRSA,
+     SSL_AES128,
+     SSL_SHA256,
+     SSL_HANDSHAKE_MAC_SHA256,
+    },
+    // Cipher 3D
+    {
+     TLS1_TXT_RSA_WITH_AES_256_SHA256,
+     "TLS_RSA_WITH_AES_256_CBC_SHA256",
+     TLS1_CK_RSA_WITH_AES_256_SHA256,
+     SSL_kRSA,
+     SSL_aRSA,
+     SSL_AES256,
+     SSL_SHA256,
+     SSL_HANDSHAKE_MAC_SHA256,
+    },
+
     // PSK cipher suites.
 
     // Cipher 8C
@@ -287,6 +318,23 @@ static constexpr SSL_CIPHER kCiphers[] = {
       SSL_HANDSHAKE_MAC_SHA256,
     },
 
+    // curl-impersonate: Cipher C008 was missing from BoringSSL,
+    // probably because it is weak. Add it back from OpenSSL (ssl/s3_lib.c)
+    // where it is called ECDHE-ECDSA-DES-CBC3-SHA.
+    // It's not supposed to really work but just appear in the TLS client hello.
+
+    // Cipher C008
+    {
+     "ECDHE-ECDSA-DES-CBC3-SHA",
+     "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+     0x0300C008,
+     SSL_kECDHE,
+     SSL_aECDSA,
+     SSL_3DES,
+     SSL_SHA1,
+     SSL_HANDSHAKE_MAC_DEFAULT,
+    },
+
     // Cipher C009
     {
      TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
@@ -311,6 +359,21 @@ static constexpr SSL_CIPHER kCiphers[] = {
      SSL_HANDSHAKE_MAC_DEFAULT,
     },
 
+    // curl-impersonate: Cipher C012 was missing from BoringSSL,
+    // probably because it is weak. Add it back from OpenSSL (ssl/s3_lib.c)
+    // where it is called ECDHE-RSA-DES-CBC3-SHA
+    // It's not supposed to really work but just appear in the TLS client hello.
+    {
+     "ECDHE-RSA-DES-CBC3-SHA",
+     "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+     0x0300C012,
+     SSL_kECDHE,
+     SSL_aRSA,
+     SSL_3DES,
+     SSL_SHA1,
+     SSL_HANDSHAKE_MAC_DEFAULT,
+    },
+
     // Cipher C013
     {
      TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
@@ -335,6 +398,36 @@ static constexpr SSL_CIPHER kCiphers[] = {
      SSL_HANDSHAKE_MAC_DEFAULT,
     },
 
+    // curl-impersonate: Ciphers C023, C024, C027, C028 were removed in
+    // https://boringssl-review.googlesource.com/c/boringssl/+/27944/
+    // but restored here to impersonate browsers with older ciphers. They are
+    // not expected to actually work; but just to be included in the TLS
+    // Client Hello.
+
+    // HMAC based TLS v1.2 ciphersuites from RFC5289
+
+    // Cipher C023
+    {
+     TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
+     "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
+     SSL_kECDHE,
+     SSL_aECDSA,
+     SSL_AES128,
+     SSL_SHA256,
+     SSL_HANDSHAKE_MAC_SHA256,
+    },
+    // Cipher C024
+    {
+     TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
+     "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
+     SSL_kECDHE,
+     SSL_aECDSA,
+     SSL_AES256,
+     SSL_SHA384,
+     SSL_HANDSHAKE_MAC_SHA384,
+    },
     // Cipher C027
     {
      TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
@@ -346,6 +439,17 @@ static constexpr SSL_CIPHER kCiphers[] = {
      SSL_SHA256,
      SSL_HANDSHAKE_MAC_SHA256,
     },
+    // Cipher C028
+    {
+     TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
+     "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+     TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
+     SSL_kECDHE,
+     SSL_aRSA,
+     SSL_AES256,
+     SSL_SHA384,
+     SSL_HANDSHAKE_MAC_SHA384,
+    },
 
     // GCM based TLS v1.2 ciphersuites from RFC 5289
 
@@ -467,16 +571,6 @@ Span<const SSL_CIPHER> AllCiphers() {
   return MakeConstSpan(kCiphers, OPENSSL_ARRAY_SIZE(kCiphers));
 }
 
-static constexpr size_t NumTLS13Ciphers() {
-  size_t num = 0;
-  for (const auto &cipher : kCiphers) {
-    if (cipher.algorithm_mkey == SSL_kGENERIC) {
-      num++;
-    }
-  }
-  return num;
-}
-
 #define CIPHER_ADD 1
 #define CIPHER_KILL 2
 #define CIPHER_DEL 3
@@ -554,6 +648,11 @@ static const CIPHER_ALIAS kCipherAliases[] = {
     // MAC aliases
     {"SHA1", ~0u, ~0u, ~0u, SSL_SHA1, 0},
     {"SHA", ~0u, ~0u, ~0u, SSL_SHA1, 0},
+    // curl-impersonate:
+    // Removed in https://boringssl-review.googlesource.com/c/boringssl/+/27944/
+    // but restored to impersonate browsers with older ciphers.
+    {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0},
+    {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0},
 
     // Legacy protocol minimum version aliases. "TLSv1" is intentionally the
     // same as "SSLv3".
@@ -1154,13 +1253,22 @@ bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list,
       TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 & 0xffff,
   };
   static const uint16_t kLegacyCiphers[] = {
+      TLS1_CK_RSA_WITH_AES_128_SHA256 & 0xffff,
+      TLS1_CK_RSA_WITH_AES_256_SHA256 & 0xffff,
+      0x0300C008 & 0xffff,
+      // TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA & 0xffff,
       TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA & 0xffff,
+      0x0300C012 & 0xffff,
+      // TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA & 0xffff,
       TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA & 0xffff,
       TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA & 0xffff,
       TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA & 0xffff,
       TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA & 0xffff,
       TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA & 0xffff,
+      TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256 & 0xffff,  // C023
+      TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384 & 0xffff,   // C024
       TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256 & 0xffff,
+      TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384 & 0xffff,  // C028
       TLS1_CK_RSA_WITH_AES_128_GCM_SHA256 & 0xffff,
       TLS1_CK_RSA_WITH_AES_256_GCM_SHA384 & 0xffff,
       TLS1_CK_RSA_WITH_AES_128_SHA & 0xffff,
@@ -1169,11 +1277,16 @@ bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list,
       TLS1_CK_PSK_WITH_AES_256_CBC_SHA & 0xffff,
       SSL3_CK_RSA_DES_192_CBC3_SHA & 0xffff,
   };
+  // curl-impersonate: add TLS 1.3 ciphers here for ordering
+  static const uint16_t kTLS13Ciphers[] = {
+      TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff,
+      TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff,
+      TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
+  };
 
   // Set up a linked list of ciphers.
-  CIPHER_ORDER co_list[OPENSSL_ARRAY_SIZE(kAESCiphers) +
-                       OPENSSL_ARRAY_SIZE(kChaChaCiphers) +
-                       OPENSSL_ARRAY_SIZE(kLegacyCiphers)];
+  CIPHER_ORDER co_list[OPENSSL_ARRAY_SIZE(kCiphers)];
+
   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(co_list); i++) {
     co_list[i].next =
         i + 1 < OPENSSL_ARRAY_SIZE(co_list) ? &co_list[i + 1] : nullptr;
@@ -1209,8 +1322,13 @@ bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list,
     co_list[num++].cipher = SSL_get_cipher_by_value(id);
     assert(co_list[num - 1].cipher != nullptr);
   }
+  // curl-impersonate: add TLS 1.3 ciphers here for ordering
+  for (uint16_t id: kTLS13Ciphers) {
+    co_list[num++].cipher = SSL_get_cipher_by_value(id);
+    assert(co_list[num - 1].cipher != nullptr);
+  }
   assert(num == OPENSSL_ARRAY_SIZE(co_list));
-  static_assert(OPENSSL_ARRAY_SIZE(co_list) + NumTLS13Ciphers() ==
+  static_assert(OPENSSL_ARRAY_SIZE(co_list) ==
                     OPENSSL_ARRAY_SIZE(kCiphers),
                 "Not all ciphers are included in the cipher order");
 
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 58b68e675..455ee4dd0 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -657,6 +657,8 @@ SSL *SSL_new(SSL_CTX *ctx) {
   ssl->config->retain_only_sha256_of_client_certs =
       ctx->retain_only_sha256_of_client_certs;
   ssl->config->permute_extensions = ctx->permute_extensions;
+  ssl->config->extension_order = ctx->extension_order;  // curl-impersonate
+  ssl->config->key_usage_check_enabled = ctx->key_usage_check_enabled;  // curl-impersonate
   ssl->config->aes_hw_override = ctx->aes_hw_override;
   ssl->config->aes_hw_override_value = ctx->aes_hw_override_value;
   ssl->config->tls13_cipher_policy = ctx->tls13_cipher_policy;
@@ -3015,6 +3017,17 @@ void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled) {
   ctx->permute_extensions = !!enabled;
 }
 
+// curl-impersonate: set extensions order
+int SSL_CTX_set_extension_order(SSL_CTX *ctx, char *order) {
+  ctx->extension_order = order;
+  return 0;
+}
+
+int SSL_CTX_set_key_usage_check_enabled(SSL_CTX *ctx, int enabled) {
+  ctx->key_usage_check_enabled = enabled;
+  return 0;
+}
+
 void SSL_set_permute_extensions(SSL *ssl, int enabled) {
   if (!ssl->config) {
     return;
diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc
index 57116cd6c..fa1652832 100644
--- a/ssl/ssl_privkey.cc
+++ b/ssl/ssl_privkey.cc
@@ -594,7 +594,7 @@ static bool sigalgs_unique(Span<const uint16_t> in_sigalgs) {
 
 static bool set_sigalg_prefs(Array<uint16_t> *out, Span<const uint16_t> prefs) {
   if (!sigalgs_unique(prefs)) {
-    return false;
+    // return false;
   }
 
   // Check for invalid algorithms, and filter out |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.