boringssl.patch

diff --git a/export.sh b/export.sh
new file mode 100755
index 000000000..7053c8cde
--- /dev/null
+++ b/export.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# From here: https://chromium.googlesource.com/chromium/src.git/+/refs/tags/131.0.6778.86/DEPS
+
+BASE_COMMIT=cd95210465496ac2337b313cf49f607762abe286
+
+git diff $BASE_COMMIT > boringssl.patch
+mv boringssl.patch ../curl-impersonate/chrome/patches/boringssl.patch
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 7f733ac93..f4db5e346 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1767,6 +1767,12 @@ OPENSSL_EXPORT int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx,
 // garbage inputs, unless an empty cipher list results.
 OPENSSL_EXPORT int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
 
+// curl-impersonate: set the extension order by given string
+OPENSSL_EXPORT int SSL_CTX_set_extension_order(SSL_CTX *ctx, char *order);
+
+// curl-impersonate
+OPENSSL_EXPORT int SSL_CTX_set_key_usage_check_enabled(SSL_CTX *ctx, int enabled);
+
 // SSL_set_strict_cipher_list configures the cipher list for |ssl|, evaluating
 // |str| as a cipher string and returning error if |str| contains anything
 // meaningless. It returns one on success and zero on failure.
@@ -4865,6 +4871,12 @@ OPENSSL_EXPORT void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled);
 // permute extensions. For now, this is only implemented for the ClientHello.
 OPENSSL_EXPORT void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled);
 
+// curl-impersonate
+OPENSSL_EXPORT int SSL_CTX_set_extension_order(SSL_CTX *ctx, char *order);
+
+// curl-impersonate
+OPENSSL_EXPORT int SSL_CTX_set_key_usage_check_enabled(SSL_CTX *ctx, int enabled);
+
 // SSL_set_permute_extensions configures whether sockets on |ssl| should
 // permute extensions. For now, this is only implemented for the ClientHello.
 OPENSSL_EXPORT void SSL_set_permute_extensions(SSL *ssl, int enabled);
diff --git a/ssl/extensions.cc b/ssl/extensions.cc
index c9424c98b..ee757ea72 100644
--- a/ssl/extensions.cc
+++ b/ssl/extensions.cc
@@ -3355,6 +3355,7 @@ bool ssl_setup_extension_permutation(SSL_HANDSHAKE *hs) {
       !permutation.Init(kNumExtensions)) {
     return false;
   }
+  // By default, nothing is permuted.
   for (size_t i = 0; i < kNumExtensions; i++) {
     permutation[i] = i;
   }
@@ -3362,6 +3363,11 @@ bool ssl_setup_extension_permutation(SSL_HANDSHAKE *hs) {
     // Set element |i| to a randomly-selected element 0 <= j <= i.
     std::swap(permutation[i], permutation[seeds[i - 1] % (i + 1)]);
   }
+  // fprintf(stderr, "the permuated order is set to:");
+  // for (size_t i = 0; i < kNumExtensions; i++) {
+  //   fprintf(stderr, "%d, ", permutation[i]);
+  // }
+  // fprintf(stderr, "\n");
   hs->extension_permutation = std::move(permutation);
   return true;
 }
@@ -3379,6 +3385,50 @@ static const struct tls_extension *tls_extension_find(uint32_t *out_index,
   return NULL;
 }
 
+// curl-impersonate: set customized extension order
+//
+// Generate the extension_permutation array from a customized extension order string.
+//
+// The customized extension order string is a dash-separated list of extensions.
+//
+bool ssl_set_extension_order(SSL_HANDSHAKE *hs) {
+  if (hs->config->extension_order == nullptr) {
+    return true;
+  }
+  // fprintf(stderr, "order %s\n", hs->config->extension_order);
+  Array<uint8_t> order;
+  if (!order.Init(kNumExtensions)) {
+    return false;
+  }
+  // By default, nothing is reordered.
+  for (size_t i = 0; i < kNumExtensions; i++) {
+    order[i] = 255;
+  }
+  // split the order string, and put there order in the table
+  const char *delimiter = "-";
+  char *tmp = strdup(hs->config->extension_order);
+  char *ext = strtok(tmp, delimiter);
+  size_t idx = 0;
+  while (ext != nullptr) {
+    unsigned ext_index;
+    tls_extension_find(&ext_index, atoi(ext));
+    // fprintf(stderr, "found %d -> %d, ", atoi(ext), ext_index);
+    order[idx] = ext_index;
+    ext = strtok(NULL, delimiter);
+    idx++;
+  }
+  // fprintf(stderr, "\n");
+  // fprintf(stderr, "the order is set to:");
+  // for (size_t i = 0; i < kNumExtensions; i++) {
+  //   fprintf(stderr, "%d, ", order[i]);
+  // }
+  // fprintf(stderr, "\n");
+  free(tmp);
+
+  hs->extension_permutation = std::move(order);
+  return true;
+}
+
 static bool add_padding_extension(CBB *cbb, uint16_t ext, size_t len) {
   CBB child;
   if (!CBB_add_u16(cbb, ext) ||  //
@@ -3425,6 +3475,9 @@ static bool ssl_add_clienthello_tlsext_inner(SSL_HANDSHAKE *hs, CBB *out,
     size_t i = hs->extension_permutation.empty()
                    ? unpermuted
                    : hs->extension_permutation[unpermuted];
+    // fprintf(stderr, "extension %zu,", i);
+    // fprintf(stderr, "\n");
+    if (i == 255) { continue; } // curl-impersonate: skip non-exist extensions
     const size_t len_before = CBB_len(&extensions);
     const size_t len_compressed_before = CBB_len(compressed.get());
     if (!kExtensions[i].add_clienthello(hs, &extensions, compressed.get(),
@@ -3534,6 +3587,7 @@ bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, CBB *out_encoded,
     size_t i = hs->extension_permutation.empty()
                    ? unpermuted
                    : hs->extension_permutation[unpermuted];
+    if (i == 255) { continue; } // curl-impersonate: skip non-exist extensions
     const size_t len_before = CBB_len(&extensions);
     if (!kExtensions[i].add_clienthello(hs, &extensions, &extensions, type)) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index f87e00002..daa805266 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -215,14 +215,6 @@ static void ssl_get_client_disabled(const SSL_HANDSHAKE *hs,
   }
 }
 
-static bool ssl_add_tls13_cipher(CBB *cbb, uint16_t cipher_id,
-                                 ssl_compliance_policy_t policy) {
-  if (ssl_tls13_cipher_meets_policy(cipher_id, policy)) {
-    return CBB_add_u16(cbb, cipher_id);
-  }
-  return true;
-}
-
 static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
                                          ssl_client_hello_type_t type) {
   const SSL *const ssl = hs->ssl;
@@ -240,41 +232,9 @@ static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
     return false;
   }
 
-  // Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on
-  // hardware support.
-  if (hs->max_version >= TLS1_3_VERSION) {
-    static const uint16_t kCiphersNoAESHardware[] = {
-        TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
-        TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff,
-        TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff,
-    };
-    static const uint16_t kCiphersAESHardware[] = {
-        TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff,
-        TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff,
-        TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
-    };
-    static const uint16_t kCiphersCNSA[] = {
-        TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff,
-        TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff,
-        TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
-    };
-
-    const bool has_aes_hw = ssl->config->aes_hw_override
-                                ? ssl->config->aes_hw_override_value
-                                : EVP_has_aes_hardware();
-    const bssl::Span<const uint16_t> ciphers =
-        ssl->config->tls13_cipher_policy == ssl_compliance_policy_cnsa_202407
-            ? bssl::Span<const uint16_t>(kCiphersCNSA)
-            : (has_aes_hw ? bssl::Span<const uint16_t>(kCiphersAESHardware)
-                          : bssl::Span<const uint16_t>(kCiphersNoAESHardware));
-
-    for (auto cipher : ciphers) {
-      if (!ssl_add_tls13_cipher(&child, cipher,
-                                ssl->config->tls13_cipher_policy)) {
-        return false;
-      }
-    }
-  }
+  // curl-impersonate: TLS 1.3 suites are added uniformly with other suites.
+  // TODO: in new versions, perhaps it's OK to keep the original code here.
+
 
   if (hs->min_version < TLS1_3_VERSION && type != ssl_client_hello_inner) {
     bool any_enabled = false;
@@ -326,8 +286,7 @@ bool ssl_write_client_hello_without_extensions(const SSL_HANDSHAKE *hs,
   }
 
   // Do not send a session ID on renegotiation.
-  if (!ssl->s3->initial_handshake_complete &&
-      !empty_session_id &&
+  if (!ssl->s3->initial_handshake_complete && !empty_session_id &&
       !CBB_add_bytes(&child, hs->session_id.data(), hs->session_id.size())) {
     return false;
   }
@@ -408,7 +367,7 @@ static bool parse_server_version(const SSL_HANDSHAKE *hs, uint16_t *out_version,
   }
 
   if (!CBS_get_u16(&supported_versions.data, out_version) ||
-       CBS_len(&supported_versions.data) != 0) {
+      CBS_len(&supported_versions.data) != 0) {
     *out_alert = SSL_AD_DECODE_ERROR;
     return false;
   }
@@ -555,8 +514,9 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
     hs->early_data_offered = true;
   }
 
+  // curl-impersonate: set extension orders
   if (!ssl_setup_key_shares(hs, /*override_group_id=*/0) ||
-      !ssl_setup_extension_permutation(hs) ||
+      !ssl_setup_extension_permutation(hs) || !ssl_set_extension_order(hs) ||
       !ssl_encrypt_client_hello(hs, MakeConstSpan(ech_enc, ech_enc_len)) ||
       !ssl_add_client_hello(hs)) {
     return ssl_hs_error;
@@ -583,7 +543,8 @@ static enum ssl_hs_wait_t do_enter_early_data(SSL_HANDSHAKE *hs) {
   return ssl_hs_ok;
 }
 
-static enum ssl_hs_wait_t do_early_reverify_server_certificate(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_early_reverify_server_certificate(
+    SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
   if (ssl->ctx->reverify_on_resume) {
     // Don't send an alert on error. The alert would be in the clear, which the
@@ -815,8 +776,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
   const SSL_CIPHER *cipher = SSL_get_cipher_by_value(server_hello.cipher_suite);
   uint32_t mask_a, mask_k;
   ssl_get_client_disabled(hs, &mask_a, &mask_k);
-  if (cipher == nullptr ||
-      (cipher->algorithm_mkey & mask_k) ||
+  if (cipher == nullptr || (cipher->algorithm_mkey & mask_k) ||
       (cipher->algorithm_auth & mask_a) ||
       SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
       SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) ||
@@ -1018,8 +978,7 @@ static enum ssl_hs_wait_t do_read_certificate_status(SSL_HANDSHAKE *hs) {
   if (!CBS_get_u8(&certificate_status, &status_type) ||
       status_type != TLSEXT_STATUSTYPE_ocsp ||
       !CBS_get_u24_length_prefixed(&certificate_status, &ocsp_response) ||
-      CBS_len(&ocsp_response) == 0 ||
-      CBS_len(&certificate_status) != 0) {
+      CBS_len(&ocsp_response) == 0 || CBS_len(&certificate_status) != 0) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
     return ssl_hs_error;
@@ -1480,7 +1439,9 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
     ssl_key_usage_t intended_use = (alg_k & SSL_kRSA)
                                        ? key_usage_encipherment
                                        : key_usage_digital_signature;
-    if (!ssl_cert_check_key_usage(&leaf_cbs, intended_use)) {
+    // curl-impersonate: optionally disable ssl key usage check
+    if (hs->config->key_usage_check_enabled &&
+        !ssl_cert_check_key_usage(&leaf_cbs, intended_use)) {
       if (hs->config->enforce_rsa_key_usage ||
           EVP_PKEY_id(hs->peer_pubkey.get()) != EVP_PKEY_RSA) {
         return ssl_hs_error;
@@ -1551,8 +1512,7 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
         !CBB_reserve(&enc_pms, &ptr, RSA_size(rsa)) ||
         !RSA_encrypt(rsa, &enc_pms_len, ptr, RSA_size(rsa), pms.data(),
                      pms.size(), RSA_PKCS1_PADDING) ||
-        !CBB_did_write(&enc_pms, enc_pms_len) ||
-        !CBB_flush(&body)) {
+        !CBB_did_write(&enc_pms, enc_pms_len) || !CBB_flush(&body)) {
       return ssl_hs_error;
     }
   } else if (alg_k & SSL_kECDHE) {
@@ -1665,8 +1625,7 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
       return ssl_hs_private_key_operation;
   }
 
-  if (!CBB_did_write(&child, sig_len) ||
-      !ssl_add_message_cbb(ssl, cbb.get())) {
+  if (!CBB_did_write(&child, sig_len) || !ssl_add_message_cbb(ssl, cbb.get())) {
     return ssl_hs_error;
   }
 
@@ -1735,8 +1694,7 @@ static bool can_false_start(const SSL_HANDSHAKE *hs) {
   // TLS 1.2 and TLS 1.3, but there are too many TLS 1.2 deployments to
   // sacrifice False Start on them. Instead, we rely on the ServerHello.random
   // downgrade signal, which we unconditionally enforce.
-  if (SSL_is_dtls(ssl) ||
-      SSL_version(ssl) != TLS1_2_VERSION ||
+  if (SSL_is_dtls(ssl) || SSL_version(ssl) != TLS1_2_VERSION ||
       hs->new_cipher->algorithm_mkey != SSL_kECDHE ||
       hs->new_cipher->algorithm_mac != SSL_AEAD) {
     return false;
diff --git a/ssl/internal.h b/ssl/internal.h
index 092b2987e..5ace601f6 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -807,9 +807,14 @@ BSSL_NAMESPACE_BEGIN
 
 // Bits for |algorithm_mac| (symmetric authentication).
 #define SSL_SHA1 0x00000001u
+// curl-impersonate:
+// SSL_SHA256 and SSL_SHA384 were removed in
+// https://boringssl-review.googlesource.com/c/boringssl/+/27944/
+// but restored to impersonate browsers with older ciphers.
 #define SSL_SHA256 0x00000002u
+#define SSL_SHA384 0x00000004u
 // SSL_AEAD is set for all AEADs.
-#define SSL_AEAD 0x00000004u
+#define SSL_AEAD 0x00000008u
 
 // Bits for |algorithm_prf| (handshake digest).
 #define SSL_HANDSHAKE_MAC_DEFAULT 0x1
@@ -2514,6 +2519,12 @@ bssl::UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl,
 // for |hs|, if applicable. It returns true on success and false on error.
 bool ssl_setup_extension_permutation(SSL_HANDSHAKE *hs);
 
+// curl-impersonate
+bool ssl_set_extension_order(SSL_HANDSHAKE *hs);
+
+// curl-impersonate
+bool ssl_set_key_usage_check_enabled(SSL_HANDSHAKE *hs);
+
 // ssl_setup_key_shares computes client key shares and saves them in |hs|. It
 // returns true on success and false on failure. If |override_group_id| is zero,
 // it offers the default groups, including GREASE. If it is non-zero, it offers
@@ -3382,6 +3393,12 @@ struct SSL_CONFIG {
   // crypto
   UniquePtr<SSLCipherPreferenceList> cipher_list;
 
+  // curl-impersonate
+  char *extension_order = nullptr;
+
+  // curl-impersonate
+  int key_usage_check_enabled = 1;
+
   // This is used to hold the local certificate used (i.e. the server
   // certificate for a server or the client certificate for a client).
   UniquePtr<CERT> cert;
@@ -3856,6 +3873,12 @@ struct ssl_ctx_st : public bssl::RefCounted<ssl_ctx_st> {
 
   bssl::UniquePtr<bssl::SSLCipherPreferenceList> cipher_list;
 
+  // curl-impersonate
+  char *extension_order = nullptr;
+
+  // curl-impersonate
+  int key_usage_check_enabled = 1;
+
   X509_STORE *cert_store = nullptr;
   LHASH_OF(SSL_SESSION) *sessions = nullptr;
   // Most session-ids that will be cached, default is
diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc
index 97e69ff90..dc3ca1526 100644
--- a/ssl/ssl_cipher.cc
+++ b/ssl/ssl_cipher.cc
@@ -197,6 +197,37 @@ static constexpr SSL_CIPHER kCiphers[] = {
      SSL_HANDSHAKE_MAC_DEFAULT,
     },
 
+    // curl-impersonate: Ciphers 3C, 3D were removed in
+    // https://boringssl-review.googlesource.com/c/boringssl/+/27944/
+    // but restored here to impersonate browsers with older ciphers. They are
+    // not expected to actually work; but just to be included in the TLS
+    // Client Hello.
+
+    // TLS v1.2 ciphersuites
+
+    // Cipher 3C
+    {
+     TLS1_TXT_RSA_WITH_AES_128_SHA256,
+     "TLS_RSA_WITH_AES_128_CBC_SHA256",
+     TLS1_CK_RSA_WITH_AES_128_SHA256,
+     SSL_kRSA,
+     SSL_aRSA_SIGN,
+     SSL_AES128,
+     SSL_SHA256,
+     SSL_HANDSHAKE_MAC_SHA256,
+    },
+    // Cipher 3D
+    {
+     TLS1_TXT_RSA_WITH_AES_256_SHA256,
+     "TLS_RSA_WITH_AES_256_CBC_SHA256",
+     TLS1_CK_RSA_WITH_AES_256_SHA256,
+     SSL_kRSA,
+     SSL_aRSA_SIGN,
+     SSL_AES256,
+     SSL_SHA256,
+     SSL_HANDSHAKE_MAC_SHA256,
+    },
+
     // PSK cipher suites.
 
     // Cipher 8C
@@ -287,6 +318,23 @@ static constexpr SSL_CIPHER kCiphers[] = {
       SSL_HANDSHAKE_MAC_SHA256,
     },
 
+    // curl-impersonate: Cipher C008 was missing from BoringSSL,
+    // probably because it is weak. Add it back from OpenSSL (ssl/s3_lib.c)
+    // where it is called ECDHE-ECDSA-DES-CBC3-SHA.
+    // It's not supposed to really work but just appear in the TLS client hello.
+
+    // Cipher C008
+    {
+     "ECDHE-ECDSA-DES-CBC3-SHA",
+     "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+     0x0300C008,
+     SSL_kECDHE,
+     SSL_aECDSA,
+     SSL_3DES,
+     SSL_SHA1,
+     SSL_HANDSHAKE_MAC_DEFAULT,
+    },
+
     // Cipher C009
     {
      TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
@@ -311,6 +359,21 @@ static constexpr SSL_CIPHER kCiphers[] = {
      SSL_HANDSHAKE_MAC_DEFAULT,
     },
 
+    // curl-impersonate: Cipher C012 was missing from BoringSSL,
+    // probably because it is weak. Add it back from OpenSSL (ssl/s3_lib.c)
+    // where it is called ECDHE-RSA-DES-CBC3-SHA
+    // It's not supposed to really work but just appear in the TLS client hello.
+    {
+     "ECDHE-RSA-DES-CBC3-SHA",
+     "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+     0x0300C012,
+     SSL_kECDHE,
+     SSL_aRSA_SIGN,
+     SSL_3DES,
+     SSL_SHA1,
+     SSL_HANDSHAKE_MAC_DEFAULT,
+    },
+
     // Cipher C013
     {
      TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
@@ -335,6 +398,36 @@ static constexpr SSL_CIPHER kCiphers[] = {
      SSL_HANDSHAKE_MAC_DEFAULT,
     },
 
+    // curl-impersonate: Ciphers C023, C024, C027, C028 were removed in
+    // https://boringssl-review.googlesource.com/c/boringssl/+/27944/
+    // but restored here to impersonate browsers with older ciphers. They are
+    // not expected to actually work; but just to be included in the TLS
+    // Client Hello.
+
+    // HMAC based TLS v1.2 ciphersuites from RFC5289
+
+    // Cipher C023
+    {
+     TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
+     "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
+     SSL_kECDHE,
+     SSL_aECDSA,
+     SSL_AES128,
+     SSL_SHA256,
+     SSL_HANDSHAKE_MAC_SHA256,
+    },
+    // Cipher C024
+    {
+     TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
+     "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
+     SSL_kECDHE,
+     SSL_aECDSA,
+     SSL_AES256,
+     SSL_SHA384,
+     SSL_HANDSHAKE_MAC_SHA384,
+    },
     // Cipher C027
     {
      TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
@@ -346,6 +439,17 @@ static constexpr SSL_CIPHER kCiphers[] = {
      SSL_SHA256,
      SSL_HANDSHAKE_MAC_SHA256,
     },
+    // Cipher C028
+    {
+     TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
+     "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+     TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
+     SSL_kECDHE,
+     SSL_aRSA_SIGN,
+     SSL_AES256,
+     SSL_SHA384,
+     SSL_HANDSHAKE_MAC_SHA384,
+    },
 
     // GCM based TLS v1.2 ciphersuites from RFC 5289
 
@@ -467,16 +571,6 @@ Span<const SSL_CIPHER> AllCiphers() {
   return MakeConstSpan(kCiphers, OPENSSL_ARRAY_SIZE(kCiphers));
 }
 
-static constexpr size_t NumTLS13Ciphers() {
-  size_t num = 0;
-  for (const auto &cipher : kCiphers) {
-    if (cipher.algorithm_mkey == SSL_kGENERIC) {
-      num++;
-    }
-  }
-  return num;
-}
-
 #define CIPHER_ADD 1
 #define CIPHER_KILL 2
 #define CIPHER_DEL 3
@@ -554,6 +648,11 @@ static const CIPHER_ALIAS kCipherAliases[] = {
     // MAC aliases
     {"SHA1", ~0u, ~0u, ~0u, SSL_SHA1, 0},
     {"SHA", ~0u, ~0u, ~0u, SSL_SHA1, 0},
+    // curl-impersonate:
+    // Removed in https://boringssl-review.googlesource.com/c/boringssl/+/27944/
+    // but restored to impersonate browsers with older ciphers.
+    {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0},
+    {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0},
 
     // Legacy protocol minimum version aliases. "TLSv1" is intentionally the
     // same as "SSLv3".
@@ -1147,13 +1246,22 @@ bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list,
       TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 & 0xffff,
   };
   static const uint16_t kLegacyCiphers[] = {
+      TLS1_CK_RSA_WITH_AES_128_SHA256 & 0xffff,
+      TLS1_CK_RSA_WITH_AES_256_SHA256 & 0xffff,
+      0x0300C008 & 0xffff,
+      // TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA & 0xffff,
       TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA & 0xffff,
+      0x0300C012 & 0xffff,
+      // TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA & 0xffff,
       TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA & 0xffff,
       TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA & 0xffff,
       TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA & 0xffff,
       TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA & 0xffff,
       TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA & 0xffff,
+      TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256 & 0xffff,  // C023
+      TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384 & 0xffff,   // C024
       TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256 & 0xffff,
+      TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384 & 0xffff,  // C028
       TLS1_CK_RSA_WITH_AES_128_GCM_SHA256 & 0xffff,
       TLS1_CK_RSA_WITH_AES_256_GCM_SHA384 & 0xffff,
       TLS1_CK_RSA_WITH_AES_128_SHA & 0xffff,
@@ -1162,11 +1270,16 @@ bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list,
       TLS1_CK_PSK_WITH_AES_256_CBC_SHA & 0xffff,
       SSL3_CK_RSA_DES_192_CBC3_SHA & 0xffff,
   };
+  // curl-impersonate: add TLS 1.3 ciphers here for ordering
+  static const uint16_t kTLS13Ciphers[] = {
+      TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff,
+      TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff,
+      TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
+  };
 
   // Set up a linked list of ciphers.
-  CIPHER_ORDER co_list[OPENSSL_ARRAY_SIZE(kAESCiphers) +
-                       OPENSSL_ARRAY_SIZE(kChaChaCiphers) +
-                       OPENSSL_ARRAY_SIZE(kLegacyCiphers)];
+  CIPHER_ORDER co_list[OPENSSL_ARRAY_SIZE(kCiphers)];
+
   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(co_list); i++) {
     co_list[i].next =
         i + 1 < OPENSSL_ARRAY_SIZE(co_list) ? &co_list[i + 1] : nullptr;
@@ -1202,8 +1315,13 @@ bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list,
     co_list[num++].cipher = SSL_get_cipher_by_value(id);
     assert(co_list[num - 1].cipher != nullptr);
   }
+  // curl-impersonate: add TLS 1.3 ciphers here for ordering
+  for (uint16_t id: kTLS13Ciphers) {
+    co_list[num++].cipher = SSL_get_cipher_by_value(id);
+    assert(co_list[num - 1].cipher != nullptr);
+  }
   assert(num == OPENSSL_ARRAY_SIZE(co_list));
-  static_assert(OPENSSL_ARRAY_SIZE(co_list) + NumTLS13Ciphers() ==
+  static_assert(OPENSSL_ARRAY_SIZE(co_list) ==
                     OPENSSL_ARRAY_SIZE(kCiphers),
                 "Not all ciphers are included in the cipher order");
 
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index f0b3872e9..e7e23a14d 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -658,6 +658,8 @@ SSL *SSL_new(SSL_CTX *ctx) {
   ssl->config->retain_only_sha256_of_client_certs =
       ctx->retain_only_sha256_of_client_certs;
   ssl->config->permute_extensions = ctx->permute_extensions;
+  ssl->config->extension_order = ctx->extension_order;  // curl-impersonate
+  ssl->config->key_usage_check_enabled = ctx->key_usage_check_enabled;  // curl-impersonate
   ssl->config->aes_hw_override = ctx->aes_hw_override;
   ssl->config->aes_hw_override_value = ctx->aes_hw_override_value;
   ssl->config->tls13_cipher_policy = ctx->tls13_cipher_policy;
@@ -3029,6 +3031,17 @@ void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled) {
   ctx->permute_extensions = !!enabled;
 }
 
+// curl-impersonate: set extensions order
+int SSL_CTX_set_extension_order(SSL_CTX *ctx, char *order) {
+  ctx->extension_order = order;
+  return 0;
+}
+
+int SSL_CTX_set_key_usage_check_enabled(SSL_CTX *ctx, int enabled) {
+  ctx->key_usage_check_enabled = enabled;
+  return 0;
+}
+
 void SSL_set_permute_extensions(SSL *ssl, int enabled) {
   if (!ssl->config) {
     return;
diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc
index 76ba0849d..819cc53ba 100644
--- a/ssl/ssl_privkey.cc
+++ b/ssl/ssl_privkey.cc
@@ -598,7 +598,7 @@ static bool sigalgs_unique(Span<const uint16_t> in_sigalgs) {
 
 static bool set_sigalg_prefs(Array<uint16_t> *out, Span<const uint16_t> prefs) {
   if (!sigalgs_unique(prefs)) {
-    return false;
+    // return false;
   }
 
   // Check for invalid algorithms, and filter out |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.