[PATCH] RSA+DSA+ECC bundles
mdounin at mdounin.ru
Fri Nov 1 10:46:17 UTC 2013
On Thu, Oct 31, 2013 at 08:58:31PM +0000, Rob Stradling wrote:
> On 24/10/13 01:26, Maxim Dounin wrote:
> >As for multiple certs per se, I don't think it should be limited
> >to recent OpenSSL versions only. As far as I can tell, current
> >versions of OpenSSL will work just fine (well, mostly) as long as
> >both ECDSA and RSA certs use the same certificate chain. I
> >believe at least some CAs issue ECDSA certs this way, and this
> >should work.
> >Limiting support for multiple certs with separate certificate
> >chains to only recent OpenSSL versions seems reasonable for me,
> >but if Rob wants to try to make it work with older versions - I
> >don't really object. If it won't be too hacky it might worth
> Updated patch attached. This implements multiple certs and makes
> OCSP Stapling work correctly with them. It works with all of the
> active OpenSSL branches (including 0_9_8).
> I'm afraid it's a much larger patch than I anticipated it would be
> when I started working on it!
> Maxim, does this patch look commit-able?
It looks like it needs to be broken down into a patch series to
be at least reviewable.
I haven't looked into details yet, but I tend to dislike at least
changing the ngx_ssl_certificate() function into a monster which
configures everything. Preserving a separate call to configure
stapling would be much better.
Checks for extra certificate chains with unsupported OpenSSL
versions look a bit too extensive. I would think of just
dropping them completely.