[PATCH] RSA+DSA+ECC bundles

Rob Stradling rob.stradling at comodo.com
Thu Oct 17 14:09:42 UTC 2013


On 06/02/13 17:24, Primoz Bratanic wrote:
> Hi,
>
> Apache supports specifying multiple certificates (different types) for the same
> host in line with OpenSSL support (RSA, DSA, ECC). This allows using ECC key
> exchange methods with clients that support it and it's backwards compatible.
> I wonder how much work it would be to add support for this to nginx. Is it
> just allowing specifying 2-3 certificates (and checking they have different
> key types) + adding support for returning the proper key chain, or are there any
> other obvious roadblocks (that are not obvious to me)?

Here's a first stab at a patch.  I hope this is a useful starting point 
for getting this feature added to Nginx.

To specify an RSA cert plus an ECC cert, use...
   ssl_certificate  my_rsa.crt my_ecc.crt;
   ssl_certificate_key  my_rsa.key my_ecc.key;
   ssl_prefer_server_ciphers  on;
Also, configure ssl_ciphers to prefer at least 1 ECDSA cipher and permit 
at least 1 RSA cipher.

I think DSA certs should work too, but I've not tested this.


Issues I'm aware of with this patch:

   - It doesn't check that each of the certs has a different key type 
(but perhaps it should).  If you specify multiple certs with the same 
algorithm, all but the last one will be ignored.

   - The certs and keys need to be specified in the correct order.  If 
you specify "my_rsa.crt my_ecc.crt" and "my_ecc.key my_rsa.key", Nginx 
will start but it won't be able to complete any SSL handshakes.  This 
could be improved.

   - It doesn't add the new feature to mail_ssl_module.  Perhaps it should.

   - The changes I made to ngx_conf_set_str_array_slot() work for me, 
but do they break anything?

   - An RSA cert and an ECC cert might well be issued by different CAs. 
On Apache httpd, you have to use SSLCACertificatePath to persuade 
OpenSSL to send different Intermediate certs for each one.
Nginx doesn't currently have an equivalent directive, and Maxim has 
previously said it's unlikely to be added [1].
I haven't researched this properly yet, but I think it might be possible 
to do "certificate path" in memory (i.e. without syscalls and disk 
access on each certificate check) using the OpenSSL X509_LOOKUP API.

   - I expect Maxim will have other comments.  :-)


[1] http://forum.nginx.org/read.php?2,229129,229151

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx_multiple_certs.patch
Type: text/x-patch
Size: 11873 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20131017/8c0b3a73/attachment.bin>
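The two ordering pitfalls listed above (a key that does not belong to the certificate at the same position, and two certificates sharing an algorithm so that all but the last are silently dropped) are exactly the checks the post says the patch does not yet perform. The following is an added example, written for this page and not code from the posted patch or from nginx: a stand-alone Go pre-flight check, using only the standard library, that takes the certificate list and key list in `ssl_certificate` / `ssl_certificate_key` order and rejects a bundle that nginx (with the patch as described) would either load with only one usable certificate or load without being able to complete a handshake. The self-signed RSA and ECC bundle it builds is constructed in memory for the demonstration; the names `CheckBundle`, `DemoBundle` and `keyAlg` are this example's own.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// keyAlg labels a public key's algorithm the way a multi-cert loader
// must, so that one certificate per algorithm can be selected.
func keyAlg(pub crypto.PublicKey) string {
	switch pub.(type) {
	case *rsa.PublicKey:
		return "RSA"
	case *ecdsa.PublicKey:
		return "ECC"
	default:
		return fmt.Sprintf("%T", pub)
	}
}

// CheckBundle pairs certificates and keys by position, as the patched
// directives do, and returns an error if the i-th key is not the private
// half of the i-th certificate or if two certificates share an algorithm.
func CheckBundle(certPEMs, keyPEMs [][]byte) error {
	if len(certPEMs) != len(keyPEMs) {
		return fmt.Errorf("%d certificates but %d keys", len(certPEMs), len(keyPEMs))
	}
	seen := map[string]int{}
	for i := range certPEMs {
		cb, _ := pem.Decode(certPEMs[i])
		if cb == nil || cb.Type != "CERTIFICATE" {
			return fmt.Errorf("entry %d: no PEM certificate", i)
		}
		cert, err := x509.ParseCertificate(cb.Bytes)
		if err != nil {
			return fmt.Errorf("entry %d: %v", i, err)
		}
		kb, _ := pem.Decode(keyPEMs[i])
		if kb == nil {
			return fmt.Errorf("entry %d: no PEM private key", i)
		}
		key, err := x509.ParsePKCS8PrivateKey(kb.Bytes)
		if err != nil {
			return fmt.Errorf("entry %d: %v", i, err)
		}
		signer, ok := key.(crypto.Signer)
		if !ok {
			return fmt.Errorf("entry %d: key type %T cannot sign", i, key)
		}
		// rsa.PublicKey and ecdsa.PublicKey both implement Equal; a
		// key of the wrong algorithm simply compares unequal.
		pub, ok := signer.Public().(interface{ Equal(crypto.PublicKey) bool })
		if !ok || !pub.Equal(cert.PublicKey) {
			return fmt.Errorf("entry %d: %s certificate does not match the %s key at the same position",
				i, keyAlg(cert.PublicKey), keyAlg(signer.Public()))
		}
		alg := keyAlg(cert.PublicKey)
		if j, dup := seen[alg]; dup {
			return fmt.Errorf("entries %d and %d are both %s; only the last would be used", j, i, alg)
		}
		seen[alg] = i
	}
	return nil
}

// selfSigned issues a throwaway self-signed certificate for key. This is
// constructed test material for the example, not a deployable certificate.
func selfSigned(cn string, key crypto.Signer) (certPEM, keyPEM []byte) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}

// DemoBundle builds the "my_rsa.crt my_ecc.crt" / "my_rsa.key my_ecc.key"
// pair from the post as in-memory PEM, in the correct order.
func DemoBundle() (certPEMs, keyPEMs [][]byte) {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rsaCert, rsaPEM := selfSigned("rsa.example", rsaKey)
	ecCert, ecPEM := selfSigned("ecc.example", ecKey)
	return [][]byte{rsaCert, ecCert}, [][]byte{rsaPEM, ecPEM}
}

func main() {
	certs, keys := DemoBundle()
	fmt.Println("correct order:", CheckBundle(certs, keys))
	fmt.Println("swapped keys: ", CheckBundle(certs, [][]byte{keys[1], keys[0]}))
	fmt.Println("two RSA certs:", CheckBundle([][]byte{certs[0], certs[0]}, [][]byte{keys[0], keys[0]}))
}
```

The same check could be run from a shell with `openssl x509 -pubkey` and `openssl pkey -pubout` and a byte-for-byte comparison per position; the point is to catch the swapped-key case before nginx starts, since the post notes that nginx will start cleanly and then fail every handshake.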
