[PATCH] RSA+DSA+ECC bundles

Piotr Sikora piotr at cloudflare.com
Thu Oct 17 22:00:56 UTC 2013


Hey,

> I would rather see ssl_certificates to be used this way, something
> like:
>
>     ssl_certificate      rsa.crt;
>     ssl_certificate_key  rsa.key;
>
>     ssl_certificate      ecc.crt;
>     ssl_certificate_key  ecc.key;

Yeah, I'm in favor of that syntax as well.

> AFAIR, OpenSSL is only able to store one certificate chain per
> SSL_CTX, which is the root cause of the problem.

That's solved in OpenSSL-1.0.2 (unreleased).

For now, the one thing we could do is to let OpenSSL build certificate
chains from the trusted certificates store... In order to do that, all
we need to do is to load only the first certificate in the file (i.e.
don't load intermediate certificates) in case there are multiple
certificates defined. This way, OpenSSL will try to build the
certificate chain automatically (unfortunately, it will do that on the
fly for each connection, so it's a noticeable overhead).

An optimized version of that could compare intermediates from all the
files and only do that in case they differ.

Best regards,
Piotr Sikora

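As an added illustration (not part of this thread or of nginx itself), the "compare intermediates" step sketched above in Python: each bundle is split into its first certificate (the leaf that would be loaded) and the remaining blocks (the intermediates), and the intermediate sets of all bundles are compared so that per-connection chain building is only needed when they differ. The PEM bodies are constructed placeholders, not real certificates, and the order-insensitive comparison is an assumption of this sketch.

```python
"""Split PEM bundles (e.g. rsa.crt / ecc.crt) into leaf + intermediates and
report whether the bundles share one intermediate chain."""
import hashlib
import re

# One PEM CERTIFICATE block; re.S lets the body span several lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_bundle(pem_text):
    """Return (leaf_body, [intermediate_bodies]) in file order, whitespace stripped."""
    bodies = ["".join(m.split()) for m in PEM_RE.findall(pem_text)]
    if not bodies:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    return bodies[0], bodies[1:]


def chain_fingerprint(intermediates):
    """Order-insensitive digest of an intermediate set (assumption: order ignored,
    since the certs would end up in one shared trust store anyway)."""
    h = hashlib.sha256()
    for body in sorted(intermediates):
        h.update(hashlib.sha256(body.encode()).digest())
    return h.hexdigest()


def plan_loading(bundles):
    """bundles: {filename: pem_text}. Decide whether intermediates can be loaded
    once for all bundles or differ per bundle."""
    parsed = {name: split_bundle(text) for name, text in bundles.items()}
    fps = {name: chain_fingerprint(inter) for name, (_, inter) in parsed.items()}
    return {
        "leaves": {name: leaf for name, (leaf, _) in parsed.items()},
        "fingerprints": fps,
        "shared_intermediates": len(set(fps.values())) == 1,
    }


def pem_block(body):
    """Wrap a (constructed, non-real) base64 body in PEM armour."""
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample bundles: same two intermediates, listed in different order.
INTER_A = "MIIBconstructedIntermediateA"
INTER_B = "MIIBconstructedIntermediateB"
SAMPLE_BUNDLES = {
    "rsa.crt": pem_block("MIIBconstructedLeafRSA") + pem_block(INTER_A) + pem_block(INTER_B),
    "ecc.crt": pem_block("MIIBconstructedLeafECC") + pem_block(INTER_B) + pem_block(INTER_A),
}
```

Running `plan_loading(SAMPLE_BUNDLES)` reports `shared_intermediates` as true for the sample; swapping one bundle's intermediates for a different set flips it to false.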