[PATCH] RSA+DSA+ECC bundles

Piotr Sikora piotr at cloudflare.com
Wed Oct 23 21:48:38 UTC 2013


Hey,

> Just drop the backwards-compatibility and require OpenSSL 1.0.2 or
> later for that feature, just like a particular version of OpenSSL is
> needed for TLS-SNI.

I kind of agree with that.

While OpenSSL-1.0.2 is still unreleased, it seems that all options for
existing releases are a bit hacky, to say the least... The trusted
certificate store sounds like the only way to do it right now, but it
effectively makes SSL client verification useless and creates a
security issue.

What do you think, Maxim?

Best regards,
Piotr Sikora


