[PATCH] RSA+DSA+ECC bundles

Rob Stradling rob.stradling at comodo.com
Thu Oct 31 20:58:31 UTC 2013


On 24/10/13 01:26, Maxim Dounin wrote:
<snip>
> As for multiple certs per se, I don't think it should be limited
> to recent OpenSSL versions only.  As far as I can tell, current
> versions of OpenSSL will work just fine (well, mostly) as long as
> both ECDSA and RSA certs use the same certificate chain.  I
> believe at least some CAs issue ECDSA certs this way, and this
> should work.
>
> Limiting support for multiple certs with separate certificate
> chains to only recent OpenSSL versions seems reasonable for me,
> but if Rob wants to try to make it work with older versions - I
> don't really object.  If it won't be too hacky it might be worth
> supporting.

Updated patch attached.  This implements multiple certs and makes OCSP 
Stapling work correctly with them.  It works with all of the active 
OpenSSL branches (including 0_9_8).

I'm afraid it's a much larger patch than I anticipated it would be when 
I started working on it!

Maxim, does this patch look commit-able?

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx_multiple_certs_and_stapling.patch
Type: text/x-patch
Size: 56104 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20131031/0cc1c543/attachment-0001.bin>

