Multiple Cert support ( Was: RE : [PATCH 1 of 6] SSL: refactoring of ngx_ssl_certificate method. )
mdounin at mdounin.ru
Mon Apr 13 11:46:11 UTC 2015
On Thu, Apr 09, 2015 at 04:49:06PM +0000, Filipe DA SILVA wrote:
> Hi Maxim.
> Thanks for the return.
> I bet you are talking about this API:
> Should the compatibility with old OpenSSL versions before 1.0.2 remain?
For sure - we currently support OpenSSL 0.9.7 and newer.
But we don't need to support multiple certs with versions before
OpenSSL 1.0.2. Just an appropriate error if a user tries to
configure this would be enough.
(Just in case, there are two basic problems in older versions: no
way to specify a chain for each certificate, and no way to find
out the certificate used for a connection as needed for OCSP
> A good solution would be to keep directly a list of OCSP_CERTID
> in the stapling context.
> Instead of keeping reference to cert/issuer certificates.
I think we should attach stapling details to certificates.