Multiple Cert support ( Was: RE : [PATCH 1 of 6] SSL: refactoring of ngx_ssl_certificate method. )

Maxim Dounin mdounin at
Mon Apr 13 11:46:11 UTC 2015


On Thu, Apr 09, 2015 at 04:49:06PM +0000, Filipe DA SILVA wrote:

> Hi Maxim.
> Thanks for the return.
> I bet you are talking about this API: 


> Should the compatibility with old OpenSSL versions before 1.0.2 remain?

For sure - we currently support OpenSSL 0.9.7 and newer.

But we don't need to support multiple certs with versions before 
OpenSSL 1.0.2.  Just an appropriate error if the user tries to 
configure this would be enough.

(Just in case, there are two basic problems in older versions: no 
way to specify a chain for each certificate, and no way to find 
out the certificate used for a connection as needed for OCSP 

> A good solution would be to keep directly a list of OCSP_CERTID 
> in the stapling context, 
> instead of keeping reference to cert/issuer certificates.

I think we should attach stapling details to certificates.

Maxim Dounin
