Multiple Cert support ...

Filipe DA SILVA fdasilva at
Tue Apr 14 17:11:17 UTC 2015


>From: nginx-devel-bounces at [nginx-devel-bounces at] on behalf of Maxim Dounin ... 
>Sent: Monday, April 13, 2015 13:46
>To: nginx-devel at
>Subject: Re: Multiple Cert support ...
>On Thu, Apr 09, 2015 at 04:49:06PM +0000, Filipe DA SILVA wrote:
>> Hi Maxim.
>> Thanks for the return.
>> I bet you are talking about this API:
>> Should the compatibility with old OpenSSL versions before 1.0.2 remain ?
>For sure - we currently support OpenSSL 0.9.7 and newer.
>But we don't need to support multiple certs with versions before
>OpenSSL 1.0.2.  Just an appropriate error if user tries to
>configure this would be enough.
>(Just in case, there are two basic problems in older versions: 
> no way to specify a chain for each certificate, 

AFAIK, it's still not possible to separate them.
Internally, the code is rebuilding a trust chain on each verification.
I saw it when I wrote and debugged a patch about client verification using a delegated CRL.

> and no way to find
>out the certificate used for a connection as needed for OCSP
This point was fixed by the commit mentioned previously.

>> A good solution would be to keep directly a list of OCSP_CERTID
>> in the stapling context.
>> Instead of keeping reference to cert/issuer certificates.
>I think we should attach stapling details to certificates.

Great idea! Using X509_set_ex_data/X509_get_ex_data greatly simplifies the code.

Work is in progress.

Filipe da Silva
