Multiple Cert support ...
Maxim Dounin
mdounin at mdounin.ru
Tue Apr 14 17:46:47 UTC 2015
Hello!
On Tue, Apr 14, 2015 at 05:11:17PM +0000, Filipe DA SILVA wrote:
[...]
> >But we don't need to support multiple certs with versions before
> >OpenSSL 1.0.2. Just an appropriate error if user tries to
> >configure this would be enough.
> >
> >(Just in case, there are two basic problems in older versions:
> > no way to specify a chain for each certificate,
>
> AFAIK, it's still not possible to separate them.
> Internally, the code is rebuilding a trust chain on each verification.
> Saw it when I wrote and debugged a patch about client-verification using delegated CRL.
The question isn't about trust chains used during client
certificate verification, but about chains sent to a client during
the SSL handshake. In OpenSSL 1.0.2 there is an extra chain for
each algorithm-specific certificate:
*) Enhance SSL/TLS certificate chain handling to support different
chains for each certificate instead of one chain in the parent SSL_CTX.
[Steve Henson]
*) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
this fixes a limitation in previous versions of OpenSSL.
[Steve Henson]
See these commits for details:
https://github.com/openssl/openssl/commit/f71c6e52f769af0d2d40ed7e1dcb4fff837837a0
https://github.com/openssl/openssl/commit/a4339ea3ba045b7da038148f0d48ce25f2996971
--
Maxim Dounin
http://nginx.org/
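As an added illustration, not part of this thread or of the patch under discussion: this is the configuration form the multiple-certificate feature later took in nginx (1.11.0 and newer, built against OpenSSL 1.0.2 or newer); paths and host name are assumed placeholders. Each chain file carries its own intermediates, because OpenSSL 1.0.2 keeps a separate chain per algorithm-specific certificate instead of one chain in the parent SSL_CTX.

```nginx
server {
    listen 443 ssl;
    server_name example.com;   # placeholder host

    # RSA certificate: leaf first, then its intermediates, in one file.
    # OpenSSL 1.0.2+ stores this chain together with the RSA certificate.
    ssl_certificate     /etc/nginx/ssl/rsa-chain.pem;
    ssl_certificate_key /etc/nginx/ssl/rsa.key;

    # ECDSA certificate with its own, separate chain. Before OpenSSL
    # 1.0.2 there was a single chain per SSL_CTX shared by every
    # certificate, so two distinct chains could not be kept apart.
    ssl_certificate     /etc/nginx/ssl/ecdsa-chain.pem;
    ssl_certificate_key /etc/nginx/ssl/ecdsa.key;
}
```

Which certificate and chain a client receives depends on the negotiated cipher suite, so each side can be checked on its own: `openssl s_client -connect example.com:443 -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -showcerts` forces the ECDSA certificate and prints the chain sent with it, and an RSA cipher does the same for the RSA side.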