Multiple certificate support revisited

[Brandon Black]

On Tue, Aug 18, 2015 at 2:31 PM, Brandon Black <bblack at wikimedia.org> wrote:
> Hi all,
>
> The Wikimedia Foundation has been running nginx-1.9.3 patched for
> multi-certificate support for all production TLS traffic for a few
> weeks now without incident, for all inbound requests to Wikipedia and
> other associated projects of the Foundation.

[... http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007225.html
for full text]

Bump!

We're still running these patches for all Wikimedia sites (including
Wikipedia) to serve dual ECDSA+RSA certificates.  There was some
feedback from some of the original author(s) privately back at the
time of my last post on this in Aug 2015, but no real progress on
making newer/better patches and no upstream feedback from nginx.org
AFAIK so far.

We had stalled out on nginx version updates at Wikimedia for a while.
We stalled at 1.9.4 for months due to the SPDY-v-HTTP2 switch and
real-world client support stats, etc.  Eventually the stats on the
switch got better as we approached the May 15 Chrome SPDY cutoff (
https://phabricator.wikimedia.org/T96848#2251633 ).  On May 4th, we
made the switch to nginx-1.10.0 with HTTP/2 support in place of SPDY,
and thus we've now also published updated dual-cert patches.

So for anyone who's still pulling in these patches manually, the
correct diffs against 1.10.0 are now available as the 100x series at:
https://github.com/wikimedia/operations-software-nginx/tree/wmf-1.10.0-1/debian/patches
.

These patches have been working fine for us functionally on a very
large traffic site with a very broad mix of client UAs, with external
OCSP Stapling files, for several months.  I'd still like to get a
conversation going on how we can get this support merged into upstream
nginx, perhaps during 1.11.x?  What is this patch series missing in
terms of feature support, code quality, etc, to get into a mergeable
state?

Thanks,
-- Brandon Black
Sr Operations Engineer
Wikimedia Foundation