Multiple certificate support revisited

F. DA SILVA fdasilvayy at
Sat May 14 22:20:36 UTC 2016

Hi, Brandon.

Shortened (by myself) answer from the nginx guys, which I received at the beginning of May:
"...(this) is work in process already, ... hope it will be finished in May." 


>> On 14 May 2016 at 17:22, Brandon Black <bblack at> wrote:
>> On Tue, Aug 18, 2015 at 2:31 PM, Brandon Black <bblack at> wrote:
>> Hi all,
>> The Wikimedia Foundation has been running nginx-1.9.3 patched for
>> multi-certificate support for all production TLS traffic for a few
>> weeks now without incident, for all inbound requests to Wikipedia and
>> other associated projects of the Foundation.
> [...
> for full text]
> Bump!
> We're still running these patches for all Wikimedia sites (including
> Wikipedia) to serve dual ECDSA+RSA certificates.  There was some
> feedback from some of the original author(s) privately back at the
> time of my last post on this in Aug 2015, but no real progress on
> making newer/better patches and no upstream feedback from
> AFAIK so far.
> We had stalled out on nginx version updates at Wikimedia for a while.
> We stalled at 1.9.4 for months due to the SPDY-v-HTTP2 switch and
> real-world client support stats, etc.  Eventually the stats on the
> switch got better as we approached the May 15 Chrome SPDY cutoff (
> ).  On May 4th, we
> made the switch to nginx-1.10.0 with HTTP/2 support in place of SPDY,
> and thus we've now also published updated dual-cert patches.
> So for anyone who's still pulling in these patches manually, the
> correct diffs against 1.10.0 are now available as the 100x series at:
> .
> These patches have been working fine for us functionally on a very
> large traffic site with a very broad mix of client UAs, with external
> OCSP Stapling files, for several months.  I'd still like to get a
> conversation going on how we can get this support merged into upstream
> nginx, perhaps during 1.11.x?  What is this patch series missing in
> terms of feature support, code quality, etc, to get into a mergeable
> state?
> Thanks,
> -- Brandon Black
> Sr Operations Engineer
> Wikimedia Foundation