"A" Grade SSL/TLS with Nginx and StartSSL

Rob Stradling rob.stradling at comodo.com
Thu Oct 17 14:05:14 UTC 2013

On 15/10/13 23:00, Piotr Sikora wrote:
>> Because someone else might use DSA certificates.
> It's ECDSA, not DSA... And I'm yet to see a site that offers ECDSA
> instead of RSA certificate.

There are some sites that offer an ECDSA cert where possible, but 
fallback to an RSA cert when the client doesn't offer any ECDSA ciphers. 
  AFAIK, Apache httpd is the only major webserver that can currently be 
configured this way.
I expect to see this configuration become more common in the (near?) 
future, given that some commercial CAs are now actively selling ECDSA certs.

Nginx currently only allows one cert to be configured, and I too am yet 
to see a site that offers _only_ an ECDSA cert.  I expect this is due to 
the large proportion (I estimate ~20%) of clients that support RSA certs 
but not ECDSA certs.

I'd love to see the ECDSA cert + RSA cert feature implemented in Nginx 
too.  OpenSSL does most of the hard work already.  I've written a PoC 
patch, but I'll post it to a different thread.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the nginx mailing list