I think we can add a new section called 'ssl'

四弦 odyssey471 at gmail.com
Mon Jun 6 01:08:08 UTC 2016

When the nginx-1.11.0 released,'ssl_certficate' and 'ssl_certificate_key'
options can be use several times to load different kinds of
certificates.But,if you use the module 'nginx-ct' to enable 'Certificate
Transperancy' policy(the module allow you to submit your certificate to
'Certificate Transperancy Logs' server and get the 'SCT' which can be used
to sent to browser to enable 'Certificate Transperancy'.And it added two
options:'ssl_ct on/off;' and 'ssl_ct_static_scts
/path/to/sct/directory;')So,if you use ECDSA and RSA dual-certificates,you
can only put SCT of each other in a directory.In chrome 50,you will see '1
vaild SCT,1 invaild SCT',and in some lower version chrome,you click the
'Lock' on the left of the address bar,it will display a red 'Lock' with a
'×' in the pop-up menu,although the text beside is 'The server provides a
valid certificate, and provide a valid Certificate Transperancy
And it also says:'Your connection is not private connection.'

So,why don't we add a section called 'ssl'?It can allow us to have some
different settings according to the type of certificates.Likes follow:

ssl_certificate ...;

ssl_certificate_key ...;

ssl_ct on;

ssl_ct_static_sct /path/to/ecc/sct;


ssl_certificate ...;
ssl_certificate_key ...;
ssl_ct on;
ssl_ct_static_sct /path/to/rsa/sct;

How do you think of my advice?
Thank you.
P.S:My mother tongue is not English,so if there are some grammar errors in
my e-mail,please forgive,thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20160606/103fa45a/attachment.html>

More information about the nginx mailing list