On 31/10/13 20:58, Rob Stradling wrote:
On 24/10/13 01:26, Maxim Dounin wrote:
<snip>
> As for multiple certs per se, I don't think it should be limited
> to recent OpenSSL versions only. As far as I can tell, current
> versions of OpenSSL will work just fine (well, mostly) as long as
> both ECDSA and RSA certs use the same certificate chain. I
> believe at least some CAs issue ECDSA certs this way, and this
> should work.
>
> Limiting support for multiple certs with separate certificate
> chains to only recent OpenSSL versions seems reasonable for me,
> but if Rob wants to try to make it work with older versions - I
> don't really object. If it won't be too hacky it might be worth
> supporting.
Updated patch attached. This implements multiple certs and makes OCSP Stapling work correctly with them. It works with all of the active OpenSSL branches (including 0_9_8).
That patch caused problems with ssl_stapling_file. Fixed in the attached V2 patch.
I'm afraid it's a much larger patch than I anticipated it would be when I started working on it!
Maxim, does this patch look commit-able?