[PATCH] RSA+DSA+ECC bundles

Maxim Dounin mdounin at mdounin.ru
Fri Nov 1 10:46:17 UTC 2013


Hello!

On Thu, Oct 31, 2013 at 08:58:31PM +0000, Rob Stradling wrote:

> On 24/10/13 01:26, Maxim Dounin wrote:
> <snip>
> >As for multiple certs per se, I don't think it should be limited
> >to recent OpenSSL versions only.  As far as I can tell, current
> >versions of OpenSSL will work just fine (well, mostly) as long as
> >both ECDSA and RSA certs use the same certificate chain.  I
> >believe at least some CAs issue ECDSA certs this way, and this
> >should work.
> >
> >Limiting support for multiple certs with separate certificate
> >chains to only recent OpenSSL versions seems reasonable for me,
> >but if Rob wants to try to make it work with older versions - I
> >don't really object.  If it won't be too hacky it might be worth
> >supporting.
> 
> Updated patch attached.  This implements multiple certs and makes
> OCSP Stapling work correctly with them.  It works with all of the
> active OpenSSL branches (including 0_9_8).
> 
> I'm afraid it's a much larger patch than I anticipated it would be
> when I started working on it!
> 
> Maxim, does this patch look commit-able?

It looks like it needs to be broken down into a patch series to 
be at least reviewable.

I haven't looked into details yet, but I tend to dislike at least 
changing the ngx_ssl_certificate() function into a monster which 
configures everything.  Preserving a separate call to configure 
stapling would be much better.

Checks for extra certificate chains with unsupported OpenSSL 
versions look a bit too extensive.  I would think of just 
dropping them completely.

-- 
Maxim Dounin
http://nginx.org/en/donation.html


