[PATCH] RSA+DSA+ECC bundles
Piotr Sikora
piotr at cloudflare.com
Wed Oct 23 21:48:38 UTC 2013
Hey,
> Just drop the backwards-compatibility and require OpenSSL 1.0.2 or
> later for that feature, just like a particular version of OpenSSL is
> needed for TLS-SNI.
I kind of agree with that.
While OpenSSL-1.0.2 is still unreleased, it seems that all options for
existing releases are a bit hacky, to say the least... The trusted
certificate store sounds like the only way to do it right now, but it
effectively makes SSL client verification useless and creates a
security issue.
What do you think, Maxim?
Best regards,
Piotr Sikora