[PATCH] RSA+DSA+ECC bundles
Rob Stradling
rob.stradling at comodo.com
Thu Oct 31 21:58:01 UTC 2013
On 31/10/13 20:58, Rob Stradling wrote:
> On 24/10/13 01:26, Maxim Dounin wrote:
> <snip>
>> As for multiple certs per se, I don't think it should be limited
>> to recent OpenSSL versions only. As far as I can tell, current
>> versions of OpenSSL will work just fine (well, mostly) as long as
>> both ECDSA and RSA certs use the same certificate chain. I
>> believe at least some CAs issue ECDSA certs this way, and this
>> should work.
>>
>> Limiting support for multiple certs with separate certificate
>> chains to only recent OpenSSL versions seems reasonable for me,
>> but if Rob wants to try to make it work with older versions - I
>> don't really object. If it won't be too hacky it might be worth
>> supporting.
>
> Updated patch attached. This implements multiple certs and makes OCSP
> Stapling work correctly with them. It works with all of the active
> OpenSSL branches (including 0_9_8).

That patch caused problems with ssl_stapling_file. Fixed in the
attached V2 patch.

> I'm afraid it's a much larger patch than I anticipated it would be when
> I started working on it!
>
> Maxim, does this patch look commit-able?
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx_multiple_certs_and_stapling_V2.patch
Type: text/x-patch
Size: 56213 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20131031/e87886a1/attachment-0001.bin>