Support for ssl_certificate_dir ?

Kunal Pariani kpariani at zimbra.com
Mon Oct 13 21:17:04 UTC 2014


Thank you.

-Kunal

----- Original Message -----
From: "Maxim Dounin" <mdounin at mdounin.ru>
To: "nginx-devel" <nginx-devel at nginx.org>
Sent: Monday, October 13, 2014 1:17:26 PM
Subject: Re: Support for ssl_certificate_dir ?

Hello!

On Mon, Oct 13, 2014 at 12:41:20PM -0700, Kunal Pariani wrote:

> 444 on this one too ?
> 
> Thanks
> -Kunal
> 
> On Wed, Oct 8, 2014 at 2:31 PM, Kunal Pariani <kpariani at zimbra.com> wrote:
> 
> > Hello,
> > Currently nginx doesn't have the capability to define the directory
> > containing all the ssl certificates. This requires all the chained
> > certificates to be munched together in the right order in a single
> > file and specified using the ssl_certificate directive (
> > http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate).
> > Any plans of adding the option of having a 'ssl_certificate_dir' maybe
> > which would have the path where all the cert files reside ? Also the
> > ordering of the certs will be done by the proxy itself instead of being
> > done manually ?

Short answer: no plans.

Long answer:

The ssl_trusted_certificate directive can be used to specify a PEM 
file with certs to be loaded into a certificate store.  These 
certs will be used by OpenSSL to complete the certificate chain 
automatically.

This OpenSSL behaviour is believed to cause more harm than good 
though, because a) it can add unneeded certs to the chain in many 
cases, and b) the chain is built at runtime, and hence consumes 
CPU.

And there are no plans to add support of directories to 
ssl_trusted_certificate, as well as to other similar directives.

-- 
Maxim Dounin
http://nginx.org/
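
Since nginx will not order certificates itself, the file for ssl_certificate can be assembled once, ahead of time, leaf first and then each intermediate. The sketch below is an added example, not code from this thread or from nginx: the function names, the sample names, and the choice to leave out the self-signed root are assumptions. It matches issuer to subject by name only and does not verify signatures or validity.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(pem):
    """Return (issuer, subject) as raw DER bytes of one PEM certificate."""
    der = base64.b64decode("".join(pem.strip().splitlines()[1:-1]))
    _, p, _ = tlv(der, 0)                  # Certificate SEQUENCE
    _, p, _ = tlv(der, p)                  # tbsCertificate SEQUENCE
    tag, _, end = tlv(der, p)
    p = end if tag == 0xA0 else p          # skip the optional [0] version
    fields = []
    for _ in range(5):                     # serial, sigAlg, issuer, validity, subject
        end = tlv(der, p)[2]
        fields.append(der[p:end])
        p = end
    return fields[2], fields[4]

def build_chain(leaf_pem, pool_text):
    """Leaf first, then each issuer found in the pool; root and strays are left out."""
    by_subject = {names(c)[1]: c for c in PEM_RE.findall(pool_text)}
    chain, cur = [], leaf_pem.strip()
    while cur is not None and cur not in chain:
        issuer, subject = names(cur)
        if issuer == subject and chain:    # self-signed root: clients hold it already
            break
        chain.append(cur)
        cur = None if issuer == subject else by_subject.get(issuer)
    return "\n".join(chain) + "\n"

def fake_cert(issuer, subject):
    """Constructed sample: DER holding only the fields names() reads, not a real cert."""
    seq = lambda *parts, tag=0x30: bytes([tag, sum(map(len, parts))]) + b"".join(parts)
    tbs = seq(seq(b"\x02\x01\x02", tag=0xA0), b"\x02\x01\x01", seq(),
              seq(issuer.encode()), seq(), seq(subject.encode()))
    b64 = base64.encodebytes(seq(tbs, seq(), b"\x03\x01\x00")).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----"

LEAF = fake_cert("Example Intermediate CA", "www.example.test")
POOL = "\n".join(fake_cert(i, s) for i, s in [          # deliberately out of order
    ("Example Root CA", "Example Root CA"), ("Other Root", "Unrelated CA"),
    ("Example Root CA", "Example Intermediate CA")])
```

With real PEM files, pass the server certificate as `leaf_pem` and the concatenated contents of the certificate directory as `pool_text`, then write the returned text to the file named in ssl_certificate.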
