Multiple Cert support (Was: RE: [PATCH 1 of 6] SSL: refactoring of ngx_ssl_certificate method.)

Maxim Dounin mdounin at mdounin.ru
Mon Apr 13 11:46:11 UTC 2015


Hello!

On Thu, Apr 09, 2015 at 04:49:06PM +0000, Filipe DA SILVA wrote:

> Hi Maxim.
> 
> Thanks for the return.
> 
> I bet you are talking about this API: 
> https://github.com/openssl/openssl/commit/0f78819c8ccb7c526edbe90d5b619281366ce75c

Yes.

> Should the compatibility with old OpenSSL versions before 1.0.2 remain?

For sure - we currently support OpenSSL 0.9.7 and newer.

But we don't need to support multiple certs with versions before 
OpenSSL 1.0.2.  Just an appropriate error if a user tries to 
configure this would be enough.

(Just in case, there are two basic problems in older versions: no 
way to specify a chain for each certificate, and no way to find 
out the certificate used for a connection as needed for OCSP 
stapling).

> A good solution would be to keep directly a list of OCSP_CERTID 
> in the stapling context.
> Instead of keeping reference to cert/issuer certificates.

I think we should attach stapling details to certificates.

-- 
Maxim Dounin
http://nginx.org/