Multiple Cert support ...

Filipe DA SILVA fdasilva at ingima.com
Tue Apr 14 17:11:17 UTC 2015


Hi,

>From: nginx-devel-bounces at nginx.org [nginx-devel-bounces at nginx.org] on behalf of Maxim Dounin ...
>Sent: Monday, 13 April 2015 13:46
>To: nginx-devel at nginx.org
>Subject: Re: Multiple Cert support ...
>
>Hello!
>
>On Thu, Apr 09, 2015 at 04:49:06PM +0000, Filipe DA SILVA wrote:
>> Hi Maxim.
>>
>> Thanks for the return.
>>
>> I bet you are talking about this API:
>> https://github.com/openssl/openssl/commit/0f78819c8ccb7c526edbe90d5b619281366ce75c
>
>Yes.
>
>> Should the compatibility with old OpenSSL versions before 1.0.2 remain ?
>
>For sure - we currently support OpenSSL 0.9.7 and newer.
>
>But we don't need to support multiple certs with versions before
>OpenSSL 1.0.2.  Just an appropriate error if user tries to
>configure this would be enough.
>
>(Just in case, there are two basic problems in older versions: 
> no way to specify a chain for each certificate, 

AFAIK, it's still not possible to separate them.
Internally, the code rebuilds a trust chain on each verification.
I saw it when I wrote and debugged a patch about client verification using a delegated CRL.

> and no way to find
>out the certificate used for a connection as needed for OCSP
>stapling).
 
This point was fixed by the commit mentioned previously.

>> A good solution would be to keep directly a list of OCSP_CERTID
>> in the stapling context.
>> Instead of keeping reference to cert/issuer certificates.
>
>I think we should attach stapling details to certificates.
>

Great idea! Using X509_set_ex_data/X509_get_ex_data greatly simplifies the code.

Work is in progress.

Regards,
Filipe da Silva


