Multiple Cert support ...
Filipe DA SILVA
fdasilva at ingima.com
Tue Apr 14 17:11:17 UTC 2015
Hi,
>From: nginx-devel-bounces at nginx.org [nginx-devel-bounces at nginx.org] on behalf of Maxim Dounin ...
>Sent: Monday 13 April 2015 13:46
>To: nginx-devel at nginx.org
>Subject: Re: Multiple Cert support ...
>
>Hello!
>
>On Thu, Apr 09, 2015 at 04:49:06PM +0000, Filipe DA SILVA wrote:
>> Hi Maxim.
>>
>> Thanks for the return.
>>
>> I bet you are talking about this API:
>> https://github.com/openssl/openssl/commit/0f78819c8ccb7c526edbe90d5b619281366ce75c
>
>Yes.
>
>> Should the compatibility with old OpenSSL versions before 1.0.2 remain?
>
>For sure - we currently support OpenSSL 0.9.7 and newer.
>
>But we don't need to support multiple certs with versions before
>OpenSSL 1.0.2. Just an appropriate error if user tries to
>configure this would be enough.
>
>(Just in case, there are two basic problems in older versions:
> no way to specify a chain for each certificate,
AFAIK, it's still not possible to separate them.
Internally, the code is rebuilding a trust chain on each verification.
I saw this when I wrote and debugged a patch for client verification using a delegated CRL.
> and no way to find
>out the certificate used for a connection as needed for OCSP
>stapling).
This point was fixed by the commit mentioned previously.
>> A good solution would be to keep directly a list of OCSP_CERTID
>> in the stapling context.
>> Instead of keeping reference to cert/issuer certificates.
>
>I think we should attach stapling details to certificates.
>
Great idea! Using X509_set_ex_data/X509_get_ex_data greatly simplifies the code.
Work is in progress.
Regards,
Filipe da Silva