Multiple certificate support revisited

Albert Casademont albertcasademont at gmail.com
Mon Aug 31 10:00:31 UTC 2015


Would be great to have this in the next nginx release, thanks Brandon!

On Tue, Aug 18, 2015 at 4:31 PM, Brandon Black <bblack at wikimedia.org> wrote:

> Hi all,
>
> The Wikimedia Foundation has been running nginx-1.9.3 patched for
> multi-certificate support for all production TLS traffic for a few
> weeks now without incident, for all inbound requests to Wikipedia and
> other associated projects of the Foundation.
>
> We initially used the older March variant of Filipe's patches (
> http://mailman.nginx.org/pipermail/nginx-devel/2015-March/006734.html
> ), and last week we switched to using the April 27 variant (
> http://mailman.nginx.org/pipermail/nginx-devel/2015-April/006863.html
> ), which is the last known public variant I'm aware of.
>
> These were in turn based on kyprizel's patch (
> http://mailman.nginx.org/pipermail/nginx-devel/2015-March/006668.html
> ), which was based on Rob's patch from nearly two years ago (
> http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004376.html
> ).  It has a long and colorful history at this point :)
>
> We've forward-ported Filipe's Apr 27 variant onto Debian's 1.9.3-1
> package.  Most of the porting was trivial (offsets / whitespace /
> etc).  There were a couple of slightly more substantial issues around
> the newer OCSP Stapling valid-timestamp checking, and the porting of
> the general multi-cert work to the newer stream modules.  The
> ported/updated variant of the patches we're running is available here
> in our repo:
>
>
> https://github.com/wikimedia/operations-software-nginx/blob/wmf-1.9.3-1/debian/patches/
>
> Our configuration uses a pair of otherwise-identical RSA and ECDSA
> keys and an external OCSP ssl_stapling_file (certs are from
> GlobalSign, chain/OCSP info is identical in the pair).  Our typical
> relevant config fragment in the server section looks like this:
>
> ------------
> ssl_certificate /etc/ssl/localcerts/ecc-uni.wikimedia.org.chained.crt;
> ssl_certificate_key /etc/ssl/private/ecc-uni.wikimedia.org.key;
> ssl_certificate /etc/ssl/localcerts/uni.wikimedia.org.chained.crt;
> ssl_certificate_key /etc/ssl/private/uni.wikimedia.org.key;
> ssl_stapling on;
> ssl_stapling_file /var/cache/ocsp/unified.ocsp;
> -------------
>
> Obviously, we'd rather get this work (or something similar) upstreamed
> so that we don't have to maintain local patches for this indefinitely,
> and so that everyone else can use it easily too.  I'm assuming the
> reason it wasn't merged in the past is there may be other issues
> blocking the merge that just weren't relevant to our particular
> configuration, or are just matters of cleanliness or implementation
> detail.
>
> I'd be happy to work with whoever on resolving that and getting this
> patchset into a merge-able state.  Does anyone know what the
> outstanding issues were/are?  Some of the past list traffic on this is
> a bit fragmented.
>
> Thanks,
> -- Brandon
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
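As an added example that is not part of this thread or of the patchset under discussion: a POSIX shell pre-deploy check for an RSA/ECDSA pair of the kind the quoted config shows. Written the way that fragment is, each ssl_certificate is followed by the ssl_certificate_key that belongs to it, so a swapped key line hands nginx a certificate whose public key does not match the private key, and sharing one chain and one ssl_stapling_file across the pair only makes sense if both leaves agree on subject, SANs, issuer and OCSP responder. The script builds a throwaway CA and a constructed RSA/ECDSA pair (not Wikimedia's GlobalSign certificates), walks a config fragment to verify each certificate/key pairing, and compares the identity fields across the pair. It assumes openssl(1) on PATH; the example.test names, the OCSP URL and the file names are made up.

```shell
#!/bin/sh
# Added example (not from the thread or the nginx patchset): pre-deploy checks for
# an RSA + ECDSA certificate pair. Assumes openssl(1) is on PATH. The CA, leaf
# certificates, domain names, OCSP URL and file names are constructed for
# illustration; none of them are Wikimedia's.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Public-key algorithm of the first certificate in a PEM file:
# "rsaEncryption" or "id-ecPublicKey".
cert_key_type() {
  openssl x509 -in "$1" -noout -text | awk '/Public Key Algorithm:/ { print $4; exit }'
}

# True when the private key's public half equals the certificate's SubjectPublicKeyInfo.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Subject, issuer, SANs and OCSP responder URL: the fields that must agree
# across the pair when one chain and one stapling file serve both certificates.
cert_identity() {
  openssl x509 -in "$1" -noout -subject -issuer
  openssl x509 -in "$1" -noout -text | grep -E 'DNS:|OCSP - URI:' | sed 's/^[ \t]*//'
}

pair_is_consistent() {
  [ "$(cert_identity "$1")" = "$(cert_identity "$2")" ]
}

# Walk a server-block fragment the way the posted config is written: each
# ssl_certificate is followed by the ssl_certificate_key that belongs to it.
# A swapped key line therefore shows up as a certificate/key mismatch.
check_nginx_fragment() {
  conf=$1
  awk '/^[ \t]*ssl_certificate(_key)?[ \t]/ { sub(";", "", $2); print $1, $2 }' "$conf" \
    > "$conf.directives"
  cert=""
  while read -r directive path; do
    case $directive in
      ssl_certificate) cert=$path ;;
      ssl_certificate_key)
        [ -n "$cert" ] || { echo "$path: no preceding ssl_certificate" >&2; return 1; }
        key_matches_cert "$cert" "$path" \
          || { echo "MISMATCH: $cert does not match $path" >&2; return 1; }
        echo "ok: $(cert_key_type "$cert") $cert <-> $path"
        cert=""
        ;;
    esac
  done < "$conf.directives"
}

# Build a throwaway CA plus an RSA leaf and an ECDSA leaf with identical
# subject, SANs and OCSP URL, chain them, and write a good and a swapped config.
build_fixture() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  cat > "$dir/ext.cnf" <<EOF
subjectAltName = DNS:unified.example.test, DNS:www.example.test
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
EOF
  openssl genrsa -out "$dir/rsa.key" 2048 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ec.key"
  for name in rsa ec; do
    openssl req -new -key "$dir/$name.key" -subj "/CN=unified.example.test" \
      -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 2 -extfile "$dir/ext.cnf" -out "$dir/$name.crt" 2>/dev/null
    cat "$dir/$name.crt" "$dir/ca.crt" > "$dir/$name.chained.crt"
  done
  cat > "$dir/good.conf" <<EOF
ssl_certificate $dir/ec.chained.crt;
ssl_certificate_key $dir/ec.key;
ssl_certificate $dir/rsa.chained.crt;
ssl_certificate_key $dir/rsa.key;
ssl_stapling on;
ssl_stapling_file $dir/unified.ocsp;
EOF
  # Same fragment with the two key lines swapped: a plausible copy-paste error.
  sed -e 's#/ec.key#/TMP.key#; s#/rsa.key#/ec.key#; s#/TMP.key#/rsa.key#' \
    "$dir/good.conf" > "$dir/bad.conf"
}

build_fixture "$WORK"
check_nginx_fragment "$WORK/good.conf"
if pair_is_consistent "$WORK/rsa.crt" "$WORK/ec.crt"; then
  echo "pair agrees on subject, SANs, issuer and OCSP responder"
fi
if check_nginx_fragment "$WORK/bad.conf" 2>/dev/null; then
  echo "unexpected: swapped keys accepted"; exit 1
else
  echo "bad.conf rejected as expected"
fi
```

Run it against real files by pointing check_nginx_fragment at the server block (it only reads the ssl_certificate and ssl_certificate_key lines) and pair_is_consistent at the two leaf files; the fixture is there so the script runs offline.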

