Load SSL certificates from system's store

Maxim Dounin mdounin at mdounin.ru
Wed Sep 23 18:58:39 UTC 2015


Hello!

On Wed, Sep 23, 2015 at 10:58:19AM -0700, Michal Cichra wrote:

> Hi there,
> 
> There is a very basic patch to nginx (which is the same with 1.9.5) to allow loading all SSL certificates from CApath.
> 
> When doing proxy with SSL verification, nginx needs SSL certificates to be loaded through a file.
> That causes trouble for dynamic proxies that can proxy to any host. A workaround would be to pack all certificates from CApath and load them to nginx.
> However, that is not very cross-platform, as on OSX it can use the keychain.
> I understand there are some drawbacks (like memory usage), so I’d make it configurable with off by default.
> 
> See the gist https://gist.github.com/mikz/4dae10a0ef94de7c8139
> and discussion on openresty mailing list: https://groups.google.com/forum/#!searchin/openresty-en/ssl/openresty-en/SuqORBK9ys0/Yz0ypcRyV4UJ

I don't see anything changed since my previous response to your 
proposal:

http://mailman.nginx.org/pipermail/nginx/2014-September/045068.html

If you want things to actually happen you may want to go ahead and 
start working on a real patch.

(Just a side note: talking about OS X doesn't really make sense, 
as it's not a server platform.)

-- 
Maxim Dounin
http://nginx.org/
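
The workaround mentioned in the quoted message (packing every certificate from a CApath directory into one file that nginx loads), as an added example that is not part of this thread or of nginx. The default paths are assumptions, and certificates are treated as opaque PEM blocks: nothing is parsed or checked for validity or expiry.

```python
import base64, hashlib, os, re, ssl, sys, tempfile

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def bundle_capath(capath, out_path):
    """Write every unique certificate found under capath to out_path.

    Returns the number of certificates written. OpenSSL-style CApath
    directories hold hash-named symlinks (e.g. "xxxxxxxx.0") next to the real
    files, so the same certificate is usually seen twice; duplicates are
    dropped by SHA-256 of the decoded DER bytes.
    """
    seen, blocks = set(), []
    for name in sorted(os.listdir(capath)):
        path = os.path.join(capath, name)
        if not os.path.isfile(path):      # skips subdirectories and dangling symlinks
            continue
        try:
            with open(path, encoding="ascii", errors="ignore") as fh:
                text = fh.read()
        except OSError:
            continue                      # unreadable file: leave it out
        for match in PEM_RE.finditer(text):
            try:
                der = base64.b64decode("".join(match.group(1).split()), validate=True)
            except ValueError:
                continue                  # damaged block: do not copy it into the bundle
            digest = hashlib.sha256(der).digest()
            if der and digest not in seen:
                seen.add(digest)
                blocks.append(ssl.DER_cert_to_PEM_cert(der))
    # Write to a temp file and rename, so a reload never reads a partial bundle.
    out_dir = os.path.dirname(os.path.abspath(out_path))
    with tempfile.NamedTemporaryFile("w", dir=out_dir, delete=False) as tmp:
        tmp.write("".join(blocks))
    os.chmod(tmp.name, 0o644)             # CA certificates are public data
    os.replace(tmp.name, out_path)
    return len(blocks)

if __name__ == "__main__":
    # Assumed paths; adjust to the host. nginx then uses the bundle with:
    #   proxy_ssl_verify on;
    #   proxy_ssl_trusted_certificate /etc/nginx/ca-bundle.pem;
    src = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs"
    dst = sys.argv[2] if len(sys.argv) > 2 else "/etc/nginx/ca-bundle.pem"
    print(bundle_capath(src, dst), "certificates written to", dst)
```

The bundle is a snapshot: it has to be regenerated and nginx reloaded whenever the system store changes, including when a CA is removed from it.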



More information about the nginx-devel mailing list