Status of dual certificate support

Albert Casademont albertcasademont at gmail.com
Sun Feb 21 21:08:35 UTC 2016


It would be great if these patches were merged upstream!

On Sunday, 21 February 2016, ToSHiC <toshic.toshic at gmail.com> wrote:

> Hello,
>
> We are using patches from here:
> https://github.com/wikimedia/operations-software-nginx/tree/wmf-1.9.2-1/debian/patches
> in production since 20th of December 2015.
>
> We've made 2 certificates: EC+SHA2 signature for new browsers and RSA+SHA1
> signature for old ones. We assume that all browsers that support EC certs
> also support SHA2 cert signatures. Monitoring of bad SSL connections from
> nginx's error.log shows no additional errors, so we think our assumption is
> correct. The certificate election mechanism is based on cipher suites from
> the ClientHello, and unfortunately there is no certificate signature type in
> the cipher suite string.
>
> If you try to make the same configuration, you need to force server
> cipher suites over the client's, and carefully place ECDSA before RSA. To check
> that everything works fine, use the openssl s_client utility with the -cipher option.
> RSA should be enabled only if ECDSA is not present in the client ciphers.
>
> To monitor proper certificate usage in production we use the ssl_cipher
> variable. Additionally we've added a variable with the currently used server
> certificate serial number, just to be sure. Our logs show that in December
> ~20-25% of clients used the RSA certificate in our configuration.
>
> Please feel free to contact me if you have any questions.
>
> Regards,
> Anton Kortunov.
>
> On Sun, Feb 21, 2016 at 1:58 PM, Jonathan Horn <jonathan at autoit4you.de> wrote:
>
>> Hi all,
>>
>> I wanted to know what the current status is to get dual certificate
>> support into nginx.
>>
>> I saw that there have been some patches in March and April last year,
>> but with no indication why the final version in April hasn't been merged.
>>
>> Is there any work currently done on bringing this into nginx? Or is some
>> other feature development currently blocking this? Is there something
>> else that I can help with to get that support into nginx?
>>
>> Jonathan Horn
>>
>> _______________________________________________
>> nginx-devel mailing list
>> nginx-devel at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>>
>
>
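The two checks Anton describes above (server cipher order with ECDSA ahead of RSA, and monitoring which certificate actually got used from `$ssl_cipher` plus a serial-number variable) can be automated offline. The script below is an added example written for this thread, not code from the Wikimedia patches or from nginx. It parses a constructed nginx snippet, verifies the ordering invariant, and classifies constructed access-log lines. The `$cert_serial` log variable and the serial values are hypothetical stand-ins for whatever the patch set exposes; the cipher list is illustrative, not the one used in production.

```python
"""Added example (not from the thread): offline checks for a dual-certificate
(ECDSA + RSA) nginx setup.

1. The ssl_ciphers list must put every ECDSA suite before every RSA suite and
   ssl_prefer_server_ciphers must be on, so an ECDSA-capable client is never
   steered to the RSA certificate.
2. Access-log lines carrying $ssl_cipher and a certificate serial are
   classified so the RSA share can be tracked and cert/cipher mismatches found.
"""
import re
from collections import Counter

# Constructed config (directive names are real nginx directives; the cipher
# list is an illustrative choice).
GOOD_CONF = """
server {
    listen 443 ssl;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA;
}
"""

# Same setup with both mistakes the post warns about: client order wins and
# an RSA suite precedes an ECDSA suite.
BAD_CONF = """
server {
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256;
}
"""


def parse_tls_settings(conf: str) -> tuple[bool, list[str]]:
    """Return (prefer_server_ciphers, cipher list) from nginx config text."""
    prefer = re.search(r"ssl_prefer_server_ciphers\s+(on|off)\s*;", conf)
    ciphers = re.search(r"ssl_ciphers\s+([^;]+);", conf)
    if not ciphers:
        raise ValueError("no ssl_ciphers directive found")
    return (prefer is not None and prefer.group(1) == "on",
            [c.strip() for c in ciphers.group(1).split(":") if c.strip()])


def auth_type(cipher: str) -> str:
    """Certificate type an OpenSSL cipher name authenticates with.
    Anything without ECDSA (ECDHE-RSA-*, DHE-RSA-*, plain AES128-SHA, ...) is
    treated as RSA, which is all a two-certificate setup needs to distinguish."""
    return "ECDSA" if "ECDSA" in cipher else "RSA"


def check_cipher_order(prefer: bool, ciphers: list[str]) -> list[str]:
    """Return a list of problems; an empty list means the invariant holds."""
    problems = []
    if not prefer:
        problems.append("ssl_prefer_server_ciphers is not on; client order would decide")
    seen_rsa = False
    for c in ciphers:
        if auth_type(c) == "RSA":
            seen_rsa = True
        elif seen_rsa:
            problems.append(f"ECDSA suite {c} listed after an RSA suite")
    if not any(auth_type(c) == "ECDSA" for c in ciphers):
        problems.append("no ECDSA suites at all")
    return problems


# Constructed log lines for a hypothetical log_format
#   '$remote_addr $ssl_protocol $ssl_cipher $cert_serial'
# where $cert_serial stands in for the patch set's serial-number variable.
LOG_LINES = """\
203.0.113.10 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 0A1B
203.0.113.11 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 0C2D
203.0.113.12 TLSv1.0 AES128-SHA 0C2D
203.0.113.13 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 0A1B
203.0.113.14 - - -
203.0.113.15 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 0C2D
""".splitlines()

# Hypothetical serial -> certificate type map for the two deployed certs.
SERIALS = {"0A1B": "ECDSA", "0C2D": "RSA"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def cert_usage(lines, serials: dict[str, str]):
    """Count handshakes per certificate type from $ssl_cipher and collect lines
    where the logged serial disagrees with the cipher's certificate type
    (which would mean the certificate election picked the wrong cert)."""
    counts: Counter = Counter()
    mismatches = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) == "-":
            counts["plain"] += 1      # no TLS handshake information
            continue
        cipher, serial = m.group(3), m.group(4)
        t = auth_type(cipher)
        counts[t] += 1
        if serials.get(serial) not in (None, t):
            mismatches.append(line)
    return counts, mismatches


def rsa_share(counts: Counter) -> float:
    """Fraction of TLS handshakes that used the RSA certificate."""
    tls = counts["ECDSA"] + counts["RSA"]
    return counts["RSA"] / tls if tls else 0.0


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_cipher_order(*parse_tls_settings(conf)) or "ok")
    counts, bad = cert_usage(LOG_LINES, SERIALS)
    print(dict(counts), f"RSA share={rsa_share(counts):.0%}", "mismatches:", bad)
```

Run it against a real access log by swapping `LOG_LINES` for the file contents and `SERIALS` for the serials of the two deployed certificates; the mismatch list is the thing to alert on, since a non-empty list means a client that offered ECDSA suites was still handed the RSA certificate.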