Multiple certificate support revisited

F. DA SILVA fdasilvayy at gmail.com
Sat May 14 22:20:36 UTC 2016


Hi, Brandon.

Shortened (by myself) answer from the nginx guys, which I received at the beginning of May:
"...(this) is work in process already, ... hope it will be finished in May."

Regards,
FDS

>> On 14 May 2016 at 17:22, Brandon Black <bblack at wikimedia.org> wrote:
>> 
>> On Tue, Aug 18, 2015 at 2:31 PM, Brandon Black <bblack at wikimedia.org> wrote:
>> Hi all,
>> 
>> The Wikimedia Foundation has been running nginx-1.9.3 patched for
>> multi-certificate support for all production TLS traffic for a few
>> weeks now without incident, for all inbound requests to Wikipedia and
>> other associated projects of the Foundation.
> 
> [... http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007225.html
> for full text]
> 
> Bump!
> 
> We're still running these patches for all Wikimedia sites (including
> Wikipedia) to serve dual ECDSA+RSA certificates.  There was some
> feedback from some of the original author(s) privately back at the
> time of my last post on this in Aug 2015, but no real progress on
> making newer/better patches and no upstream feedback from nginx.org
> AFAIK so far.
> 
> We had stalled out on nginx version updates at Wikimedia for a while.
> We stalled at 1.9.4 for months due to the SPDY-v-HTTP2 switch and
> real-world client support stats, etc.  Eventually the stats on the
> switch got better as we approached the May 15 Chrome SPDY cutoff (
> https://phabricator.wikimedia.org/T96848#2251633 ).  On May 4th, we
> made the switch to nginx-1.10.0 with HTTP/2 support in place of SPDY,
> and thus we've now also published updated dual-cert patches.
> 
> So for anyone who's still pulling in these patches manually, the
> correct diffs against 1.10.0 are now available as the 100x series at:
> https://github.com/wikimedia/operations-software-nginx/tree/wmf-1.10.0-1/debian/patches
> .
> 
> These patches have been working fine for us functionally on a very
> large traffic site with a very broad mix of client UAs, with external
> OCSP Stapling files, for several months.  I'd still like to get a
> conversation going on how we can get this support merged into upstream
> nginx, perhaps during 1.11.x?  What is this patch series missing in
> terms of feature support, code quality, etc, to get into a mergeable
> state?
> 
> Thanks,
> -- Brandon Black
> Sr Operations Engineer
> Wikimedia Foundation
> 
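The dual ECDSA+RSA setup Brandon describes above, shown as an added example for readers of this archive: this is not code from the thread and not the Wikimedia patch series (whose directive syntax is not shown on this page). It uses the upstream syntax that shipped in nginx 1.11.0 shortly after this exchange, where ssl_certificate and ssl_certificate_key may be repeated to load certificates of different key types. The hostname, file paths and resolver address are hypothetical.

```nginx
# Added example, not from the thread or the Wikimedia patches.
# Requires nginx >= 1.11.0 (repeatable ssl_certificate directives).
# Hostname, paths and the resolver address are hypothetical.
server {
    listen 443 ssl http2;
    server_name www.example.org;

    # Both chains are loaded. nginx selects the one whose key type matches
    # the cipher suite / signature algorithm the client can negotiate, so an
    # old RSA-only client and a modern ECDSA-capable client both get served.
    ssl_certificate     /etc/nginx/ssl/example.org.ecdsa.chain.pem;
    ssl_certificate_key /etc/nginx/ssl/example.org.ecdsa.key;
    ssl_certificate     /etc/nginx/ssl/example.org.rsa.chain.pem;
    ssl_certificate_key /etc/nginx/ssl/example.org.rsa.key;

    # Put ECDSA suites first so capable clients end up on the ECDSA chain;
    # the RSA suites remain for the rest of a broad client mix.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA;

    # OCSP stapling fetched from each certificate's own responder, so each
    # chain carries its own response. Caveat (verify against your version):
    # upstream's ssl_stapling_file is a single file applied to every loaded
    # certificate, so file-based stapling is not per-certificate here; the
    # "external OCSP stapling files" in the thread come from the patches.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/ca-roots.pem;
    resolver 192.0.2.53 valid=300s;
}

# Checks from a client host (hypothetical hostname). Forcing a single cipher
# makes the server choose the matching chain, or fail the handshake if it
# has no certificate of that key type:
#   openssl s_client -connect www.example.org:443 -servername www.example.org \
#       -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -status </dev/null 2>/dev/null \
#       | openssl x509 -noout -text | grep 'Public Key Algorithm'
#   expected: id-ecPublicKey
#   same command with -cipher ECDHE-RSA-AES128-GCM-SHA256
#   expected: rsaEncryption
# With -status, s_client also prints the stapled OCSP response (or
# "no response sent"); check it against both chains, since a stapled
# response for the wrong certificate is a silent misconfiguration.
```

The ordering in ssl_ciphers matters more than the certificate order: which chain a client receives follows from the suite negotiated, so an RSA suite listed ahead of the ECDSA suites would route ECDSA-capable clients to the RSA certificate.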
