Fwd: Re: [PATCH] RSA+DSA+ECC bundles

shmick at riseup.net shmick at riseup.net
Sat Sep 20 15:41:13 UTC 2014


unfortunately this was as far as I got with version git

$ patch -p0 < nginx_multiple_certs_and_stapling_V2.patch
patching file a/src/event/ngx_event_openssl.c
Hunk #1 succeeded at 96 with fuzz 2 (offset 12 lines).
Hunk #2 succeeded at 162 (offset 14 lines).
Hunk #3 FAILED at 191.
Hunk #4 FAILED at 236.
2 out of 4 hunks FAILED -- saving rejects to file
a/src/event/ngx_event_openssl.c.rej
patching file a/src/event/ngx_event_openssl.h
Hunk #1 FAILED at 104.
Hunk #2 succeeded at 203 (offset 22 lines).
1 out of 2 hunks FAILED -- saving rejects to file
a/src/event/ngx_event_openssl.h.rej
patching file a/src/event/ngx_event_openssl_stapling.c
Hunk #1 FAILED at 11.
Hunk #12 succeeded at 1793 (offset 13 lines).
1 out of 12 hunks FAILED -- saving rejects to file
a/src/event/ngx_event_openssl_stapling.c.rej
patching file a/src/http/modules/ngx_http_ssl_module.c
Hunk #1 FAILED at 66.
Hunk #2 succeeded at 209 (offset 31 lines).
Hunk #3 FAILED at 404.
Hunk #4 FAILED at 463.
Hunk #5 FAILED at 550.
Hunk #6 succeeded at 702 (offset 110 lines).
Hunk #7 succeeded at 762 (offset 118 lines).
4 out of 7 hunks FAILED -- saving rejects to file
a/src/http/modules/ngx_http_ssl_module.c.rej
patching file a/src/http/modules/ngx_http_ssl_module.h
Hunk #1 FAILED at 25.
1 out of 1 hunk FAILED -- saving rejects to file
a/src/http/modules/ngx_http_ssl_module.h.rej
patching file a/src/mail/ngx_mail_ssl_module.c
Hunk #1 FAILED at 57.
Hunk #2 FAILED at 173.
Hunk #3 FAILED at 215.
Hunk #4 FAILED at 243.
4 out of 4 hunks FAILED -- saving rejects to file
a/src/mail/ngx_mail_ssl_module.c.rej
patching file a/src/mail/ngx_mail_ssl_module.h
Hunk #1 FAILED at 27.
1 out of 1 hunk FAILED -- saving rejects to file
a/src/mail/ngx_mail_ssl_module.h.rej


and this was as far as I got with version 1.6.2 just renaming dirs

beyond that it's all Greek to me ...


$ patch -p0 < nginx_multiple_certs_and_stapling_V2.patch
patching file nginx-1.6.2/src/event/ngx_event_openssl.c
Hunk #1 succeeded at 86 with fuzz 2 (offset 2 lines).
Hunk #2 succeeded at 150 (offset 2 lines).
Hunk #3 FAILED at 191.
Hunk #4 succeeded at 240 (offset 4 lines).
1 out of 4 hunks FAILED -- saving rejects to file
nginx-1.6.2/src/event/ngx_event_openssl.c.rej
patching file nginx-1.6.2/src/event/ngx_event_openssl.h
Hunk #1 succeeded at 108 (offset 4 lines).
Hunk #2 succeeded at 191 (offset 6 lines).
patching file nginx-1.6.2/src/event/ngx_event_openssl_stapling.c
Hunk #1 FAILED at 11.
Hunk #12 succeeded at 1791 (offset 11 lines).
1 out of 12 hunks FAILED -- saving rejects to file
nginx-1.6.2/src/event/ngx_event_openssl_stapling.c.rej
patching file nginx-1.6.2/src/http/modules/ngx_http_ssl_module.c
Hunk #1 succeeded at 74 (offset 8 lines).
Hunk #2 succeeded at 200 (offset 22 lines).
Hunk #3 FAILED at 404.
Hunk #4 FAILED at 463.
Hunk #5 succeeded at 640 (offset 90 lines).
Hunk #6 succeeded at 677 (offset 92 lines).
Hunk #7 succeeded at 737 (offset 100 lines).
2 out of 7 hunks FAILED -- saving rejects to file
nginx-1.6.2/src/http/modules/ngx_http_ssl_module.c.rej
patching file nginx-1.6.2/src/http/modules/ngx_http_ssl_module.h
Hunk #1 FAILED at 25.
1 out of 1 hunk FAILED -- saving rejects to file
nginx-1.6.2/src/http/modules/ngx_http_ssl_module.h.rej
patching file nginx-1.6.2/src/mail/ngx_mail_ssl_module.c
Hunk #2 FAILED at 173.
Hunk #3 succeeded at 223 (offset 8 lines).
Hunk #4 succeeded at 253 (offset 8 lines).
1 out of 4 hunks FAILED -- saving rejects to file
nginx-1.6.2/src/mail/ngx_mail_ssl_module.c.rej
patching file nginx-1.6.2/src/mail/ngx_mail_ssl_module.h
Hunk #1 succeeded at 27 with fuzz 1.



Rob Stradling wrote:
> On 19/09/14 15:37, shmick at riseup.net wrote:
>> many thanks for that rob
>>
>> this in addition to an already successful BoringSSL patch could be
>> quite exciting if it works !
> 
> :-)
> 
>> cheers
>>
>> Rob Stradling wrote:
>>> Patch attached.
>>>
>>> -------- Forwarded Message --------
>>> Subject: Re: [PATCH] RSA+DSA+ECC bundles
>>> Date: Thu, 31 Oct 2013 21:58:01 +0000
>>> From: Rob Stradling <rob.stradling at comodo.com>
>>> Reply-To: nginx-devel at nginx.org
>>> To: nginx-devel at nginx.org
>>>
>>> On 31/10/13 20:58, Rob Stradling wrote:
>>>> On 24/10/13 01:26, Maxim Dounin wrote:
>>>> <snip>
>>>>> As for multiple certs per se, I don't think it should be limited
>>>>> to recent OpenSSL versions only.  As far as I can tell, current
>>>>> versions of OpenSSL will work just fine (well, mostly) as long as
>>>>> both ECDSA and RSA certs use the same certificate chain.  I
>>>>> believe at least some CAs issue ECDSA certs this way, and this
>>>>> should work.
>>>>>
>>>>> Limiting support for multiple certs with separate certificate
>>>>> chains to only recent OpenSSL versions seems reasonable for me,
>>>>> but if Rob wants to try to make it work with older versions - I
>>>>> don't really object.  If it won't be too hacky it might be worth
>>>>> supporting.
>>>>
>>>> Updated patch attached.  This implements multiple certs and makes OCSP
>>>> Stapling work correctly with them.  It works with all of the active
>>>> OpenSSL branches (including 0_9_8).
>>>
>>> That patch caused problems with ssl_stapling_file.  Fixed in the
>>> attached V2 patch.
>>>
>>>> I'm afraid it's a much larger patch than I anticipated it would be when
>>>> I started working on it!
>>>>
>>>> Maxim, does this patch look commit-able?
>>>
>>
> 


