I think we can add a new section called 'ssl'

Maxim Dounin mdounin at mdounin.ru
Mon Jun 6 10:29:41 UTC 2016


Hello!

On Mon, Jun 06, 2016 at 09:08:08AM +0800, 四弦 wrote:

> Hello,
> When the nginx-1.11.0 released,'ssl_certficate' and 'ssl_certificate_key'
> options can be use several times to load different kinds of
> certificates.But,if you use the module 'nginx-ct' to enable 'Certificate
> Transperancy' policy(the module allow you to submit your certificate to
> 'Certificate Transperancy Logs' server and get the 'SCT' which can be used
> to sent to browser to enable 'Certificate Transperancy'.And it added two
> options:'ssl_ct on/off;' and 'ssl_ct_static_scts
> /path/to/sct/directory;')So,if you use ECDSA and RSA dual-certificates,you
> can only put SCT of each other in a directory.In chrome 50,you will see '1
> vaild SCT,1 invaild SCT',and in some lower version chrome,you click the
> 'Lock' on the left of the address bar,it will display a red 'Lock' with a
> '×' in the pop-up menu,although the text beside is 'The server provides a
> valid certificate, and provide a valid Certificate Transperancy
> information'.
> And it also says:'Your connection is not private connection.'
> 
> So, why don't we add a section called 'ssl'? It would allow us to have
> different settings according to the type of certificate. Like the following:
> ssl {
>     ssl_certificate ...;
>     ssl_certificate_key ...;
>     ssl_ct on;
>     ssl_ct_static_scts /path/to/ecc/sct;
> }
> ssl {
>     ssl_certificate ...;
>     ssl_certificate_key ...;
>     ssl_ct on;
>     ssl_ct_static_scts /path/to/rsa/sct;
> }
> What do you think of my suggestion?

Rather, I would think about somehow selecting different server{} 
blocks based on SSL options (e.g., ciphers supported by a client).

-- 
Maxim Dounin
http://nginx.org/
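Added example, not part of the thread and not code from nginx or the nginx-ct module: the "1 valid SCT, 1 invalid SCT" symptom described above follows from how an SCT is constructed. The data a CT log signs for an x509_entry (RFC 6962 section 3.2) embeds the end-entity certificate, so an SCT issued for the RSA certificate can never verify when served alongside the ECDSA one, and a single static SCT directory that is attached to both certificates will always contain one SCT the browser rejects. The script below decodes the v1 wire form that a static .sct file holds, rebuilds the to-be-signed data for a given certificate, and encodes the SCT list as carried in the TLS extension. The log key, certificate bytes, timestamp and signature are constructed placeholders, not real CT data.

```python
"""RFC 6962 v1 SCT decode/encode and the per-certificate data a CT log signs.

Added illustration; the sample log key, certificates, timestamp and signature
are constructed placeholders, not real CT material.
"""
import hashlib
import struct

SCT_VERSION_V1 = 0             # Version.v1
SIGTYPE_CERT_TIMESTAMP = 0     # SignatureType.certificate_timestamp
ENTRY_X509 = 0                 # LogEntryType.x509_entry (precert_entry = 1)
HASH_SHA256, SIG_ECDSA = 4, 3  # TLS SignatureAndHashAlgorithm code points


def log_id_of(log_pubkey_spki_der: bytes) -> bytes:
    """LogID = SHA-256 over the log's public key as DER SubjectPublicKeyInfo."""
    return hashlib.sha256(log_pubkey_spki_der).digest()


def encode_sct(log_id, timestamp_ms, signature, hash_alg=HASH_SHA256,
               sig_alg=SIG_ECDSA, extensions=b"") -> bytes:
    """Serialise a SignedCertificateTimestamp to the v1 wire form (.sct file)."""
    if len(log_id) != 32:
        raise ValueError("LogID must be 32 bytes")
    return (struct.pack(">B32sQH", SCT_VERSION_V1, log_id, timestamp_ms, len(extensions))
            + extensions
            + struct.pack(">BBH", hash_alg, sig_alg, len(signature))
            + signature)


def parse_sct(data: bytes) -> dict:
    """Parse one serialised SCT, rejecting truncated or over-long input."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("SCT truncated at offset %d" % pos)
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    version = take(1)[0]
    if version != SCT_VERSION_V1:
        raise ValueError("unsupported SCT version %d" % version)
    log_id = take(32)
    (timestamp_ms,) = struct.unpack(">Q", take(8))
    (ext_len,) = struct.unpack(">H", take(2))
    extensions = take(ext_len)
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", take(4))
    signature = take(sig_len)
    if pos != len(data):
        raise ValueError("%d trailing bytes after SCT" % (len(data) - pos))
    return {"version": version, "log_id": log_id, "timestamp_ms": timestamp_ms,
            "extensions": extensions, "hash_alg": hash_alg, "sig_alg": sig_alg,
            "signature": signature}


def is_valid_sct(data: bytes) -> bool:
    """True if the bytes are a well-formed v1 SCT (structure only, no signature check)."""
    try:
        parse_sct(data)
        return True
    except ValueError:
        return False


def signed_data_x509(sct: dict, cert_der: bytes) -> bytes:
    """The digitally-signed struct a log signs for an x509_entry.

    The certificate itself is part of the signed input, so the log's signature
    binds the SCT to exactly one certificate."""
    if not 1 <= len(cert_der) < (1 << 24):
        raise ValueError("ASN.1Cert length out of range")
    return (struct.pack(">BBQH", sct["version"], SIGTYPE_CERT_TIMESTAMP,
                        sct["timestamp_ms"], ENTRY_X509)
            + len(cert_der).to_bytes(3, "big") + cert_der
            + struct.pack(">H", len(sct["extensions"])) + sct["extensions"])


def sct_list_extension(scts) -> bytes:
    """Encode SignedCertificateTimestampList for the TLS signed_certificate_timestamp extension."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    if not 1 <= len(body) < (1 << 16):
        raise ValueError("SCT list length out of range")
    return struct.pack(">H", len(body)) + body


# Constructed sample data (not real certificates, keys or log signatures).
SAMPLE_LOG_ID = log_id_of(b"constructed SubjectPublicKeyInfo bytes of a CT log")
SAMPLE_SIGNATURE = bytes.fromhex("3006020101020102")  # DER ECDSA-Sig-Value shape
CERT_RSA_DER = b"constructed DER of the RSA certificate"
CERT_ECDSA_DER = b"constructed DER of the ECDSA certificate"


def demo() -> dict:
    sct_bytes = encode_sct(SAMPLE_LOG_ID, 1465208981000, SAMPLE_SIGNATURE)
    sct = parse_sct(sct_bytes)
    # One SCT, two certificates: the to-be-signed data differs, so a signature
    # that verifies for the RSA cert cannot verify for the ECDSA cert.
    rsa_tbs = signed_data_x509(sct, CERT_RSA_DER)
    ecdsa_tbs = signed_data_x509(sct, CERT_ECDSA_DER)
    return {"sct_len": len(sct_bytes), "log_id_hex": sct["log_id"].hex(),
            "tbs_differs": rsa_tbs != ecdsa_tbs,
            "ext_len": len(sct_list_extension([sct_bytes, sct_bytes]))}


if __name__ == "__main__":
    print(demo())
```

To map static .sct files to certificates in practice, parse each file with parse_sct(), compare its log_id against log_id_of() of the known log keys, and check the log's signature over signed_data_x509() with the matching certificate DER (signature verification itself needs the log's public key and an ECDSA/RSA implementation, which this script deliberately does not include).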
