I think we can add a new section called 'ssl'

四弦 odyssey471 at gmail.com
Mon Jun 6 13:20:09 UTC 2016


Hello,
That's a good idea. BoringSSL supports equivalent encryption algorithm
groups, like the following:
[ECDHE_ECDSA_CHACHA20_POLY1305_SHA384|ECDHE_ECDSA_AES_128_GCM_SHA384]:...
Cipher suites which are included in [] are equivalent; when TLS
handshaking, the feature can choose the best cipher suite by the client's
platform.
But it is hard to compile nginx with BoringSSL, and it doesn't support OCSP
Stapling, that's too bad.
I think your idea will be interesting if it can come true.


2016-06-06 18:29 GMT+08:00 Maxim Dounin <mdounin at mdounin.ru>:

> Hello!
>
> On Mon, Jun 06, 2016 at 09:08:08AM +0800, 四弦 wrote:
>
> > Hello,
> > When nginx-1.11.0 was released, the 'ssl_certificate' and 'ssl_certificate_key'
> > options could be used several times to load different kinds of
> > certificates. But if you use the module 'nginx-ct' to enable the 'Certificate
> > Transparency' policy (the module allows you to submit your certificate to
> > 'Certificate Transparency Logs' servers and get the 'SCT', which can be
> > used to send to the browser to enable 'Certificate Transparency'. It added two
> > options: 'ssl_ct on/off;' and 'ssl_ct_static_scts
> > /path/to/sct/directory;'), so if you use ECDSA and RSA
> > dual-certificates, you can only put the SCTs of each in one directory.
> > In Chrome 50 you will see '1 valid SCT, 1 invalid SCT', and in some lower
> > versions of Chrome, if you click the 'Lock' on the left of the address bar,
> > it will display a red 'Lock' with a '×' in the pop-up menu, although the
> > text beside it is 'The server provides a valid certificate, and provides
> > valid Certificate Transparency information'.
> > And it also says: 'Your connection is not a private connection.'
> >
> > So, why don't we add a section called 'ssl'? It could allow us to have some
> > different settings according to the type of certificate. Like the following:
> > ssl {
> >     ssl_certificate ...;
> >     ssl_certificate_key ...;
> >     ssl_ct on;
> >     ssl_ct_static_sct /path/to/ecc/sct;
> > }
> > ssl {
> >     ssl_certificate ...;
> >     ssl_certificate_key ...;
> >     ssl_ct on;
> >     ssl_ct_static_sct /path/to/rsa/sct;
> > }
> > What do you think of my advice?
>
> Rather, I would think about somehow selecting different server{}
> blocks based on SSL options (e.g., ciphers supported by a client).
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
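Why the browser reports one valid and one invalid SCT, as an added example that is not code from nginx, nginx-ct or anyone in this thread: the data a CT log signs for an SCT (RFC 6962) embeds the leaf certificate, so an SCT issued for the RSA certificate cannot verify against the ECDSA certificate, and serving both .sct files with each certificate gives exactly the '1 valid SCT, 1 invalid SCT' described above. The script serializes and parses the SignedCertificateTimestampList carried in the TLS signed_certificate_timestamp extension and checks each SCT against the certificate it is served with. Two assumptions, marked in the code: a keyed HMAC-SHA256 stands in for the log's real ECDSA P-256 signature so that it runs with the standard library only, and the certificates and log key are constructed placeholders rather than real DER.

```python
"""Added example, not code from nginx, nginx-ct or this thread.  HMAC-SHA256
stands in for the log's ECDSA signature (an assumption for illustration);
the certificates and log key are constructed placeholders."""
import hashlib
import hmac
import struct

SCT_V1 = 0
CERTIFICATE_TIMESTAMP = 0      # SignatureType
X509_ENTRY = 0                 # LogEntryType
HASH_SHA256, SIG_ECDSA = 4, 3  # TLS HashAlgorithm / SignatureAlgorithm ids


def signed_data(timestamp_ms, leaf_der, extensions=b""):
    """Bytes a log signs for an X.509 SCT (RFC 6962 section 3.2).  The leaf
    certificate is part of the signed data, so an SCT is bound to one cert."""
    return (struct.pack("!BBQH", SCT_V1, CERTIFICATE_TIMESTAMP, timestamp_ms, X509_ENTRY)
            + struct.pack("!I", len(leaf_der))[1:]  # ASN.1Cert<1..2^24-1>: 3-byte length
            + leaf_der
            + struct.pack("!H", len(extensions)) + extensions)


def encode_sct(log_id, timestamp_ms, extensions, signature):
    """SignedCertificateTimestamp wire format (RFC 6962 section 3.2)."""
    if len(log_id) != 32:
        raise ValueError("log_id must be the 32-byte SHA-256 of the log key")
    return (struct.pack("!B32sQH", SCT_V1, log_id, timestamp_ms, len(extensions))
            + extensions
            + struct.pack("!BBH", HASH_SHA256, SIG_ECDSA, len(signature))
            + signature)


def encode_sct_list(scts):
    """SignedCertificateTimestampList: 2-byte total length, then each SCT
    with its own 2-byte length prefix (RFC 6962 section 3.3)."""
    body = b"".join(struct.pack("!H", len(s)) + s for s in scts)
    return struct.pack("!H", len(body)) + body


def parse_sct(data):
    version, log_id, timestamp_ms, ext_len = struct.unpack_from("!B32sQH", data, 0)
    if version != SCT_V1:
        raise ValueError("unsupported SCT version %d" % version)
    off = 43  # 1 + 32 + 8 + 2
    extensions = data[off:off + ext_len]
    off += ext_len
    hash_alg, sig_alg, sig_len = struct.unpack_from("!BBH", data, off)
    off += 4
    signature = data[off:off + sig_len]
    if off + sig_len != len(data):
        raise ValueError("SCT length does not match its contents")
    return {"log_id": log_id, "timestamp": timestamp_ms, "extensions": extensions,
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": signature}


def parse_sct_list(data):
    (total,) = struct.unpack_from("!H", data, 0)
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, off = [], 2
    while off < len(data):
        (n,) = struct.unpack_from("!H", data, off)
        off += 2
        if off + n > len(data):
            raise ValueError("SCT runs past end of list")
        scts.append(parse_sct(data[off:off + n]))
        off += n
    return scts


def issue_sct(log_key, timestamp_ms, leaf_der):
    """What a log does: sign the struct for this leaf (HMAC stands in for ECDSA)."""
    log_id = hashlib.sha256(log_key).digest()  # real log_id: SHA-256 of the log's public key
    sig = hmac.new(log_key, signed_data(timestamp_ms, leaf_der), hashlib.sha256).digest()
    return encode_sct(log_id, timestamp_ms, b"", sig)


def verify_sct(log_key, sct, leaf_der):
    """What a browser does per SCT: rebuild the signed data for the certificate
    it actually received and check the signature against it."""
    expected = hmac.new(log_key, signed_data(sct["timestamp"], leaf_der, sct["extensions"]),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sct["signature"])


def count_valid(log_key, sct_list_bytes, leaf_der):
    """Return (valid, invalid) counts for a served SCT list against one leaf."""
    results = [verify_sct(log_key, s, leaf_der) for s in parse_sct_list(sct_list_bytes)]
    return sum(results), len(results) - sum(results)


# Constructed placeholders: not real certificates or a real log key.
LOG_KEY = b"constructed-ct-log-key-for-example-only"
RSA_LEAF = b"\x30\x82\x01\x00" + b"constructed RSA leaf DER".ljust(60, b"\x00")
ECDSA_LEAF = b"\x30\x82\x01\x00" + b"constructed ECDSA leaf DER".ljust(60, b"\x00")
RSA_SCT = issue_sct(LOG_KEY, 1465219200000, RSA_LEAF)
ECDSA_SCT = issue_sct(LOG_KEY, 1465219200000, ECDSA_LEAF)
# One SCT directory holding both .sct files: both go out with whichever
# certificate the handshake selects.
SERVED_WITH_BOTH = encode_sct_list([RSA_SCT, ECDSA_SCT])

if __name__ == "__main__":
    print("ECDSA cert, both SCTs (valid, invalid):", count_valid(LOG_KEY, SERVED_WITH_BOTH, ECDSA_LEAF))
    print("RSA cert, both SCTs (valid, invalid):  ", count_valid(LOG_KEY, SERVED_WITH_BOTH, RSA_LEAF))
    print("ECDSA cert, own SCT only:              ", count_valid(LOG_KEY, encode_sct_list([ECDSA_SCT]), ECDSA_LEAF))
```

Run it as a script to see the (1, 1) result for either certificate when both SCTs are served, and (1, 0) once each certificate is paired only with its own SCT, which is the per-certificate grouping the proposal above is asking nginx-ct for.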