On 14.10.13 10:51, Rob Stradling wrote:
> Kaspar, I don't think data from 2010 (or even data from today) should be
> assumed to be a reliable indicator of future use of non-RSA certs on
> public sites.
"Past performance is not indicative of future performance", as they used to say in other industries, yes. Did the situation with Certicom's licensing terms for ECC cert issuance change recently?

> AFAICT, interest (amongst the commercial CAs) in ECC certs continues to
> grow. Since a significant proportion (I estimate ~20%) of deployed
> clients will accept RSA server certs but not ECC server certs, I think
> that configuring both an ECC cert and an RSA cert on a single vhost may
> yet become popular!

I'm not saying we should no longer support multiple certs per vhost (in fact, with my PoC patch, you can send as many certs to OpenSSL if you increase SSL_AIDX_MAX - though OpenSSL currently can't really cope with it)... what I'm saying is that I don't see a need for an additional per-cert directive. To support the "current cert" concept of OpenSSL for the SSL_CTX calls, we just need to make sure that we're applying the OpenSSLConfCmd directives (ServerInfoFile etc.) at the proper place.

Kaspar
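As an added illustration (not from this thread, the PoC patch, or httpd's own documentation) of the dual-cert vhost Rob describes: the shape such a configuration took once repeated SSLCertificateFile directives were accepted, with the OpenSSL conf command placed after the certificate it should attach to. It assumes httpd 2.4.8 or later with OpenSSL 1.0.2 or later, and all file paths are placeholders.

```apache
# Added example, not from this thread or httpd's own docs.
# Assumes httpd >= 2.4.8 (repeated SSLCertificateFile directives) and
# OpenSSL >= 1.0.2 (SSLOpenSSLConfCmd). All paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # RSA chain: the fallback for the ~20% of clients that offer no
    # ECDSA-capable cipher suites / signature algorithms.
    SSLCertificateFile    /etc/ssl/certs/www.example.com.rsa.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.rsa.key

    # ECDSA chain: chosen by OpenSSL for clients that negotiate an
    # ECDSA-authenticated suite. Key files must be listed in the same
    # order as their matching certificate files.
    SSLCertificateFile    /etc/ssl/certs/www.example.com.ecdsa.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.ecdsa.key

    # SSL_CONF_cmd directives such as ServerInfoFile attach to the
    # "current" (most recently loaded) certificate in the SSL_CTX, so
    # keep them directly after the certificate they belong to.
    SSLOpenSSLConfCmd ServerInfoFile /etc/ssl/serverinfo/www.example.com.pem
</VirtualHost>
```

To confirm which chain a given client type receives, connect twice with `openssl s_client -connect www.example.com:443`, once with `-cipher aRSA` and once with `-cipher aECDSA`, and compare the certificate subjects and public key types printed for each.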