Hey, > I would rather see ssl_certificates to be used this way, something > like: > > ssl_certificate rsa.crt; > ssl_certificate_key rsa.key; > > ssl_certificate ecc.crt; > ssl_certificate_key ecc.key;
Yeah, I'm in favor of that syntax as well. > AFAIR, OpenSSL only able to store one certificate chain per > SSL_CTX, which is the root cause of the problem. That's solved in OpenSSL-1.0.2 (unreleased). For now, the one thing we could do is to let OpenSSL build certificate chains from the trusted certificates store... In order to do that, all we need to do is to load only the first certificate in the file (i.e. don't load intermediate certificates) in case there are multiple certificates defined. This way, OpenSSL will try to build the certificate chain automatically (unfortunately, it will do that on the fly for each connection, so it's a noticeable overhead). Optimized version of that could compare intermediates from all the files and only do that in case they differ. Best regards, Piotr Sikora _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
