Hello!

On Thu, Oct 31, 2013 at 08:58:31PM +0000, Rob Stradling wrote:

> On 24/10/13 01:26, Maxim Dounin wrote:
> <snip>
> > As for multiple certs per se, I don't think it should be limited
> > to recent OpenSSL versions only. As far as I can tell, current
> > versions of OpenSSL will work just fine (well, mostly) as long as
> > both ECDSA and RSA certs use the same certificate chain. I
> > believe at least some CAs issue ECDSA certs this way, and this
> > should work.
> >
> > Limiting support for multiple certs with separate certificate
> > chains to only recent OpenSSL versions seems reasonable for me,
> > but if Rob wants to try to make it work with older versions - I
> > don't really object. If it won't be too hacky it might be worth
> > supporting.
>
> Updated patch attached. This implements multiple certs and makes
> OCSP Stapling work correctly with them. It works with all of the
> active OpenSSL branches (including 0_9_8).
>
> I'm afraid it's a much larger patch than I anticipated it would be
> when I started working on it!
>
> Maxim, does this patch look commit-able?

It looks like it needs to be broken down into a patch series to be at least reviewable.

I haven't looked into details yet, but I tend to dislike at least changing the ngx_ssl_certificate() function into a monster which configures everything. Preserving a separate call to configure stapling would be much better.

Checks for extra certificate chains with unsupported OpenSSL versions look a bit too extensive. I would think of just dropping them completely.

-- 
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
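For readers following the thread, here is what the feature under discussion looks like from the operator's side: an added example configuration (not part of this mail or of Rob's patch) for serving an RSA and an ECDSA certificate on the same server block with OCSP stapling enabled for both. It assumes an nginx build that accepts multiple `ssl_certificate` directives (shipped in nginx 1.11.0 and later), and all file paths and the resolver address are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name example.com;   # placeholder hostname

    # RSA certificate and key (placeholder paths). The file should hold
    # the leaf certificate followed by its intermediate chain.
    ssl_certificate     /etc/nginx/tls/rsa.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/rsa.key;

    # ECDSA certificate and key (placeholder paths). As the thread notes,
    # older OpenSSL releases only handle this cleanly when the ECDSA cert
    # shares the same intermediate chain as the RSA cert; a separate
    # chain per certificate needs the newer OpenSSL code paths.
    ssl_certificate     /etc/nginx/tls/ecdsa.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/ecdsa.key;

    # OCSP stapling is performed per certificate, so each leaf gets its
    # own stapled response. ssl_stapling_verify checks the responder's
    # signature against the trusted CA bundle below.
    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /etc/nginx/tls/ca-bundle.pem;  # placeholder

    # Stapling needs a resolver to reach the OCSP responder named in
    # each certificate's AIA extension (placeholder address).
    resolver 192.0.2.53 valid=300s;
    resolver_timeout 5s;

    # Only TLS 1.2+ clients can signal ECDSA support in their
    # signature_algorithms extension; OpenSSL picks the cert per client.
    ssl_protocols TLSv1.2 TLSv1.3;
}
```

Whether a given client receives the RSA or the ECDSA certificate is decided by OpenSSL from the client's advertised signature algorithms and cipher suites, and the stapled OCSP response sent is the one for the certificate actually selected.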