ther...nor" is what you're looking for. (I don't think
"without...nor" is grammatically correct).
Something like...
"nginx was built with support for neither ALPN nor NPN"
(P.S. I'm English, but I have to say that it's not uncommon for the
non-native
n drop the checks, rather than drop support for
those OpenSSL versions!)
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
KB.
...
Nginx hardcodes a 16KB size in ngx_event_openssl, which you can change and
recompile from source."
Would it be worth lowering this default value?
and/or
How about adding a config directive that allows users to change it
without having to edit the source code?
_add0_chain_cert(), since it doesn't increase OpenSSL's
internal reference count, same as SSL_CTX_add_extra_chain_cert()... If
you want to use SSL_CTX_add1_chain_cert() then you should free x509
afterwards.
Good point. Thanks Piotr!
use certs from a server's
certificate chain. Probably not something we want to happen.
On 23/10/13 01:25, Maxim Dounin wrote:
On Tue, Oct 22, 2013 at 02:31:01PM +0100, Rob Stradling wrote:
Yes, that's a potentially unwanted side effect. But unfortunately,
AFAICT, putting the intermediates into the "trusted certificates
store" is the only way to implement th
On 22/10/13 13:09, Maxim Dounin wrote:
Hello!
On Mon, Oct 21, 2013 at 10:40:43PM +0100, Rob Stradling wrote:
The following approach seems to work:
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
// OpenSSL 1.0.2 lets us do this properly
Call SSL_CTX_add1_chain_cert(ssl->ctx, x509)
CSP_basic_verify:signer certificate
not found" from the stapling code in both cases where I don't call
SSL_CTX_add_extra_chain_cert() - another thing to look into!)
alls and disk access for every connection) hasn't Maxim already said
that that overhead would be unacceptable?
An optimized version of that could compare the intermediates from all the
files and only do that in case they differ.
issues.
Ah yes. The Nginx stapling code seems to assume one cert and therefore
one OCSP Response. So, I think it needs updating to handle multiple
certs and OCSP Responses and to call SSL_get_certificate(SSL*) to get
the cert that the server has selected to send to the client. I've n
be possible
to do "certificate path" in memory (i.e. without syscalls and disk
access on each certificate check) using the OpenSSL X509_LOOKUP API.
- I expect Maxim will have other comments. :-)
[1] http://forum.nginx.org/read.php?2,229129,229151
like too
major a change for OpenSSL. It will also take several years to be
actually usable.
I'll discuss this further with Ben. Thanks.