Welcome! Log In Create A New Profile


Re: [PATCH] Re: RSA+DSA+ECC bundles

Rob Stradling
October 17, 2013 10:08AM
Hmmm, I guess I should've posted this to nginx-devel. Reposting...

On 17/10/13 15:05, Rob Stradling wrote:
> On 06/02/13 17:24, Primoz Bratanic wrote:
>> Hi,
>> Apache supports specifying multiple certificates (different types) for
>> same
>> host in line with OpenSSL support (RSA, DSA, ECC). This allows using
>> ECC key
>> exchange methods with clients that support it and it's backwards
>> compatible.
>> I wonder how much work would it be to add support for this to nginx.
>> Is it
>> just allowing specifying 2-3 certificates (and checking they have
>> different
>> key type) + adding support for returning proper key chain or are the any
>> other obvious roadblocks (that are not obvious to me).
> Here's a first stab at a patch. I hope this is a useful starting point
> for getting this feature added to Nginx. :-)
> To specify an RSA cert plus an ECC cert, use...
> ssl_certificate my_rsa.crt my_ecc.crt;
> ssl_certificate_key my_rsa.key my_ecc.key;
> ssl_prefer_server_ciphers on;
> Also, configure ssl_ciphers to prefer at least 1 ECDSA cipher and permit
> at least 1 RSA cipher.
> I think DSA certs should work too, but I've not tested this.
> Issues I'm aware of with this patch:
> - It doesn't check that each of the certs has a different key type
> (but perhaps it should). If you specify multiple certs with the same
> algorithm, all but the last one will be ignored.
> - The certs and keys need to be specified in the correct order. If
> you specify "my_rsa.crt my_ecc.crt" and "my_ecc.key my_rsa.key", Nginx
> will start but it won't be able to complete any SSL handshakes. This
> could be improved.
> - It doesn't add the new feature to mail_ssl_module. Perhaps it should.
> - The changes I made to ngx_conf_set_str_array_slot() work for me,
> but do they break anything?
> - An RSA cert and an ECC cert might well be issued by different CAs.
> On Apache httpd, you have to use SSLCACertificatePath to persuade
> OpenSSL to send different Intermediate certs for each one.
> Nginx doesn't currently have an equivalent directive, and Maxim has
> previously said it's unlikely to be added [1].
> I haven't researched this properly yet, but I think it might be possible
> to do "certificate path" in memory (i.e. without syscalls and disk
> access on each certificate check) using the OpenSSL X509_LOOKUP API.
> - I expect Maxim will have other comments. :-)
> [1] http://forum.nginx.org/read.php?2,229129,229151

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.

nginx mailing list
Subject Author Posted

RSA+DSA+ECC bundles

Primoz Bratanic February 06, 2013 12:26PM

Re: RSA+DSA+ECC bundles

christopherincanada March 08, 2013 05:16PM

Re: RSA+DSA+ECC bundles

mex March 09, 2013 04:05AM

[PATCH] Re: RSA+DSA+ECC bundles

Rob Stradling October 17, 2013 10:06AM

Re: [PATCH] Re: RSA+DSA+ECC bundles

Rob Stradling October 17, 2013 10:08AM

Re: [PATCH] Re: RSA+DSA+ECC bundles

Maxim Dounin October 17, 2013 11:20AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 65
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 254 on July 05, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready