Re: I think we can add a new section called 'ssl'

四弦
June 06, 2016 09:22AM
Hello,
That's a good idea. BoringSSL supports equivalent encryption algorithm
groups, like the following:
[ECDHE_ECDSA_CHACHA20_POLY1305_SHA384|ECDHE_ECDSA_AES_128_GCM_SHA384]:...
Cipher suites which are included in [] are equivalent; when TLS
handshaking, the feature can choose the best cipher suite for the client's
platform.
But it is hard to compile nginx with BoringSSL, and it doesn't support OCSP
Stapling, which is too bad.
I think your idea will be interesting if it can come true.


2016-06-06 18:29 GMT+08:00 Maxim Dounin <mdounin@mdounin.ru>:

> Hello!
>
> On Mon, Jun 06, 2016 at 09:08:08AM +0800, 四弦 wrote:
>
> > Hello,
> > When nginx-1.11.0 was released, the 'ssl_certificate' and 'ssl_certificate_key'
> > options could be used several times to load different kinds of
> > certificates. But if you use the module 'nginx-ct' to enable a 'Certificate
> > Transparency' policy (the module allows you to submit your certificate to
> > 'Certificate Transparency Logs' servers and get the 'SCT', which can be used
> > to send to the browser to enable 'Certificate Transparency'. And it added two
> > options: 'ssl_ct on/off;' and 'ssl_ct_static_scts /path/to/sct/directory;'),
> > so if you use ECDSA and RSA dual certificates, you can only put the SCTs of
> > both in one directory. In Chrome 50, you will see '1 valid SCT, 1 invalid
> > SCT', and in some lower versions of Chrome, when you click the 'Lock' on the
> > left of the address bar, it will display a red 'Lock' with a '×' in the
> > pop-up menu, although the text beside it is 'The server provides a valid
> > certificate, and provides valid Certificate Transparency information'.
> > And it also says: 'Your connection is not a private connection.'
> >
> > So, why don't we add a section called 'ssl'? It would allow us to have some
> > different settings according to the type of certificate, like the following:
> > ssl {
> >     ssl_certificate ...;
> >     ssl_certificate_key ...;
> >     ssl_ct on;
> >     ssl_ct_static_scts /path/to/ecc/sct;
> > }
> > ssl {
> >     ssl_certificate ...;
> >     ssl_certificate_key ...;
> >     ssl_ct on;
> >     ssl_ct_static_scts /path/to/rsa/sct;
> > }
> > What do you think of my suggestion?
>
> Rather, I would think about somehow selecting different server{}
> blocks based on SSL options (e.g., ciphers supported by a client).
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
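The thread turns on SCTs being bound to one certificate, so a single directory of .sct files cannot serve both an RSA and an ECDSA chain correctly. The Python below is an added example, not code from nginx, nginx-ct or anyone in the thread. It decodes an RFC 6962 SCT in the TLS binary form an nginx-ct .sct file is assumed to hold (per that module's documentation), assembles the SignedCertificateTimestampList the server sends in the signed_certificate_timestamp extension, and reconstructs the bytes the log signed, which contain the certificate itself: that is why a browser reports the RSA certificate's SCT as invalid when it is sent alongside the ECDSA certificate. The two sample SCTs and the tiny "certificate" are constructed inline and are not real; checking the signature would additionally need the log's public key and an ECDSA library, which is left out here.

```python
"""Decode, assemble and inspect RFC 6962 SCTs as an nginx-ct deployment handles them.

Added example (not nginx or nginx-ct code). Assumes each .sct file holds one
SignedCertificateTimestamp in TLS binary encoding (RFC 6962 section 3.2).
"""
import struct

LOG_ID_LEN = 32              # SHA-256 of the log's DER-encoded public key
SCT_V1 = 0                   # Version.v1
SIG_TYPE_CERT_TIMESTAMP = 0  # SignatureType.certificate_timestamp (1 byte)
ENTRY_X509 = 0               # LogEntryType.x509_entry (2 bytes on the wire)


def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes,
               extensions: bytes = b"", hash_alg: int = 4, sig_alg: int = 3) -> bytes:
    """Serialise one SCT. hash_alg=4/sig_alg=3 is sha256/ecdsa from the TLS 1.2
    registry, which CT logs use. Used here only to construct sample data."""
    if len(log_id) != LOG_ID_LEN:
        raise ValueError("log_id must be 32 bytes")
    return (bytes([SCT_V1]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([hash_alg, sig_alg]) + struct.pack(">H", len(signature)) + signature)


def parse_sct(blob: bytes) -> dict:
    """Decode one binary SCT; raise ValueError on any length inconsistency."""
    header = 1 + LOG_ID_LEN + 8 + 2
    if len(blob) < header:
        raise ValueError("SCT too short")
    version = blob[0]
    if version != SCT_V1:
        raise ValueError(f"unsupported SCT version {version}")
    log_id = blob[1:1 + LOG_ID_LEN]
    (timestamp_ms,) = struct.unpack(">Q", blob[33:41])
    (ext_len,) = struct.unpack(">H", blob[41:43])
    ext_end = 43 + ext_len
    if len(blob) < ext_end + 4:
        raise ValueError("SCT truncated in extensions or signature header")
    extensions = blob[43:ext_end]
    hash_alg, sig_alg = blob[ext_end], blob[ext_end + 1]
    (sig_len,) = struct.unpack(">H", blob[ext_end + 2:ext_end + 4])
    signature = blob[ext_end + 4:ext_end + 4 + sig_len]
    if len(signature) != sig_len or ext_end + 4 + sig_len != len(blob):
        raise ValueError("SCT length mismatch (truncated or trailing bytes)")
    return {"version": version, "log_id": log_id, "timestamp_ms": timestamp_ms,
            "extensions": extensions, "hash_alg": hash_alg, "sig_alg": sig_alg,
            "signature": signature}


def build_sct_list(scts: list) -> bytes:
    """Build the SignedCertificateTimestampList carried in the TLS extension
    (RFC 6962 section 3.3.1): 16-bit total length, then 16-bit-prefixed items."""
    items = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    if not 1 <= len(items) <= 0xFFFF:
        raise ValueError("SCT list empty or too long for a 16-bit length")
    return struct.pack(">H", len(items)) + items


def signed_input(sct: dict, cert_der: bytes) -> bytes:
    """Bytes the log signed for an x509_entry SCT (section 3.2 digitally-signed
    struct). The certificate is part of this struct, so an SCT verifies only
    against the certificate it was issued for; an RSA certificate's SCT sent with
    the ECDSA certificate fails this check in the browser."""
    if not 1 <= len(cert_der) <= 0xFFFFFF:
        raise ValueError("certificate length out of range for a 24-bit prefix")
    return (bytes([sct["version"], SIG_TYPE_CERT_TIMESTAMP])
            + struct.pack(">Q", sct["timestamp_ms"])
            + struct.pack(">H", ENTRY_X509)
            + len(cert_der).to_bytes(3, "big") + cert_der
            + struct.pack(">H", len(sct["extensions"])) + sct["extensions"])


# Constructed sample data (not real SCTs): two .sct files as an operator might
# hold them, one obtained for the RSA chain and one for the ECDSA chain.
SAMPLE_RSA_SCT = encode_sct(bytes([0xAA]) * 32, 1465200000000,
                            b"\x30\x06\x02\x01\x01\x02\x01\x02")
SAMPLE_ECC_SCT = encode_sct(bytes([0xBB]) * 32, 1465200001000,
                            b"\x30\x06\x02\x01\x03\x02\x01\x04")


def demo() -> dict:
    """Parse both samples and assemble the list a server would send in one handshake."""
    parsed = [parse_sct(SAMPLE_RSA_SCT), parse_sct(SAMPLE_ECC_SCT)]
    fake_cert_der = b"\x30\x03\x02\x01\x00"  # constructed stand-in, not a certificate
    return {
        "log_ids": [p["log_id"].hex()[:8] for p in parsed],
        "list_len": len(build_sct_list([SAMPLE_RSA_SCT, SAMPLE_ECC_SCT])),
        "signed_len": len(signed_input(parsed[0], fake_cert_der)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the two log IDs, the length of the combined extension payload (what a client sees when both .sct files sit in one directory) and the length of the signed struct. To decide which .sct file belongs to which certificate without a browser, verify each SCT's signature over `signed_input(sct, cert_der)` with the corresponding log's public key for each certificate in turn; the one that verifies is the matching pair.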