Welcome! Log In Create A New Profile

Advanced

[PATCH] RSA+DSA+ECC bundles

Rob Stradling
October 17, 2013 10:10AM
On 06/02/13 17:24, Primoz Bratanic wrote:
> Hi,
>
> Apache supports specifying multiple certificates (different types) for same
> host in line with OpenSSL support (RSA, DSA, ECC). This allows using ECC key
> exchange methods with clients that support it and it's backwards compatible.
> I wonder how much work would it be to add support for this to nginx. Is it
> just allowing specifying 2-3 certificates (and checking they have different
> key type) + adding support for returning proper key chain or are the any
> other obvious roadblocks (that are not obvious to me).

Here's a first stab at a patch. I hope this is a useful starting point
for getting this feature added to Nginx.

To specify an RSA cert plus an ECC cert, use...
ssl_certificate my_rsa.crt my_ecc.crt;
ssl_certificate_key my_rsa.key my_ecc.key;
ssl_prefer_server_ciphers on;
Also, configure ssl_ciphers to prefer at least 1 ECDSA cipher and permit
at least 1 RSA cipher.

I think DSA certs should work too, but I've not tested this.


Issues I'm aware of with this patch:

- It doesn't check that each of the certs has a different key type
(but perhaps it should). If you specify multiple certs with the same
algorithm, all but the last one will be ignored.

- The certs and keys need to be specified in the correct order. If
you specify "my_rsa.crt my_ecc.crt" and "my_ecc.key my_rsa.key", Nginx
will start but it won't be able to complete any SSL handshakes. This
could be improved.

- It doesn't add the new feature to mail_ssl_module. Perhaps it should.

- The changes I made to ngx_conf_set_str_array_slot() work for me,
but do they break anything?

- An RSA cert and an ECC cert might well be issued by different CAs.
On Apache httpd, you have to use SSLCACertificatePath to persuade
OpenSSL to send different Intermediate certs for each one.
Nginx doesn't currently have an equivalent directive, and Maxim has
previously said it's unlikely to be added [1].
I haven't researched this properly yet, but I think it might be possible
to do "certificate path" in memory (i.e. without syscalls and disk
access on each certificate check) using the OpenSSL X509_LOOKUP API.

- I expect Maxim will have other comments. :-)


[1] http://forum.nginx.org/read.php?2,229129,229151

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] RSA+DSA+ECC bundles

Rob Stradling 1253 October 17, 2013 10:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 435 October 17, 2013 11:20AM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 429 October 17, 2013 06:02PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 395 October 18, 2013 07:08PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 482 October 19, 2013 06:16AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 465 October 21, 2013 05:42PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 423 October 22, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 364 October 22, 2013 09:32AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 431 October 22, 2013 08:26PM

Re: [PATCH] RSA+DSA+ECC bundles

W-Mark Kubacki 457 October 23, 2013 01:08PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 389 October 23, 2013 03:14PM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 427 October 23, 2013 05:50PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 419 October 23, 2013 08:28PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 397 October 31, 2013 05:00PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 653 October 31, 2013 06:00PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 413 November 01, 2013 06:48AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 388 November 01, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 475 November 01, 2013 10:26AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 402 October 23, 2013 02:28PM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 441 October 23, 2013 05:56PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 522 October 24, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 427 October 18, 2013 06:52PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 68
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready