Welcome! Log In Create A New Profile

Advanced

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora
October 17, 2013 06:02PM
Hey,

> I would rather see ssl_certificates to be used this way, something
> like:
>
> ssl_certificate rsa.crt;
> ssl_certificate_key rsa.key;
>
> ssl_certificate ecc.crt;
> ssl_certificate_key ecc.key;

Yeah, I'm in favor of that syntax as well.

> AFAIR, OpenSSL only able to store one certificate chain per
> SSL_CTX, which is the root cause of the problem.

That's solved in OpenSSL-1.0.2 (unreleased).

For now, the one thing we could do is to let OpenSSL build certificate
chains from the trusted certificates store... In order to do that, all
we need to do is to load only the first certificate in the file (i.e.
don't load intermediate certificates) in case there are multiple
certificates defined. This way, OpenSSL will try to build the
certificate chain automatically (unfortunately, it will do that on the
fly for each connection, so it's a noticeable overhead).

Optimized version of that could compare intermediates from all the
files and only do that in case they differ.

Best regards,
Piotr Sikora

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] RSA+DSA+ECC bundles

Rob Stradling 1254 October 17, 2013 10:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 436 October 17, 2013 11:20AM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 429 October 17, 2013 06:02PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 396 October 18, 2013 07:08PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 482 October 19, 2013 06:16AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 466 October 21, 2013 05:42PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 423 October 22, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 364 October 22, 2013 09:32AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 431 October 22, 2013 08:26PM

Re: [PATCH] RSA+DSA+ECC bundles

W-Mark Kubacki 458 October 23, 2013 01:08PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 390 October 23, 2013 03:14PM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 428 October 23, 2013 05:50PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 419 October 23, 2013 08:28PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 397 October 31, 2013 05:00PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 655 October 31, 2013 06:00PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 414 November 01, 2013 06:48AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 389 November 01, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 475 November 01, 2013 10:26AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 403 October 23, 2013 02:28PM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 441 October 23, 2013 05:56PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 522 October 24, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 428 October 18, 2013 06:52PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 47
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready