Welcome! Log In Create A New Profile

Advanced

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling
October 23, 2013 03:14PM
On 23/10/13 18:07, W-Mark Kubacki wrote:
> Hi,
>
> As someone about to purchase two certificates please allow me to
> weight in an outside perspective:

Thanks!

> On 2013-10-22 12:09 UTC Maxim Dounin wrote:
>>
>> An unwanted side effect would be that this will allow client
>> certificate authentication to use certs from a server's
>> certificate chain. Probably not something we want to happen.
>
> On 2013-10-22 13:31 UTC Rob Stradling replied:
>>
>> Yes, that's a potentially unwanted side effect. But unfortunately,
>> AFAICT, putting the intermediates into the "trusted certificates
>> store" is the only way to implement this feature with OpenSSL
>> <1.0.2.
>
> Just drop the backwards-compatibility and require OpenSSL 1.0.2 or
> later for that feature, just like a particular version of OpenSSL is
> needed for TLS-SNI.

Apache httpd can do RSA+DSA+ECC with OpenSSL 1.0.0, and OCSP Stapling
works correctly (in recent OpenSSL versions anyway - see [1] ;-) ).

Why wouldn't Nginx want to offer the same compatibility?

CAs are already starting to sell ECC certs. OpenSSL 1.0.2 isn't even
released yet, so most sites will be stuck on <1.0.2 for quite some time.

Most sites don't use TLS client authentication, so they wouldn't be
affected by the "unwanted side effect" anyway.

> On 2013-10-23 00:25 UTC Maxim Dounin wrote:
>>
>> Given the number of problems, it might be easier to assume the
>> [certificate-]chains must be the same. […]
>
> • When you are about to get two certificates, most likely RSA+ECC, you
> go for a ECC-only and a RSA-only chain: The former because clients
> support ECC anyway, all the way up to the CA. If not, then the latter
> »classic« RSA-chain would be used.
> • Additionally, it enables you to purchase from more than one CA —
> which is good if a visitor with a recent browser doesn't want to trust
> a CA anymore.

I agree.

> I would disable OCSP for now in such cases and implement it later.

Why's that?


[1]
http://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=bb65e3f22bc743f2427b6ed4144d654ec7ddaeef

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] RSA+DSA+ECC bundles

Rob Stradling 1254 October 17, 2013 10:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 436 October 17, 2013 11:20AM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 429 October 17, 2013 06:02PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 396 October 18, 2013 07:08PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 482 October 19, 2013 06:16AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 466 October 21, 2013 05:42PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 423 October 22, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 364 October 22, 2013 09:32AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 431 October 22, 2013 08:26PM

Re: [PATCH] RSA+DSA+ECC bundles

W-Mark Kubacki 458 October 23, 2013 01:08PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 389 October 23, 2013 03:14PM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 428 October 23, 2013 05:50PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 419 October 23, 2013 08:28PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 397 October 31, 2013 05:00PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 653 October 31, 2013 06:00PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 414 November 01, 2013 06:48AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 389 November 01, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 475 November 01, 2013 10:26AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 402 October 23, 2013 02:28PM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 441 October 23, 2013 05:56PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 522 October 24, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 428 October 18, 2013 06:52PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 59
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready