Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin
November 01, 2013 06:48AM
Hello!

On Thu, Oct 31, 2013 at 08:58:31PM +0000, Rob Stradling wrote:

> On 24/10/13 01:26, Maxim Dounin wrote:
> <snip>
> >As for multiple certs per se, I don't think it should be limited
> >to recent OpenSSL versions only. As far as I can tell, current
> >versions of OpenSSL will work just fine (well, mostly) as long as
> >both ECDSA and RSA certs use the same certificate chain. I
> >believe at least some CAs issue ECDSA certs this way, and this
> >should work.
> >
> >Limiting support for multiple certs with separate certificate
> >chains to only recent OpenSSL versions seems reasonable for me,
> >but if Rob wants to try to make it work with older versions - I
> >don't really object. If it won't be too hacky it might be worth
> >supporting.
>
> Updated patch attached. This implements multiple certs and makes
> OCSP Stapling work correctly with them. It works with all of the
> active OpenSSL branches (including 0_9_8).
>
> I'm afraid it's a much larger patch than I anticipated it would be
> when I started working on it!
>
> Maxim, does this patch look commit-able?

It looks like it needs to be broken down into a patch series to
be at least reviewable.

I haven't looked into details yet, but I tend to dislike at least
changing the ngx_ssl_certificate() function into a monster which
configures everything. Preserving a separate call to configure
stapling would be much better.

Checks for extra certificate chains with unsupported OpenSSL
versions look a bit too extensive. I would think of just
dropping them completely.

--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel