Rob Stradling
November 01, 2013 08:10AM
On 01/11/13 10:46, Maxim Dounin wrote:
<snip>
>> I'm afraid it's a much larger patch than I anticipated it would be
>> when I started working on it!
>>
>> Maxim, does this patch look commit-able?

Maxim, thanks for your initial comments.

> It looks like it needs to be broken down into a patch series to
> be at least reviewable.

I thought you might say that. Is it acceptable for there to be
compilation errors if you only apply some of the patches in a patch
series? (I was assuming that would be unacceptable, hence the one large
patch).

> I haven't looked into details yet, but I tend to dislike at least
> changing the ngx_ssl_certificate() function into a monster which
> configures everything. Preserving a separate call to configure
> stapling would be much better.

I had hoped to keep those calls separate, but I couldn't see a clean way
to keep track of multiple server certs plus associated issuer certs
in between the calls to ngx_ssl_certificate() and ngx_ssl_stapling().
By combining the certificate configuration and stapling configuration
functions, I made this problem go away.

To preserve ngx_ssl_certificate() and ngx_ssl_stapling() as separate
functions, I think I'd have to:
- change ngx_ssl_certificate_index to keep an array (either
ngx_array_t or STACK_OF) of server certs.
- have ngx_ssl_certificate() put all of the intermediate CA
certificates it encounters into a temporary cert store; have
ngx_ssl_stapling() look in this temporary cert store for issuer
certificates; then destroy the temporary cert store.

Would that be preferable? Or do you have any better ideas?

> Checks for extra certificate chains with unsupported OpenSSL
> versions look a bit too extensive. I would think of just
> dropping them completely.

OK (assuming you mean drop the checks, rather than drop support for
those OpenSSL versions!).

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
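Added example, not code from the patch or from nginx: a shell script that does with the openssl CLI what the message above says ngx_ssl_stapling() would have to do with a temporary cert store once one bundle can carry several server certificates. It builds a throw-away test PKI (one root, an RSA and an ECC intermediate, one leaf under each; DSA is left out because the issuer lookup is the same for any key type), concatenates both leaves and both intermediates into one bundle, splits the bundle back into individual certificates, puts the CA certificates into an issuer pool, and for each server certificate finds the pool member that actually signed it. All file names, subjects and helper names (make_demo_pki, split_pem, is_ca, find_issuer, pair_bundle) are constructed for this example.

```shell
#!/bin/sh
# Added example, not nginx code: for every server cert in a multi-cert bundle,
# find its issuer among the bundled intermediates (the lookup OCSP stapling needs),
# using a throw-away test PKI built with the openssl CLI.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

# gen_key ALG OUT: RSA-2048 or EC P-256 private key.
gen_key() {
    if [ "$1" = rsa ]; then openssl genrsa -out "$2" 2048 2>/dev/null
    else openssl ecparam -genkey -name prime256v1 -noout -out "$2"; fi
}

# issue KEY SUBJECT CACERT CAKEY EXTFILE OUT: CSR from KEY, signed by the CA.
issue() {
    openssl req -new -key "$1" -subj "$2" -out "$6.csr" 2>/dev/null
    openssl x509 -req -in "$6.csr" -CA "$3" -CAkey "$4" -CAcreateserial \
        -days 30 -extfile "$5" -out "$6" 2>/dev/null
}

# make_demo_pki DIR: constructed test PKI -- one root, an RSA and an ECC
# intermediate, one leaf under each, and bundle.pem = both leaves then both
# intermediates (the layout a combined RSA+ECC bundle would have).
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$d/leaf.ext"
    gen_key rsa "$d/root.key"
    openssl req -new -key "$d/root.key" -subj '/CN=Demo Root' -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    for alg in rsa ecc; do
        gen_key "$alg" "$d/int-$alg.key"
        issue "$d/int-$alg.key" "/CN=Demo $alg intermediate" \
            "$d/root.pem" "$d/root.key" "$d/ca.ext" "$d/int-$alg.pem"
        gen_key "$alg" "$d/leaf-$alg.key"
        issue "$d/leaf-$alg.key" "/CN=example.test/OU=$alg" \
            "$d/int-$alg.pem" "$d/int-$alg.key" "$d/leaf.ext" "$d/leaf-$alg.pem"
    done
    cat "$d/leaf-rsa.pem" "$d/leaf-ecc.pem" "$d/int-rsa.pem" "$d/int-ecc.pem" > "$d/bundle.pem"
}

# split_pem BUNDLE PREFIX: one file PREFIX.N per certificate; prints the count.
split_pem() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { f = p "." (n + 0); n++ }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }' "$1"
}

# is_ca CERT: true when basicConstraints says CA:TRUE (i.e. an intermediate).
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# find_issuer LEAF CAND...: print the first candidate that directly signed LEAF.
# -partial_chain lets a non-self-signed CA act as trust anchor, so this tests
# "did CAND sign LEAF" rather than "is there a full chain to some root".
find_issuer() {
    leaf=$1; shift
    for cand in "$@"; do
        if openssl verify -partial_chain -CAfile "$cand" "$leaf" >/dev/null 2>&1; then
            printf '%s\n' "$cand"; return 0
        fi
    done
    return 1
}

# pair_bundle BUNDLE DIR: split the bundle, put CA certs into the issuer pool,
# treat the rest as server certs, print "leaf -> issuer" for each; returns 1
# if any server cert has no issuer in the pool, which is exactly the case in
# which stapling could not be configured for that certificate.
pair_bundle() {
    n=$(split_pem "$1" "$2/part"); pool=""; leaves=""; i=0
    while [ "$i" -lt "$n" ]; do
        if is_ca "$2/part.$i"; then pool="$pool $2/part.$i"; else leaves="$leaves $2/part.$i"; fi
        i=$((i + 1))
    done
    rc=0
    for leaf in $leaves; do
        if iss=$(find_issuer "$leaf" $pool); then printf '%s -> %s\n' "$leaf" "$iss"
        else printf '%s -> no issuer in bundle\n' "$leaf"; rc=1; fi
    done
    return $rc
}

WORK=$(mktemp -d)
make_demo_pki "$WORK"
pair_bundle "$WORK/bundle.pem" "$WORK"
```

The classification step (CA:TRUE means "issuer pool", anything else means "server certificate") is the shell stand-in for the temporary cert store described in the message: intermediates go into the pool regardless of which leaf they arrived with, and the pairing is done afterwards by signature, not by file order, so a bundle with the intermediates in any order still resolves. A leaf whose issuer is missing is reported rather than silently skipped, since that is the case where stapling would be configured without a usable issuer.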
Thread index: [PATCH] RSA+DSA+ECC bundles (original post, then replies in the archive's order)

Rob Stradling, October 17, 2013 10:10AM
Maxim Dounin, October 17, 2013 11:20AM
Piotr Sikora, October 17, 2013 06:02PM
Rob Stradling, October 18, 2013 07:08PM
Maxim Dounin, October 19, 2013 06:16AM
Rob Stradling, October 21, 2013 05:42PM
Maxim Dounin, October 22, 2013 08:10AM
Rob Stradling, October 22, 2013 09:32AM
Maxim Dounin, October 22, 2013 08:26PM
W-Mark Kubacki, October 23, 2013 01:08PM
Rob Stradling, October 23, 2013 03:14PM
Piotr Sikora, October 23, 2013 05:50PM
Maxim Dounin, October 23, 2013 08:28PM
Rob Stradling, October 31, 2013 05:00PM
Rob Stradling, October 31, 2013 06:00PM
Maxim Dounin, November 01, 2013 06:48AM
Rob Stradling, November 01, 2013 08:10AM (this post)
Maxim Dounin, November 01, 2013 10:26AM
Rob Stradling, October 23, 2013 02:28PM
Piotr Sikora, October 23, 2013 05:56PM
Rob Stradling, October 24, 2013 08:10AM
Rob Stradling, October 18, 2013 06:52PM
