Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin
November 01, 2013 10:26AM
Hello!

On Fri, Nov 01, 2013 at 12:09:08PM +0000, Rob Stradling wrote:

> On 01/11/13 10:46, Maxim Dounin wrote:
> <snip>
> >>I'm afraid it's a much larger patch than I anticipated it would be
> >>when I started working on it!
> >>
> >>Maxim, does this patch look commit-able?
>
> Maxim, thanks for your initial comments.
>
> >It looks like it needs to be broken down into a patch series to
> >be at least reviewable.
>
> I thought you might say that. Is it acceptable for there to be
> compilation errors if you only apply some of the patches in a patch
> series? (I was assuming that would be unacceptable, hence the one
> large patch).

Each patch is expected to make sense on its own, and shouldn't
break anything previously working, including compilation (but may
do e.g. otherwise unneeded and/or strange refactoring, or provide
some incomplete functionality).

> >I haven't looked into details yet, but I tend to dislike at least
> >changing the ngx_ssl_certificate() function into a monster which
> >configures everything. Preserving a separate call to configure
> >stapling would be much better.
>
> I had hoped to keep those calls separate, but I couldn't see a clean
> way to keep track of multiple server certs plus associated issuer
> certs in between the calls to ngx_ssl_certificate() and
> ngx_ssl_stapling(). By combining the certificate configuration and
> stapling configuration functions, I made this problem go away.
>
> To preserve ngx_ssl_certificate() and ngx_ssl_stapling() as separate
> functions, I think I'd have to:
> - change ngx_ssl_certificate_index to keep an array (either
> ngx_array_t or STACK_OF) of server certs.
> - have ngx_ssl_certificate() put all of the intermediate CA
> certificates it encounters into a temporary cert store; have
> ngx_ssl_stapling() look in this temporary cert store for issuer
> certificates; then destroy the temporary cert store.
>
> Would that be preferable? Or do you have any better ideas?

Given the number of things we have to store here and there, I tend
to think we should eventually just add an index with some generic
pointer to a struct with our data.

To minimize changes in this particular case, using an array is
probably good enough.

> >Checks for extra certificate chains with unsupported OpenSSL
> >versions look a bit too extensive. I would think of just
> >dropping them completely.
>
> OK, (assuming you mean drop the checks, rather than drop support for
> those OpenSSL versions!)

Yes, I mean to drop checks.

--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel