Re: Multiple certificate support revisited

Brandon Black
May 14, 2016 11:24AM
On Tue, Aug 18, 2015 at 2:31 PM, Brandon Black <bblack@wikimedia.org> wrote:
> Hi all,
>
> The Wikimedia Foundation has been running nginx-1.9.3 patched for
> multi-certificate support for all production TLS traffic for a few
> weeks now without incident, for all inbound requests to Wikipedia and
> other associated projects of the Foundation.

[... http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007225.html
for full text]

Bump!

We're still running these patches for all Wikimedia sites (including
Wikipedia) to serve dual ECDSA+RSA certificates. There was some
feedback from some of the original author(s) privately back at the
time of my last post on this in Aug 2015, but no real progress on
making newer/better patches and no upstream feedback from nginx.org
AFAIK so far.

We had stalled out on nginx version updates at Wikimedia for a while.
We stalled at 1.9.4 for months due to the SPDY-v-HTTP2 switch and
real-world client support stats, etc. Eventually the stats on the
switch got better as we approached the May 15 Chrome SPDY cutoff (
https://phabricator.wikimedia.org/T96848#2251633 ). On May 4th, we
made the switch to nginx-1.10.0 with HTTP/2 support in place of SPDY,
and thus we've now also published updated dual-cert patches.

So for anyone who's still pulling in these patches manually, the
correct diffs against 1.10.0 are now available as the 100x series at:
https://github.com/wikimedia/operations-software-nginx/tree/wmf-1.10.0-1/debian/patches

These patches have been working fine for us functionally on a very
large traffic site with a very broad mix of client UAs, with external
OCSP Stapling files, for several months. I'd still like to get a
conversation going on how we can get this support merged into upstream
nginx, perhaps during 1.11.x? What is this patch series missing in
terms of feature support, code quality, etc, to get into a mergeable
state?

Thanks,
-- Brandon Black
Sr Operations Engineer
Wikimedia Foundation

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel