Re: Multiple certificate support revisited

F. DA SILVA
May 14, 2016 06:22PM
Hi, Brandon.

Shortened (by myself) answer from the nginx guys, which I received at the beginning of May:
"...(this) is work in process already, ... hope it will be finished in May."

Regards,
FDS

>> On 14 May 2016 at 17:22, Brandon Black <bblack@wikimedia.org> wrote:
>>
>> On Tue, Aug 18, 2015 at 2:31 PM, Brandon Black <bblack@wikimedia.org> wrote:
>> Hi all,
>>
>> The Wikimedia Foundation has been running nginx-1.9.3 patched for
>> multi-certificate support for all production TLS traffic for a few
>> weeks now without incident, for all inbound requests to Wikipedia and
>> other associated projects of the Foundation.
>
> [... http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007225.html
> for full text]
>
> Bump!
>
> We're still running these patches for all Wikimedia sites (including
> Wikipedia) to serve dual ECDSA+RSA certificates. There was some
> feedback from some of the original author(s) privately back at the
> time of my last post on this in Aug 2015, but no real progress on
> making newer/better patches and no upstream feedback from nginx.org
> AFAIK so far.
>
> We had stalled out on nginx version updates at Wikimedia for a while.
> We stalled at 1.9.4 for months due to the SPDY-v-HTTP2 switch and
> real-world client support stats, etc. Eventually the stats on the
> switch got better as we approached the May 15 Chrome SPDY cutoff (
> https://phabricator.wikimedia.org/T96848#2251633 ). On May 4th, we
> made the switch to nginx-1.10.0 with HTTP/2 support in place of SPDY,
> and thus we've now also published updated dual-cert patches.
>
> So for anyone who's still pulling in these patches manually, the
> correct diffs against 1.10.0 are now available as the 100x series at:
> https://github.com/wikimedia/operations-software-nginx/tree/wmf-1.10.0-1/debian/patches
> .
>
> These patches have been working fine for us functionally on a very
> large traffic site with a very broad mix of client UAs, with external
> OCSP Stapling files, for several months. I'd still like to get a
> conversation going on how we can get this support merged into upstream
> nginx, perhaps during 1.11.x? What is this patch series missing in
> terms of feature support, code quality, etc, to get into a mergeable
> state?
>
> Thanks,
> -- Brandon Black
> Sr Operations Engineer
> Wikimedia Foundation
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
