Hi Maxim,

I, naively maybe, thought the following would work. At an incoming request, nginx checks whether the session is new or resumed.

* new: it retrieves the chain, calls X509_chain_up_ref and stores a mapping from session ID to the chain pointer
* resumed: it retrieves the session ID, looks up the pointer from the mapping and retrieves the chain from the pointer

At session timeout ng
by everhardt - Nginx Mailing List - English
Thanks for your reply, Maxim! I'll work out an alternative then. Re. session resumption, I read in the OpenSSL docs (https://www.openssl.org/docs/man1.1.0/man3/SSL_get0_verified_chain.html) that OpenSSL is willing to store the chain longer than a single request, but only if the implementing application (nginx) is managing freeing it at the proper time (e.g. when the session times out):
> If
by everhardt - Nginx Mailing List - English
I have the following certificate chain: Root certificate > Intermediate certificate > End user certificate. I've set up nginx as an SSL termination proxy for a backend service that differentiates its actions based on the serial of the intermediate certificate and the subject of the end user certificate. Only the root certificate is available at the (nginx) server, the client will present
by everhardt - Nginx Mailing List - English
I’m using it for termination.
by everhardt - Nginx Mailing List - English
I have been using it for more than a year now for more than 500 IoT devices with a cellular connection that connect on average about 4 times per day. My experience has been very positive: easy to set up and no issues at all (both for the 1.13.0 and the 1.13.9 patch). As NGINX is at 1.17 already, I'd like to update as well. Are there any plans to either release a new patch, or preferably, integr
by everhardt - Nginx Mailing List - English