I think we can add a new section called 'ssl'

Hello,
When nginx-1.11.0 was released, the ‘ssl_certificate’ and ‘ssl_certificate_key’ options could be used several times to load different kinds of certificates. But if you use the module ‘nginx-ct’ to enable a ‘Certificate Transparency’ policy (the module allows you to submit your certificate to ‘Certificate Transparency Logs’ servers and get the ‘SCT’, which can then be sent to the browser to enable ‘Certificate Transparency’; it adds two options: ‘ssl_ct on/off;’ and ‘ssl_ct_static_scts /path/to/sct/directory;’), then if you use ECDSA and RSA dual certificates, you can only put the SCTs of both in one directory. In Chrome 50 you will see ‘1 valid SCT, 1 invalid SCT’, and in some lower versions of Chrome, if you click the ‘Lock’ on the left of the address bar, it displays a red ‘Lock’ with a ‘×’ in the pop-up menu, although the text beside it is ‘The server provides a valid certificate, and provides valid Certificate Transparency information’. It also says: ‘Your connection is not a private connection.’

So, why don’t we add a section called ‘ssl’? It would allow us to have different settings according to the type of certificate. Like the following:

ssl {
    ssl_certificate …;
    ssl_certificate_key …;
    ssl_ct on;
    ssl_ct_static_scts /path/to/ecc/sct;
}
ssl {
    ssl_certificate …;
    ssl_certificate_key …;
    ssl_ct on;
    ssl_ct_static_scts /path/to/rsa/sct;
}
What do you think of my advice?
Thank you.
P.S.: My mother tongue is not English, so if there are some grammar errors in my e-mail, please forgive me, thanks.
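As an added illustration (not code from this thread and not part of nginx-ct), the Python below reads a directory of static .sct files, decodes each one using the SignedCertificateTimestamp layout from RFC 6962, and bundles them into the SignedCertificateTimestampList payload that a server sends in the TLS extension. It assumes that nginx-ct's static files each hold one raw RFC 6962 SCT; the two sample SCTs, the log IDs, timestamps and signatures are constructed for the demonstration and do not verify against any real log. A v1 SCT carries no reference to the certificate it was issued for: the only way to tell an RSA-certificate SCT from an ECDSA one is to verify its signature with the log's public key over that certificate, which this example deliberately does not attempt, so a bundler working from one shared directory has no way to hand out only the matching SCTs.

```python
"""Inspect and bundle static SCT files as a server would send them.

Added example, not from the thread or from nginx-ct. Assumes one raw
RFC 6962 SignedCertificateTimestamp per *.sct file. Sample SCTs below
are constructed: made-up log IDs and signature bytes.
"""
import struct
import time
from pathlib import Path
from typing import Dict, List

HASH_NAMES = {4: "sha256"}
SIG_NAMES = {1: "rsa", 3: "ecdsa"}


def parse_sct(data: bytes) -> Dict[str, object]:
    """Decode one serialized v1 SCT (RFC 6962, section 3.2):
    version(1) | log_id(32) | timestamp_ms(8) | extensions<0..2^16-1>
    | DigitallySigned { hash(1) sig(1) signature<0..2^16-1> }."""
    if len(data) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    version = data[0]
    if version != 0:
        raise ValueError("unsupported SCT version %d" % version)
    log_id = data[1:33]
    (timestamp_ms,) = struct.unpack(">Q", data[33:41])
    (ext_len,) = struct.unpack(">H", data[41:43])
    pos = 43
    extensions = data[pos:pos + ext_len]
    pos += ext_len
    if len(data) < pos + 4:
        raise ValueError("SCT truncated before signature")
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", data[pos:pos + 4])
    pos += 4
    signature = data[pos:pos + sig_len]
    if len(signature) != sig_len or pos + sig_len != len(data):
        raise ValueError("SCT signature length mismatch")
    return {
        "log_id": log_id.hex(),
        "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ",
                                   time.gmtime(timestamp_ms // 1000)),
        "extensions": extensions,
        "hash_alg": HASH_NAMES.get(hash_alg, str(hash_alg)),
        "sig_alg": SIG_NAMES.get(sig_alg, str(sig_alg)),
        "signature_len": sig_len,
    }


def build_sct_list(scts: List[bytes]) -> bytes:
    """Encode SignedCertificateTimestampList (RFC 6962, section 3.3):
    a 2-byte total length, then each SCT prefixed by its own 2-byte length."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    if not 1 <= len(body) <= 0xFFFF:
        raise ValueError("SCT list length out of range")
    return struct.pack(">H", len(body)) + body


def bundle_directory(path: Path) -> bytes:
    """Read every *.sct in one directory and build the extension payload.
    Nothing here can tell which certificate an SCT belongs to, so with
    both certificates' SCTs in one directory all of them get sent."""
    scts = [p.read_bytes() for p in sorted(path.glob("*.sct"))]
    for s in scts:
        parse_sct(s)  # reject anything that is not a well-formed SCT
    return build_sct_list(scts)


def make_fake_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Constructed SCT for demonstration: v1, no extensions, sha256/ecdsa."""
    return (bytes([0]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0)
            + struct.pack(">BBH", 4, 3, len(signature)) + signature)


# Constructed sample: one "SCT" per certificate, as they would sit side by side.
SAMPLE_SCTS = {
    "rsa.sct": make_fake_sct(b"\x11" * 32, 1465171200000, b"\xaa" * 70),
    "ecdsa.sct": make_fake_sct(b"\x22" * 32, 1465171260000, b"\xbb" * 71),
}


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        for name, blob in SAMPLE_SCTS.items():
            Path(d, name).write_bytes(blob)
        for p in sorted(Path(d).glob("*.sct")):
            print(p.name, parse_sct(p.read_bytes()))
        print("extension payload:", len(bundle_directory(Path(d))), "bytes")
```

Running it against a real nginx-ct directory lists the log ID and timestamp of every file, which is usually enough to spot an SCT that was obtained for the other certificate when the two were submitted to different logs or at different times.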

Hello!

On Mon, Jun 06, 2016 at 09:08:08AM +0800, 四弦 wrote:

> ssl {
>     ssl_certificate …;
>     ssl_certificate_key …;
>     ssl_ct on;
>     ssl_ct_static_scts /path/to/rsa/sct;
> }
> What do you think of my advice?

Rather, I would think about somehow selecting different server{}
blocks based on SSL options (e.g., ciphers supported by a client).


Maxim D.
http://nginx.org/

Hello,
That’s a good idea. BoringSSL supports equal-preference cipher suite groups, like the following:
[ECDHE_ECDSA_CHACHA20_POLY1305_SHA384|ECDHE_ECDSA_AES_128_GCM_SHA384]:…
Cipher suites enclosed in [] are equivalent; during the TLS handshake, this feature can choose the best cipher suite according to the client’s platform.
But it is hard to compile nginx with BoringSSL, and it doesn’t support OCSP Stapling, which is too bad.
I think your idea will be interesting if it can come true.

2016-06-06 18:29 GMT+08:00 Maxim D. [email protected]:
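As an added example (not from the thread and not nginx's or BoringSSL's own documentation), this is how the equal-preference groups mentioned above would be written in an nginx server block. It assumes nginx built against BoringSSL, since OpenSSL does not accept the bracketed group syntax, and that ssl_prefer_server_ciphers is on, because the groups only matter when the server's order is what decides; the certificate paths are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name example.com;

    # Dual certificates, loaded as nginx 1.11.0 allows (placeholder paths).
    ssl_certificate     /path/to/ecdsa.crt;
    ssl_certificate_key /path/to/ecdsa.key;
    ssl_certificate     /path/to/rsa.crt;
    ssl_certificate_key /path/to/rsa.key;

    # Server order decides between groups; inside [...] the client's
    # order decides, so a client without AES hardware can get ChaCha20.
    ssl_prefer_server_ciphers on;
    ssl_ciphers '[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
}
```

The ECDSA group is listed before the RSA group, so a client that offers ECDSA suites negotiates the ECDSA certificate and an older client falls through to the RSA one; which certificate ends up selected is still decided by the cipher suite, which is the limitation the thread is about.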