RSA+DSA+ECC bundles

Hi,

Apache supports specifying multiple certificates (different types) for same
host in line with OpenSSL support (RSA, DSA, ECC). This allows using ECC key
exchange methods with clients that support it and it’s backwards compatible.
I wonder how much work would it be to add support for this to nginx. Is it
just allowing specifying 2-3 certificates (and checking they have different
key type) + adding support for returning proper key chain or are there any
other obvious roadblocks (that are not obvious to me).

Thanks,

Primoz


I too am interested in this capability… any comments on this topic are
appreciated.

Chris

Posted at Nginx Forum:

are you talking about SNI?

nginx can handle this
http://nginx.org/en/docs/http/configuring_https_servers.html#sni

Posted at Nginx Forum:

On 06/02/13 17:24, Primoz Bratanic wrote:

Hi,

Apache supports specifying multiple certificates (different types) for same
host in line with OpenSSL support (RSA, DSA, ECC). This allows using ECC key
exchange methods with clients that support it and it’s backwards compatible.
I wonder how much work would it be to add support for this to nginx. Is it
just allowing specifying 2-3 certificates (and checking they have different
key type) + adding support for returning proper key chain or are there any
other obvious roadblocks (that are not obvious to me).

Here’s a first stab at a patch. I hope this is a useful starting point
for getting this feature added to Nginx. :)

To specify an RSA cert plus an ECC cert, use…
ssl_certificate my_rsa.crt my_ecc.crt;
ssl_certificate_key my_rsa.key my_ecc.key;
ssl_prefer_server_ciphers on;
Also, configure ssl_ciphers to prefer at least 1 ECDSA cipher and permit
at least 1 RSA cipher.

I think DSA certs should work too, but I’ve not tested this.

Issues I’m aware of with this patch:

  • It doesn’t check that each of the certs has a different key type
    (but perhaps it should). If you specify multiple certs with the same
    algorithm, all but the last one will be ignored.

  • The certs and keys need to be specified in the correct order. If
    you specify “my_rsa.crt my_ecc.crt” and “my_ecc.key my_rsa.key”, Nginx
    will start but it won’t be able to complete any SSL handshakes. This
    could be improved.

  • It doesn’t add the new feature to mail_ssl_module. Perhaps it
    should.

  • The changes I made to ngx_conf_set_str_array_slot() work for me,
    but do they break anything?

  • An RSA cert and an ECC cert might well be issued by different CAs.
    On Apache httpd, you have to use SSLCACertificatePath to persuade
    OpenSSL to send different Intermediate certs for each one.
    Nginx doesn’t currently have an equivalent directive, and Maxim has
    previously said it’s unlikely to be added [1].
    I haven’t researched this properly yet, but I think it might be possible
    to do “certificate path” in memory (i.e. without syscalls and disk
    access on each certificate check) using the OpenSSL X509_LOOKUP API.

  • I expect Maxim will have other comments. :)

[1] Re: Does Nginx allow to specify multiple root certificates for client certificate verification?
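
The ordering and key-type issues listed in the post above can be caught before a reload. This is an added example, not part of Rob's patch or of nginx: a POSIX shell pre-flight check that takes the two lists in the order they appear in ssl_certificate and ssl_certificate_key. The function names are hypothetical, the openssl CLI is assumed to be installed, and make_samples builds constructed throwaway RSA and ECC pairs to try it on.

```shell
#!/bin/sh
# Added example (not from the patch): pre-flight check for positional cert/key lists.
# Usage: check_bundle "my_rsa.crt my_ecc.crt" "my_rsa.key my_ecc.key"

# SubjectPublicKeyInfo of a certificate and of a private key, as PEM.
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Public-key algorithm of a certificate, e.g. rsaEncryption or id-ecPublicKey.
cert_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Returns 0 only if the Nth key belongs to the Nth cert and no key type repeats.
# File names without whitespace are assumed.
check_bundle() {
    certs=$1; seen=" "; rc=0; pos=0
    set -- $2                       # keys become $1, $2, ...
    for cert in $certs; do
        pos=$((pos + 1))
        if [ $# -eq 0 ]; then echo "position $pos: no key for $cert" >&2; return 1; fi
        key=$1; shift
        cpub=$(cert_pub "$cert")
        if [ -z "$cpub" ] || [ "$cpub" != "$(key_pub "$key")" ]; then
            echo "position $pos: $key is not the private key for $cert" >&2; rc=1
        fi
        alg=$(cert_alg "$cert")
        case "$seen" in
            *" $alg "*) echo "position $pos: second $alg certificate ($cert)" >&2; rc=1 ;;
        esac
        seen="$seen$alg "
    done
    [ $# -eq 0 ] || { echo "$# key(s) without a certificate" >&2; rc=1; }
    return "$rc"
}

# Constructed sample input: throwaway self-signed RSA and ECC pairs in directory $1.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/my_rsa.key" \
        -out "$1/my_rsa.crt" -subj "/CN=example.test" -days 1 2>/dev/null &&
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/my_ecc.key" &&
    openssl req -x509 -new -key "$1/my_ecc.key" -out "$1/my_ecc.crt" \
        -subj "/CN=example.test" -days 1 2>/dev/null
}
```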

Hello!

On Thu, Oct 17, 2013 at 03:07:00PM +0100, Rob Stradling wrote:

Hmmm, I guess I should’ve posted this to nginx-devel. Reposting…

Answered there.


Maxim D.
http://nginx.org/en/donation.html

Hmmm, I guess I should’ve posted this to nginx-devel. Reposting…

On 17/10/13 15:05, Rob Stradling wrote:



Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ


Updating patch for the last nginx isn’t a problem - we need to hear from
Maxim what was the problem with old patch (it wasn’t applied that time -
why should a new one be applied?) to fix it.

On Mon, Oct 6, 2014 at 10:25 PM, [email protected] [email protected]

calling all patch XPerts !
is anybody out there able to update patch support for the latest nginx ?

Hello!

On Tue, Oct 07, 2014 at 11:31:56AM +0400, kyprizel wrote:

Updating patch for the last nginx isn’t a problem - we need to hear from
Maxim what was the problem with old patch (it wasn’t applied that time -
why should a new one be applied?) to fix it.

http://mailman.nginx.org/pipermail/nginx-devel/2013-November/004475.html


Maxim D.
http://nginx.org/

Maxim D. wrote:

Hello!

On Tue, Oct 07, 2014 at 11:31:56AM +0400, kyprizel wrote:

Updating patch for the last nginx isn’t a problem - we need to hear from
Maxim what was the problem with old patch (it wasn’t applied that time -
why should a new one be applied?) to fix it.

[PATCH] RSA+DSA+ECC bundles

ok, so what is the plan for progression & inclusion ?
do you believe there is enough interest and is the idea supported ?
you think Rob’s patch isn’t feasible ?
is there anybody who can take over and have they ?

It would be great if the official nginx had support for multiple
certificates.

Some bigger sites are already deploying ECDSA certificates. To be able to
support older clients while using ECDSA we need multi certificate support.

Posted at Nginx Forum:

Hi,
I refactored Rob’s code so it can be merged with latest nginx.
Multi certificate support works only for OpenSSL >= 1.0.2.
Only certificates with different crypto algorithms (ECC/RSA/DSA) can be
used b/c of OpenSSL limitations, otherwise (RSA+SHA-256 / RSA-SHA-1 for
example) only last specified in the config will be used.
Can you please review it?

Thank you.