Hi Nenad,

On Tue, Jul 07, 2015 at 10:00:17PM +0200, Nenad Merdanovic wrote:
> Clients that support ECC cipher suites SHOULD send the specified extension
> within the SSL ClientHello message according to RFC4492, section 5.1. We
> can use this extension to chain-proxy requests so that, on the same IP
> address, an ECC compatible client gets an EC certificate and a non-ECC
> compatible client gets a regular RSA certificate. The main advantage of this
> approach compared to the one presented by Dave Zhu on the mailing list
> is that we can make it work with OpenSSL versions before 1.0.2.

That looks pretty good and I like the principle, which reminds me a bit of what
we started to do some time ago to process the SNI for example. I have one
minor comment though:

> +req.ssl_ec_ext : boolean
> +req_ssl_ec_ext : boolean (deprecated)

The deprecated req_ssl_* keywords were for compatibility with historic versions
and should not be introduced right now, so I'd rather not add it now to remove
it in the next version. If you're OK with me removing it by hand I can fix it
myself, but if you prefer to resubmit that's fine as well. Just let me know!

Thanks,
Willy
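
Review bot: The second added line, `+req_ssl_ec_ext : boolean (deprecated)`, documents an underscore alias as deprecated in the same change that introduces it. Drop that line and keep only `req.ssl_ec_ext`, so no configuration starts depending on a name that is already marked for removal.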

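As an added example (not code from the patch or from HAProxy): a minimal C check for what such a fetch has to decide, namely whether a buffered ClientHello carries the RFC 4492 elliptic-curves extension, with bounds checks on every length field. It assumes the extension meant is Supported Elliptic Curves (type 10, section 5.1.1) and that the ClientHello fits in one TLS record; the function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define EXT_ELLIPTIC_CURVES 10 /* RFC 4492 5.1.1: assumed to be the extension meant */

/* Constructed samples (zeroed random, one cipher suite each), not captured traffic. */
const uint8_t sample_ecc[60] = { 0x16,3,1,0,0x37, 1,0,0,0x33, 3,3, [43] = 0,
    0,2,0xc0,0x2b, 1,0, 0,8, 0,10,0,4,0,2,0,23 }; /* ECDHE-ECDSA suite, curves ext */
const uint8_t sample_rsa[50] = { 0x16,3,1,0,0x2d, 1,0,0,0x29, 3,3, [43] = 0,
    0,2,0x00,0x2f, 1,0 };                         /* RSA suite, no extensions */

/* Read an n-byte big-endian integer at *off and advance; -1 if truncated. */
static long rd(const uint8_t *b, size_t len, size_t *off, int n) {
    long v = 0;
    if (len - *off < (size_t)n) return -1;
    while (n--) v = (v << 8) | b[(*off)++];
    return v;
}

/* Skip a vector whose length prefix is n bytes wide; -1 if truncated. */
static int skip_vec(const uint8_t *b, size_t len, size_t *off, int n) {
    long l = rd(b, len, off, n);
    if (l < 0 || len - *off < (size_t)l) return -1;
    *off += (size_t)l;
    return 0;
}

/* 1: extension present, 0: absent, -1: not a ClientHello held in one complete record. */
int hello_has_ec_ext(const uint8_t *b, size_t len) {
    size_t off = 3;
    long n, type;
    if (len < 5 || b[0] != 0x16) return -1;          /* not a handshake record */
    n = rd(b, len, &off, 2);                         /* record length */
    if ((size_t)n > len - off) return -1;
    len = off + (size_t)n;                           /* never read past the record */
    if (rd(b, len, &off, 1) != 1 || rd(b, len, &off, 3) < 0) return -1; /* client_hello */
    if (len - off < 34) return -1;
    off += 34;                                       /* client_version + random */
    if (skip_vec(b, len, &off, 1) || skip_vec(b, len, &off, 2) ||
        skip_vec(b, len, &off, 1)) return -1;        /* session_id, suites, compression */
    if (off == len) return 0;                        /* no extensions block at all */
    n = rd(b, len, &off, 2);                         /* extensions total length */
    if (n < 0 || (size_t)n > len - off) return -1;
    for (len = off + (size_t)n; off < len; ) {
        type = rd(b, len, &off, 2);
        if (type < 0 || skip_vec(b, len, &off, 2)) return -1;
        if (type == EXT_ELLIPTIC_CURVES) return 1;
    }
    return 0;
}
```

A result of 1 only reflects what the client advertised in its hello; the backend that receives the connection still performs the real handshake and cipher negotiation.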
