On Mon, May 11, 2020 at 04:34:07PM +0200, William Dauchy wrote:
> > I'm going to remove the support for multi-cert bundle once 2.2 is
> > released, so it will simplify a lot of things. I encourage people
> > writing new features to not support multi-cert bundles, more
> > particularly on the CLI.
>
> So you mean that
> example.pem.rsa
> example.pem.ecdsa
> will be loaded separately as all the other certificates?
> I'm not 100% sure what you meant behind removing support of "multi-cert
> bundle".
What we call "multi-cert bundle" is the ability to load a certificate for each key type (RSA, DSA, ECDSA) in the same SSL_CTX. It was a hack implemented this way for OpenSSL 1.0.2 because there wasn't any callback available to choose a certificate type in this version. It wasn't implemented by all other SSL libraries.

With OpenSSL 1.1.1, a client_hello callback was implemented, letting us choose the certificate type ourselves instead of letting OpenSSL do it. In my opinion this API is better.

The multi-cert bundles are tricky and need specific conditions everywhere in the loading code. It complicates a lot of things. For example the loading code needs to verify if all SNIs exist in all certificate types, and generate the right SSL_CTX combinations, leading to multiple SSL_CTX created if the SNIs weren't matching.

By removing, it just means:

- In the case of a directory there is basically nothing to do but remove the bundle code, everything will be loaded as usual, it will just be done in separate SSL_CTX.
- In the configuration, if you specify a bundle with "example.pem" to load the .rsa and .ecdsa, I'll probably add a shim to emulate the previous behavior, but they will be loaded in separate SSL_CTX.

Regarding the steps during the connection, during the SNI lookup, instead of having one sni_ctx node containing a SSL_CTX with all certificates, you will have one sni_ctx for each certificate type and the right one will be selected during lookup.

Note that you can configure the SSL more precisely, for each certificate file, by loading the certs separately in a crt-list, instead of configuring all certificates on the bind line.

-- 
William Lallemand
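The per-key-type lookup described above (one sni_ctx per certificate type, the right one chosen from the client hello) as an added illustration in Python; this is not HAProxy's code. It parses a constructed TLS ClientHello's server_name and signature_algorithms extensions and picks the ECDSA or RSA entry from a table keyed by (name, key type); the table layout, the file names and the "ECDSA only if the client advertises an ECDSA scheme, else RSA" rule are assumptions for the example.

```python
from __future__ import annotations
import struct

# Signature scheme code points (RFC 8446) whose algorithm is ECDSA.
ECDSA_SCHEMES = {0x0403, 0x0503, 0x0603}
SNI_EXT, SIGALGS_EXT = 0, 13

def build_client_hello(sni: str, sig_algs: list[int]) -> bytes:
    """Constructed minimal ClientHello body (no record/handshake header)."""
    host = sni.encode()
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    sigs = b"".join(struct.pack("!H", s) for s in sig_algs)
    sig_ext = struct.pack("!H", len(sigs)) + sigs
    exts = (struct.pack("!HH", SNI_EXT, len(sni_ext)) + sni_ext
            + struct.pack("!HH", SIGALGS_EXT, len(sig_ext)) + sig_ext)
    return (b"\x03\x03" + bytes(32)          # version, random
            + b"\x00"                         # empty session id
            + b"\x00\x02\x13\x01"             # one cipher suite
            + b"\x01\x00"                     # null compression
            + struct.pack("!H", len(exts)) + exts)

def parse_client_hello(body: bytes) -> tuple[str | None, set[int]]:
    """Return (server name or None, set of offered signature schemes)."""
    p = 2 + 32
    p += 1 + body[p]                                 # session id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher suites
    p += 1 + body[p]                                 # compression methods
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    sni, sigs = None, set()
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == SNI_EXT and data[2] == 0:        # name_type 0 = host_name
            nlen = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + nlen].decode()
        elif etype == SIGALGS_EXT:
            n = struct.unpack("!H", data[:2])[0]
            sigs = {struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)}
    return sni, sigs

def select_cert(store: dict[tuple[str, str], str], body: bytes) -> str | None:
    """Lookup keyed by (sni, key type): prefer ECDSA when advertised, else RSA."""
    sni, sigs = parse_client_hello(body)
    if sni is None:
        return None
    for key_type in (["ecdsa", "rsa"] if sigs & ECDSA_SCHEMES else ["rsa"]):
        if (sni, key_type) in store:
            return store[(sni, key_type)]
    return None
```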

