Hi,

> From: [email protected] [[email protected]] on behalf of Maxim Dounin ...
> Sent: Monday, 13 April 2015 13:46
> To: [email protected]
> Subject: Re: Multiple Cert support ...
>
> Hello!
>
> On Thu, Apr 09, 2015 at 04:49:06PM +0000, Filipe DA SILVA wrote:
>> Hi Maxim.
>>
>> Thanks for the return.
>>
>> I bet you are talking about this API:
>> https://github.com/openssl/openssl/commit/0f78819c8ccb7c526edbe90d5b619281366ce75c
>
> Yes.
>
>> Should the compatibility with old OpenSSL versions before 1.0.2 remain?
>
> For sure - we currently support OpenSSL 0.9.7 and newer.
>
> But we don't need to support multiple certs with versions before
> OpenSSL 1.0.2. Just an appropriate error if user tries to
> configure this would be enough.
>
> (Just in case, there are two basic problems in older versions:
> no way to specify a chain for each certificate,

AFAIK, it's still not possible to separate them. Internally, the code rebuilds a trust chain on each verification. I saw this when I wrote and debugged a patch for client verification using delegated CRLs.

> and no way to find out the certificate used for a connection as needed for OCSP
> stapling).

This point was fixed by the commit mentioned previously.

>> A good solution would be to keep directly a list of OCSP_CERTID
>> in the stapling context.
>> Instead of keeping reference to cert/issuer certificates.
>
> I think we should attach stapling details to certificates.

Great idea! Using X509_set_ex_data/X509_get_ex_data greatly simplifies the code.

Work is in progress.

Regards,
Filipe da Silva

_______________________________________________
nginx-devel mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx-devel
