Hi, Maxim. I forgot about this feature, even if it is mentioned in the patch. The cert chain declared by ssl_certificate/SSL_CTX_extra_chain is sent to the client. But not the list provided by ssl_trusted_certificate.
The patch calls SSL_CTX_add0_chain_cert now when available.

Regards,
Filipe

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of Maxim Dounin
Sent: Tuesday, 14 April 2015 19:47
To: [email protected]
Subject: Re: RE : Multiple Cert support ...

Hello!

On Tue, Apr 14, 2015 at 05:11:17PM +0000, Filipe DA SILVA wrote:

[...]

> >But we don't need to support multiple certs with versions before
> >OpenSSL 1.0.2. Just an appropriate error if user tries to configure
> >this would be enough.
> >
> >(Just in case, there are two basic problems in older versions:
> > no way to specify a chain for each certificate,
>
> AFAIK, it's still not possible to separate them.
> Internally, the code is rebuilding a trust chain on each verification.
> I saw it when I wrote and debugged a patch about client verification using
> delegated CRL.

The question isn't about trust chains used during client certificate verification, but about chains sent to a client during the SSL handshake.

In OpenSSL 1.0.2 there is an extra chain for each algorithm-specific certificate:

    *) Enhance SSL/TLS certificate chain handling to support different
       chains for each certificate instead of one chain in the parent
       SSL_CTX.
       [Steve Henson]

    *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
       this fixes a limitation in previous versions of OpenSSL.
       [Steve Henson]

See these commits for details:

https://github.com/openssl/openssl/commit/f71c6e52f769af0d2d40ed7e1dcb4fff837837a0
https://github.com/openssl/openssl/commit/a4339ea3ba045b7da038148f0d48ce25f2996971

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx-devel
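One way to verify from the client side which chain a server really sends, i.e. the one built from ssl_certificate rather than anything in ssl_trusted_certificate (an added shell example, not code from this thread or from the nginx patch; the certificate names and the trust-anchor subject are constructed, and the parser assumes the "s:"/"i:" lines that openssl s_client prints in its "Certificate chain" section):

```sh
#!/bin/sh
# Added example, not part of the nginx patch or this thread. It checks the
# chain a server actually sent (the one built from ssl_certificate;
# ssl_trusted_certificate is never sent) by parsing the "Certificate chain"
# section of:  openssl s_client -connect host:443 -servername host -showcerts
# Usage: check_chain "<subject of the trust anchor the client holds>" < s_client.out
# Every sent certificate must be issued by the next one, and the last one must
# either be the anchor or be issued by it. Exit 0 when that holds, 1 otherwise.

check_chain() {
    awk -v anchor="$1" '
      BEGIN { n = 0 }
      # " 0 s:/CN=..." : subject of certificate n (leaf first)
      /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
      # "   i:/CN=..." : its issuer; closes the entry for certificate n
      /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; n++ }
      END {
        if (n == 0) { print "no certificates presented"; exit 1 }
        for (k = 0; k < n - 1; k++)
          if (iss[k] != subj[k + 1]) {
            print "gap after cert " k ": issuer " iss[k] " was not sent next"; exit 1
          }
        if (subj[n - 1] != anchor && iss[n - 1] != anchor) {
          print "chain ends at " iss[n - 1] ", not the trust anchor"; exit 1
        }
        print "ok: " n " certificate(s), anchored at " anchor
      }'
}

# Constructed s_client excerpts with hypothetical names, OpenSSL 1.0.x format.
SAMPLE_FULL=' 0 s:/CN=www.example.test
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA'
# The same server with the intermediate left out of the ssl_certificate file.
SAMPLE_GAP=' 0 s:/CN=www.example.test
   i:/CN=Example Intermediate CA'

printf '%s\n' "$SAMPLE_FULL" | check_chain "/CN=Example Root CA"
printf '%s\n' "$SAMPLE_GAP" | check_chain "/CN=Example Root CA" || echo "(exit $?)"
```

For a server that carries both an RSA and an ECDSA certificate, capture s_client output once per key type (with TLS 1.2, for example with -cipher ECDHE-ECDSA-AES128-GCM-SHA256 and again with an RSA suite) so that each certificate's own chain is checked.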
