Would be great to have this in the next nginx release, thanks Brandon!

On Tue, Aug 18, 2015 at 4:31 PM, Brandon Black <bbl...@wikimedia.org> wrote:
> Hi all,
>
> The Wikimedia Foundation has been running nginx-1.9.3 patched for
> multi-certificate support for all production TLS traffic for a few
> weeks now without incident, for all inbound requests to Wikipedia and
> other associated projects of the Foundation.
>
> We initially used the older March variant of Filipe's patches
> (http://mailman.nginx.org/pipermail/nginx-devel/2015-March/006734.html),
> and last week we switched to using the April 27 variant
> (http://mailman.nginx.org/pipermail/nginx-devel/2015-April/006863.html),
> which is the last known public variant I'm aware of.
>
> These were in turn based on kyprizel's patch
> (http://mailman.nginx.org/pipermail/nginx-devel/2015-March/006668.html),
> which was based on Rob's patch from nearly two years ago
> (http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004376.html).
> It has a long and colorful history at this point :)
>
> We've forward-ported Filipe's Apr 27 variant onto Debian's 1.9.3-1
> package. Most of the porting was trivial (offsets / whitespace /
> etc). There were a couple of slightly more substantial issues around
> the newer OCSP Stapling valid-timestamp checking, and the porting of
> the general multi-cert work to the newer stream modules. The
> ported/updated variant of the patches we're running is available here
> in our repo:
>
> https://github.com/wikimedia/operations-software-nginx/blob/wmf-1.9.3-1/debian/patches/
>
> Our configuration uses a pair of otherwise-identical RSA and ECDSA
> keys and an external OCSP ssl_stapling_file (certs are from
> GlobalSign, chain/OCSP info is identical in the pair). Our typical
> relevant config fragment in the server section looks like this:
>
> ------------
> ssl_certificate /etc/ssl/localcerts/ecc-uni.wikimedia.org.chained.crt;
> ssl_certificate_key /etc/ssl/private/ecc-uni.wikimedia.org.key;
> ssl_certificate /etc/ssl/localcerts/uni.wikimedia.org.chained.crt;
> ssl_certificate_key /etc/ssl/private/uni.wikimedia.org.key;
> ssl_stapling on;
> ssl_stapling_file /var/cache/ocsp/unified.ocsp;
> -------------
>
> Obviously, we'd rather get this work (or something similar) upstreamed
> so that we don't have to maintain local patches for this indefinitely,
> and so that everyone else can use it easily too. I'm assuming the
> reason it wasn't merged in the past is there may be other issues
> blocking the merge that just weren't relevant to our particular
> configuration, or are just matters of cleanliness or implementation
> detail.
>
> I'd be happy to work with whoever on resolving that and getting this
> patchset into a merge-able state. Does anyone know what the
> outstanding issues were/are? Some of the past list traffic on this is
> a bit fragmented.
>
> Thanks,
> -- Brandon
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
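The quoted fragment relies on each ssl_certificate being paired with the ssl_certificate_key that directly follows it, and with two pairs side by side a swapped or stale key file is an easy mistake to make. The script below is an added example for this thread, not code from the patchset or from Wikimedia: it walks such a fragment with the openssl CLI, confirms every key really belongs to its certificate and reports whether each certificate is RSA or ECDSA. The demo certificates and all paths are constructed.

```shell
# Added example (not from the thread): sanity-check an nginx multi-certificate
# server block like the one quoted above. Each ssl_certificate is paired with
# the ssl_certificate_key that follows it; the key is checked against the
# certificate and its algorithm reported. Needs openssl; paths are constructed.
set -eu

# Returns 0 if the certificate's public key equals the private key's public half.
pair_matches() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# Prints the certificate's public key algorithm (rsaEncryption or id-ecPublicKey).
cert_algorithm() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

# Pairs each ssl_certificate with the next ssl_certificate_key in a config
# fragment and checks the pair; returns non-zero if any pair does not match.
check_config() {
  pairs=$(awk '
    $1 == "ssl_certificate"     { cert = $2; sub(/;$/, "", cert) }
    $1 == "ssl_certificate_key" { key = $2; sub(/;$/, "", key); print cert, key; cert = "" }
  ' "$1")
  status=0
  while read -r cert key; do
    [ -n "$cert" ] || continue
    if pair_matches "$cert" "$key"; then
      echo "OK   $(cert_algorithm "$cert")  $cert"
    else
      echo "FAIL private key $key does not match $cert"; status=1
    fi
  done <<EOF
$pairs
EOF
  return $status
}

# Builds constructed demo material: one RSA and one ECDSA self-signed pair plus
# a fragment in the shape of the quoted config (stapling directives are ignored).
make_demo() {
  openssl genrsa -out "$1/rsa.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/rsa.key" -out "$1/rsa.crt" -days 1 -subj /CN=demo.example 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/ecc.key"
  openssl req -x509 -new -key "$1/ecc.key" -out "$1/ecc.crt" -days 1 -subj /CN=demo.example 2>/dev/null
  printf 'ssl_certificate %s/ecc.crt;\nssl_certificate_key %s/ecc.key;\n' "$1" "$1" > "$1/tls.conf"
  printf 'ssl_certificate %s/rsa.crt;\nssl_certificate_key %s/rsa.key;\nssl_stapling on;\n' "$1" "$1" >> "$1/tls.conf"
}

if [ "${1:-}" = "demo" ]; then d=$(mktemp -d); make_demo "$d"; check_config "$d/tls.conf"; fi
```

Run it with the argument `demo` to generate the constructed pairs and check them; point `check_config` at a real server-block fragment to check a production configuration.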