Hi, Brandon.

Shortened (by myself) answer from the nginx guys, which I received at the beginning of May: "...(this) is work in process already, ... hope it will be finished in May."

Regards, FDS

> On 14 May 2016 at 17:22, Brandon Black <bbl...@wikimedia.org> wrote:
>
> On Tue, Aug 18, 2015 at 2:31 PM, Brandon Black <bbl...@wikimedia.org> wrote:
>> Hi all,
>>
>> The Wikimedia Foundation has been running nginx-1.9.3 patched for
>> multi-certificate support for all production TLS traffic for a few
>> weeks now without incident, for all inbound requests to Wikipedia and
>> other associated projects of the Foundation.
>
> [... http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007225.html
> for full text]
>
> Bump!
>
> We're still running these patches for all Wikimedia sites (including
> Wikipedia) to serve dual ECDSA+RSA certificates. There was some
> feedback from some of the original author(s) privately back at the
> time of my last post on this in Aug 2015, but no real progress on
> making newer/better patches and no upstream feedback from nginx.org
> AFAIK so far.
>
> We had stalled out on nginx version updates at Wikimedia for a while.
> We stalled at 1.9.4 for months due to the SPDY-v-HTTP2 switch and
> real-world client support stats, etc. Eventually the stats on the
> switch got better as we approached the May 15 Chrome SPDY cutoff (
> https://phabricator.wikimedia.org/T96848#2251633 ). On May 4th, we
> made the switch to nginx-1.10.0 with HTTP/2 support in place of SPDY,
> and thus we've now also published updated dual-cert patches.
>
> So for anyone who's still pulling in these patches manually, the
> correct diffs against 1.10.0 are now available as the 100x series at:
> https://github.com/wikimedia/operations-software-nginx/tree/wmf-1.10.0-1/debian/patches
> .
>
> These patches have been working fine for us functionally on a very
> large traffic site with a very broad mix of client UAs, with external
> OCSP Stapling files, for several months. I'd still like to get a
> conversation going on how we can get this support merged into upstream
> nginx, perhaps during 1.11.x? What is this patch series missing in
> terms of feature support, code quality, etc, to get into a mergeable
> state?
>
> Thanks,
> -- Brandon Black
> Sr Operations Engineer
> Wikimedia Foundation
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel