Hello!

On Fri, May 08, 2020 at 07:53:18PM +0000, Пичулин Дмитрий Николаевич wrote:

> I dipped into the problem and came to the conclusion that this
> proposal cannot be used as a general one.
>
> First, although the ctrl number could be passed in the directive
> itself, for example "engine:pkcs11:205:slot_0-id_00", where 205
> corresponds to CMD_LOAD_CERT_CTRL (ENGINE_CMD_BASE + 5 = 200 +
> 5), the argument "params" is too specific for this command, in
> fact, it is a binding to a specific non-extensible interface of
> a particular ENGINE command.
>
> Secondly, this binding to a bad interface actually, which is not
> able to return the certificate chain, CMD_LOAD_CERT_CTRL returns
> only the leaf certificate.
>
> Therefore, I do not see how this can be used outside of pkcs11
> ENGINE and I do not see how this can be used in a production
> without a certificate chain.

Thanks for the review, appreciated. A possible use case might be
to use it for proxy_ssl_certificate, but I agree that this looks
very limited and at most optional.

--
Maxim Dounin
http://mdounin.ru/
