Re: Dual Certificate (RSA and ECC) support

2016-02-06 Thread kyprizel
These patches are pretty stable (except you can't use different OCSP responders for SHA1 and SHA256 certs and use different ssl_stapling_files). https://github.com/wikimedia/operations-software-nginx/tree/wmf-1.9.3-1/debian/patches On Fri, Feb 5, 2016 at 11:17 PM, Jon Emord

Re: [PATCH] Multiple certificate support with OpenSSL = 1.0.2

2015-03-24 Thread kyprizel
mdou...@mdounin.ru wrote: Hello! On Tue, Mar 17, 2015 at 09:38:42PM +0300, kyprizel wrote: Sure it should be tested (there can be some memory leaks). Need to know if it's ideologically acceptable. I've provided some comments in the reply to your off-list message. -- Maxim Dounin

Re: [calling all patch XPerts !] [PATCH] RSA+DSA+ECC bundles

2015-03-17 Thread kyprizel
in the config will be used. Can you please review it. Thank you. On Tue, Oct 7, 2014 at 5:03 PM, shm...@riseup.net shm...@riseup.net wrote: Maxim Dounin wrote: Hello! On Tue, Oct 07, 2014 at 11:31:56AM +0400, kyprizel wrote: Updating patch for the last nginx isn't a problem - we need

Re: nginx + LibreSSL + ECDSA cert = Error

2015-03-10 Thread kyprizel
wrong curve? On Tue, Mar 10, 2015 at 1:27 PM, thegrandch...@gmx.de wrote: Hi, this time not stupidly formatted ;): I compiled nginx 1.7.10 + LibreSSL 2.1.4, but am not able to use ECC certificates. nginx -V: nginx version: nginx/1.7.10 built by gcc 4.7.2 (Debian 4.7.2-5) TLS SNI

Re: Slow downloads over SSL

2015-02-05 Thread kyprizel
Make a pcap, check packet loss/mtu/window size. On Wed, Feb 4, 2015 at 8:54 PM, B.R. reallfqq-ng...@yahoo.fr wrote: Nothing in the configuration part you provided rings any bell to me on why this is going on. I suggest you take a deeper look at the server level, see if there is not

Re: [calling all patch XPerts !] [PATCH] RSA+DSA+ECC bundles

2014-10-07 Thread kyprizel
Updating patch for the last nginx isn't a problem - we need to hear from Maxim what was the problem with old patch (it wasn't applied that time - why should a new one be applied?) to fix it. On Mon, Oct 6, 2014 at 10:25 PM, shm...@riseup.net shm...@riseup.net wrote: calling all patch XPerts !

Re: Session Ticket Rotation

2014-09-22 Thread kyprizel
What about sharing keys b/w the physical instances? On Mon, Sep 22, 2014 at 3:39 PM, Richard Fussenegger, BSc rich...@fussenegger.info wrote: I'd like to implement built-in session ticket rotation. I know that it this was discussed before but it was never implemented. Right now a custom

Re: Can't get https to work

2014-08-26 Thread kyprizel
Try to use 192.168.1.102:443. On Wed, Aug 27, 2014 at 1:40 AM, Matthew Ngaha chigga...@gmail.com wrote: I'm trying Nginx with Django on my localhost. I include a django.conf in my main nginx.conf and in this included conf the server listens for both http https and sends either requests

Re: nginx Segmentation fault

2014-06-05 Thread kyprizel
No, it does not help. The problem is somewhere in body reading/processing. On Wed, Jun 4, 2014 at 8:10 PM, Andrei Belov de...@nginx.com wrote: Not yet. Quick look makes me think that client_body_in_file_only on; might help. -- defan On 04 June 2014, at 19:58, kyprizel kypri...@gmail.com

Re: nginx Segmentation fault

2014-06-04 Thread kyprizel
I think this bug was fixed in nginx_refactoring tree. On Wed, Jun 4, 2014 at 7:00 PM, Robert Paprocki rpapro...@fearnothingproductions.net wrote: Can you post a full core dump? Did you verify the mod_security tarball you downloaded? Can you detail the steps taken to build that module? What

Re: nginx Segmentation fault

2014-06-04 Thread kyprizel
Andrei, have you checked issue 630? https://github.com/SpiderLabs/ModSecurity/issues/630 On Wed, Jun 4, 2014 at 7:12 PM, Andrei Belov de...@nginx.com wrote: Hi, there are a lot of open issues with ModSecurity and nginx:

Re: openssl 1.0.1 and tls1.1 and up

2014-04-16 Thread kyprizel
I think the problem is your nginx uses libssl version from your OS (0.9.8/1.0.0). On Wed, Apr 16, 2014 at 4:08 PM, B.R. reallfqq-ng...@yahoo.fr wrote: Rather than posting raw outputs, try to understand the piece of advice Maxim gave to you. I suspect those SSL-validation websites test

Re: SSL session cache lifetime vs session ticket lifetime

2014-03-28 Thread kyprizel
Will this patch be applied to mainline? On Thu, Mar 27, 2014 at 8:23 PM, Maxim Dounin mdou...@mdounin.ru wrote: Hello! On Wed, Mar 26, 2014 at 01:34:19PM +0400, kyprizel wrote: will be log_alloc_failures better? I think something like log_nomem will be good enough. Patch: # HG

Re: SSL session cache lifetime vs session ticket lifetime

2014-03-24 Thread kyprizel
something like this? On Tue, Mar 18, 2014 at 8:00 PM, Maxim Dounin mdou...@mdounin.ru wrote: Hello! On Tue, Mar 18, 2014 at 03:42:33PM +0400, kyprizel wrote: What will be the best way to do it? Probably a flag in ngx_slab_pool_t will be good enough. On Tue, Mar 18, 2014 at 3:33

Re: SSL session cache lifetime vs session ticket lifetime

2014-03-18 Thread kyprizel
What will be the best way to do it? On Tue, Mar 18, 2014 at 3:33 PM, Maxim Dounin mdou...@mdounin.ru wrote: Hello! On Tue, Mar 18, 2014 at 03:26:10PM +0400, kyprizel wrote: Hi, currently SSL session lifetime and SSL ticket lifetime are equal in nginx. If we use session tickets

Re: [PATCH] SSL: ssl_stapling_valid directive

2014-01-13 Thread kyprizel
+0400, kyprizel wrote: In some cases we need to vary the period after which OCSP response will be refreshed. By default it was hardcoded to 3600 sec. This directive allows to change it via config. In which some cases? The directive was omitted intentionally to simplify things as it seems

Re: [PATCH] SSL: ssl_stapling_valid directive

2014-01-13 Thread kyprizel
mdou...@mdounin.ru wrote: Hello! On Mon, Jan 13, 2014 at 07:04:11PM +0400, kyprizel wrote: So, you are going to leave 3600 hardcoded there? Yes, unless you have some better reasons to make it configurable. On Mon, Jan 13, 2014 at 6:51 PM, Maxim Dounin mdou...@mdounin.ru wrote: Hello

Re: [PATCH] SSL: ssl_stapling_valid directive

2014-01-13 Thread kyprizel
warning). If he can't access it at all seeing something like OCSP response invalid - he doesn't know what to do. On Mon, Jan 13, 2014 at 8:12 PM, Maxim Dounin mdou...@mdounin.ru wrote: Hello! On Mon, Jan 13, 2014 at 07:45:29PM +0400, kyprizel wrote: The reason is quite easy - most responders

Re: [PATCH] SSL: ssl_stapling_valid directive

2014-01-13 Thread kyprizel
: Hello! On Mon, Jan 13, 2014 at 08:23:46PM +0400, kyprizel wrote: This looks like a very-very wrong way to address the problem. Instead of resolving the problem it will hide it on some requests (but not on others), making the problem harder to detect and debug. Once user can access

[PATCH] SSL: ssl_stapling_valid directive

2014-01-11 Thread kyprizel
In some cases we need to vary the period after which OCSP response will be refreshed. By default it was hardcoded to 3600 sec. This directive allows to change it via config. Also, there were some kind of bursts when all the cluster nodes and nginx workers go to update their OCSP staples - random delay

Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).

2013-12-23 Thread kyprizel
I mean, if something goes wrong while ticket file copying - nginx still should function, no, b/c it's not an essential thing? On Mon, Dec 23, 2013 at 9:14 PM, Maxim Dounin mdou...@mdounin.ru wrote: Hello! On Mon, Dec 23, 2013 at 07:54:01PM +0400, kyprizel wrote: Should we really fail

Problem with TLS handshake in some browsers when OCSP stapling enabled

2013-12-12 Thread kyprizel
Hi, we got a problem with OCSP stapling. During the handshake some browsers send TLS extension certificate status with more than 5 bytes in it. In Nginx error_log it looks like: [crit] 8721#0: *35 SSL_do_handshake() failed (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).

2013-10-02 Thread kyprizel
If we have multiple keyfiles - I like the idea of marking some key as default. On Wed, Oct 2, 2013 at 12:47 PM, Piotr Sikora pi...@cloudflare.com wrote: Hello Maxim, As previously noted, the patch description is wrong. It also makes sense to add some description of the directive added.

Re: Distributed SSL session cache

2013-10-01 Thread kyprizel
Ok, I don't insist - I just need the functionality. What should I do to get my patch accepted? :) 1. Store key as bin 2. Separate files On Mon, Sep 30, 2013 at 10:00 PM, Maxim Dounin mdou...@mdounin.ru wrote: Hello! On Mon, Sep 30, 2013 at 08:15:34PM +0400, kyprizel wrote: $ openssl rand

Re: Distributed SSL session cache

2013-09-30 Thread kyprizel
in printable characters. On Mon, Sep 30, 2013 at 6:50 PM, Maxim Dounin mdou...@mdounin.ru wrote: Hello! On Sat, Sep 28, 2013 at 10:37:39PM +0400, kyprizel wrote: On Sat, Sep 28, 2013 at 10:14 PM, Piotr Sikora pi...@cloudflare.com wrote: Hi, My patch was designed not to use multiple

Re: Distributed SSL session cache

2013-09-30 Thread kyprizel
of mistake during nginx config parsing. On Mon, Sep 30, 2013 at 7:31 PM, Maxim Dounin mdou...@mdounin.ru wrote: Hello! On Mon, Sep 30, 2013 at 07:14:59PM +0400, kyprizel wrote: $ openssl rand -base64 48 | awk '{print -BEGIN SESSION TICKET KEY-; print; print -END SESSION TICKET KEY

Re: Distributed SSL session cache

2013-09-28 Thread kyprizel
On Sat, Sep 28, 2013 at 10:14 PM, Piotr Sikora pi...@cloudflare.com wrote: Hi, My patch was designed not to use multiple keyfiles and keynames in nginx config so it's able to rotate keys with simple logic, only updating keyfile. IMHO, that makes the key rollover much harder than it

Re: Distributed SSL session cache

2013-09-16 Thread kyprizel
Piotr, are we talking about session tickets ( http://tools.ietf.org/html/rfc4507) ? On Mon, Sep 16, 2013 at 12:30 PM, Piotr Sikora pi...@cloudflare.com wrote: Hello, SSL session tickets are not good enough b/c they don't support modern cipher modes (like GCM) and they don't work with PFS.

Re: Distributed SSL session cache

2013-09-15 Thread kyprizel
. As an alternative (and I don't like this idea) - we can distribute sessions to nginx cache via custom-written module, something like it's done in stud. On Sat, Sep 14, 2013 at 11:06 PM, Maxim Dounin mdou...@mdounin.ru wrote: Hello! On Sat, Sep 14, 2013 at 02:49:49PM +0400, kyprizel wrote: Hi

Distributed SSL session cache

2013-09-14 Thread kyprizel
Hi, I'm thinking on design of patch for adding distributed SSL session cache and have a question - is it possible and ok to create keepalive upstream to some storage (memcached/redis/etc), then use it from ngx_ssl_new_session/ngx_ssl_get_cached_session ?