Re: [PATCH] allow to use engine keyform for server private key

2014-10-29 Thread Dmitrii Pichulin
For example, the testing steps for ubuntu user "nx" with nginx > openssl > engine_pkcs11 > softhsm: 1) -install softhsm (apt-get install softhsm); -edit config (/etc/softhsm/softhsm.conf with: "0:/home/nx/slot0.db"); -init token (softhsm --init-token --slot 0 --label "NginxZero"); 2) -inst

Re: [nginx] Updated OpenSSL used for win32 builds.

2014-10-29 Thread Maxim Dounin
Hello! On Tue, Oct 28, 2014 at 03:03:21PM -0700, Piotr Sikora wrote: > Hey Maxim, > > > Updated OpenSSL used for win32 builds. > > Uhm, committing this before merging my patch [1] broke > password-protected private keys (using multiple passwords in the same > ssl_password_file feature) on win32

Re: [PATCH] SSL: make ssl_password_file work with recent OpenSSL releases

2014-10-29 Thread Sergey Kandaurov
On Oct 28, 2014, at 12:38 AM, Piotr Sikora wrote: > Also, I think that PKCS#12 support should be added in a separate > commit, instead of mixing it with semi-related fix. How so? It is not about adding error handling support for yet another format, because it was already there but was broken for

NGINX Persistent Connection Limit Value

2014-10-29 Thread Das, Jagannath
Hi Folks, Provided the scalable architecture we have today, Is it possible that we may hit the connection limit issue using the persistent connection flags like the keepalive_timeout/keepalive_requests due to too many open connections? Thanks, Jagannath

Re: [PATCH] SSL: make ssl_password_file work with recent OpenSSL releases

2014-10-29 Thread Sergey Kandaurov
On Oct 29, 2014, at 9:09 PM, Sergey Kandaurov wrote: > On Oct 28, 2014, at 12:38 AM, Piotr Sikora wrote: >> Also, I think that PKCS#12 support should be added in a separate >> commit, instead of mixing it with semi-related fix. > > How so? It is not about adding error handling support for yet

Re: NGINX Persistent Connection Limit Value

2014-10-29 Thread Maxim Dounin
Hello! On Wed, Oct 29, 2014 at 11:45:11PM +0530, Das, Jagannath wrote: > Hi Folks, > Provided the scalable architecture we have today, Is it > possible that we may hit the connection limit issue using > the persistent connection flags like the > keepalive_timeout/keepalive_

Re: [PATCH] SSL: make ssl_password_file work with recent OpenSSL releases

2014-10-29 Thread Piotr Sikora
Hey Sergey, > How so? It is not about adding error handling support for yet another format, > because it was already there but was broken for the same reason after 1.0.1j. Oh, I see. I misread your original comment and I thought you were adding support for it. > Below is an updated patch with fi

Re: [PATCH] SSL: make ssl_password_file work with recent OpenSSL releases

2014-10-29 Thread Piotr Sikora
Hey Sergey, > Alternatively, remove error collection that doesn’t really make much sense. > It’s an open set and we cannot predict for sure all of them enumerated. That's also a valid approach, but the commit is wrong. > # HG changeset patch > # User Sergey Kandaurov > # Date 1414150080 25200 >

Re: [PATCH] SSL: make ssl_password_file work with recent OpenSSL releases

2014-10-29 Thread Das, Jagannath
Hi Sergey, Are you also looking to have a fix for the POODLE vulnerability? Thanks, Jagannath From: Sergey Kandaurov <pluk...@nginx.com> Reply-To: "nginx-devel@nginx.org" <nginx-devel@nginx.org> Date: Wednesday, October 29, 2014 at 11:39 PM To: "ng

Re: [PATCH] SSL: make ssl_password_file work with recent OpenSSL releases

2014-10-29 Thread Piotr Sikora
Hi, > Are you also looking to have a fix for the POODLE vulnerability? The only fix for the POODLE vulnerability is to disable SSLv3 (I'm going to send a patch for that in a moment). However, if you meant TLS_FALLBACK_SCSV, then it's not needed, because nginx doesn't do "downgrade dance". Best

[PATCH] SSL: don't enable SSLv3 by default

2014-10-29 Thread Piotr Sikora
# HG changeset patch # User Piotr Sikora # Date 1414642398 25200 # Wed Oct 29 21:13:18 2014 -0700 # Node ID bf17486e5d30574b870926b76c1d6f421e4def75 # Parent 87ada3ba1392fadaf4d9193b5d345c248be32f77 SSL: don't enable SSLv3 by default. Prodded by Jagannath Das. Signed-off-by: Piotr Sikora