httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaspar Brand <>
Subject Re: [PATCH 55593] Add "SSLServerInfoFile" directive
Date Mon, 14 Oct 2013 16:28:58 GMT
On 14.10.13 10:51, Rob Stradling wrote:
> Kaspar, I don't think data from 2010 (or even data from today) should be 
> assumed to be a reliable indicator of future use of non-RSA certs on 
> public sites.

"Past performance is not indicative of future performance", as they use
to say in other industries, yes. Did the situation with Certicom's
licensing terms for ECC cert issuance change recently?

> AFAICT, interest (amongst the commercial CAs) in ECC certs continues to 
> grow.  Since a significant proportion (I estimate ~20%) of deployed 
> clients will accept RSA server certs but not ECC server certs, I think 
> that configuring both an ECC cert and an RSA cert on a single vhost may 
> yet become popular!

I'm not saying we should no longer support multiple certs per vhost (in
fact, with my PoC patch, you can send as many certs to OpenSSL if you
increase SSL_AIDX_MAX - though OpenSSL currently can't really cope with
it)... what I'm saying is that I don't see a need for an additional
per-cert directive. To support the "current cert" concept of OpenSSL for
the SSL_CTX calls, we just need to make sure that we're applying the
OpenSSLConfCmd directives (ServerInfoFile etc.) at the proper place.


View raw message