On 11/19/2016 04:13 PM, Jeremy Harris wrote:
> On 13/11/16 18:35, Torsten Tributh wrote:
>> Is there a plan to support the feature of OPENSSL 1.1.0 to support
>> multiple certificates?
> Multiple certificates to be used for what purpose?
To support encryption with RSA when ECDSA fails.
A lot of servers must be forced to connect to the second server with RSA
with iptables rules. They try a TLS connection and if it fails they will
repeat endlessly trying to reconnect to the same host.
I want to prevent this situation where iptables is needed.
>
>> I am using ECDSA for my primary Mail server and the still needed
>> RSA-Cert for the secondary.
>> There are still some Servers which are unable to negotiate encryption
>> and in a case of a failure to connect on their own to the second server.
> I didn't quite follow that. You're saying there are some MTAs out there
> which won't connect to a server which uses an ECDSA certificate, and
> because of this you are running a secondary server with an RSA
> certificate?
>
> And you'd like to consolidate into a single server with two certs?
> How would it know which of the two to present?
Both. You have certs with exactly the same list of hostnames included.
One is ECDSA and the other is RSA. You make a longer cipher list,
where you can mix ECDSA and RSA ciphers. The client gets the cert
that goes with the first cipher.
Better samples and explanations are given by the NGINX community,
where this is already in use to support dual certificates.
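As an added example (not code from this thread, nor from Exim or NGINX), the Python model below shows how the mixed cipher list described above selects between an ECDSA and an RSA certificate in TLS 1.2: the server walks its ordered list, the first suite the client also offers fixes the authentication algorithm and so the certificate, and a client that cannot do ECDSA gets the RSA certificate instead of a failed handshake. Cipher names are OpenSSL names; the two client lists are constructed sample data.

```python
# Model of TLS 1.2 certificate selection on a server that holds both an
# ECDSA and an RSA certificate. Constructed example; not an MTA's code.
from typing import List, Optional, Tuple

# Server's ordered cipher list: ECDSA suites first, RSA suites as the
# fallback for clients that cannot validate an ECDSA certificate.
SERVER_CIPHERS = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",  # legacy static-RSA suite, no forward secrecy
]

# Constructed client offers. The legacy client has no ECDSA suites at all,
# which is the kind of peer the thread describes retrying endlessly.
MODERN_CLIENT = ["ECDHE-ECDSA-AES128-GCM-SHA256",
                 "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
LEGACY_CLIENT = ["DHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]


def cert_type_for(cipher: str) -> str:
    """Map an OpenSSL TLS 1.2 cipher name to the certificate type it needs.

    Only TLS 1.2 suites encode the server authentication algorithm in the
    name; TLS 1.3 suites do not, and the certificate is then chosen from
    the client's signature_algorithms extension instead.
    """
    if "-ECDSA-" in cipher:
        return "ECDSA"
    # ECDHE-RSA-*, DHE-RSA-* and static-RSA suites (AES128-SHA) all
    # authenticate the server with an RSA certificate.
    return "RSA"


def negotiate(server: List[str], client: List[str],
              server_preference: bool = True) -> Optional[Tuple[str, str]]:
    """Return (chosen cipher, certificate type), or None when nothing overlaps.

    With server preference the first server suite the client also offers
    wins; otherwise the client's order decides.
    """
    first, second = (server, client) if server_preference else (client, server)
    for cipher in first:
        if cipher in second:
            return cipher, cert_type_for(cipher)
    return None  # handshake fails: no shared suite, hence no usable cert


def ecdsa_only(server: List[str]) -> List[str]:
    """The single-certificate setup from the thread: drop every RSA suite."""
    return [c for c in server if cert_type_for(c) == "ECDSA"]
```

Run `negotiate(ecdsa_only(SERVER_CIPHERS), LEGACY_CLIENT)` to see the failure the thread complains about, and `negotiate(SERVER_CIPHERS, LEGACY_CLIENT)` to see the RSA fallback that a dual-certificate server provides.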