
In one article I read that OpenSSL 1.0.2 allows you to select the certificate depending on client configuration. For example, early Windows XP SP2 does not support ECC certificates; for such clients the server will return one certificate, and another certificate for modern OSes.

I can't find a description of this technology. Does any web server support it?

  • Are you referring to [Server Name Indication](http://serverfault.com/q/109800/126632)? – Michael Hampton Sep 30 '15 at 07:07
  • No. Choose the server certificate based on the client's supported ciphers – Dmitry Gorozhanin Sep 30 '15 at 07:21
  • Perhaps it would help if you told us exactly what you were reading. – Michael Hampton Sep 30 '15 at 07:22
  • Of course, but the article in Russian http://habrahabr.ru/company/yandex/blog/249771/ – Dmitry Gorozhanin Sep 30 '15 at 07:25
  • I think you are talking about: `Unfortunately, Windows XP < SP3 and some other browsers, whose share among the clients of large sites is non-zero, do not support ECC certificates. The solution may be to use different certificates for different clients, which saves resources thanks to the newer clients, who are the majority. OpenSSL version 1.0.2 allows the server certificate to be selected depending on the client's parameters. Unfortunately, so far Nginx "out of the box" does not allow multiple certificates to be used for a single server.` The article does not give a solution that I can find. – Michael Hampton Sep 30 '15 at 07:31
  • But it's probably not worth bothering unless you are as big as Yandex. Nobody should still be using Windows XP, and if they are, they should have installed SP3 years ago. – Michael Hampton Sep 30 '15 at 07:32
  • Related: SF: [How do I configure Windows for dual certificates, ECDSA with RSA fallback?](https://serverfault.com/questions/707250/how-do-i-configure-windows-for-dual-certificates-ecdsa-with-rsa-fallback) (Mentions Apache, IIS, Nginx) – StackzOfZtuff Sep 30 '15 at 09:21

1 Answer


You're referring to this bit in the linked article (here, translated to English):

OpenSSL version 1.0.2 allows you to select the server certificate based on the parameters of the client. Unfortunately Nginx out of the box does not allow the use of multiple certificates for a single server.

This appears to be referring to the following OpenSSL feature, added in 1.0.2:

*) Add certificate callback. If set this is called whenever a certificate is required by client or server. An application can decide which certificate chain to present based on arbitrary criteria: for example supported signature algorithms. Add very simple example to s_server. This fixes many of the problems and restrictions of the existing client certificate callback: for example you can now clear an existing certificate and specify the whole chain. [Steve Henson]

So far I can find no evidence that nginx supports this functionality, nor of any unofficial patches. Nor, from a quick look, did I find anything relevant for Apache or any other web server. I am sure it will be added eventually, but if you really need this soon, I would suggest asking on the nginx mailing list.

Michael Hampton
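The OpenSSL hook the changelog entry above describes is `SSL_CTX_set_cert_cb()` (available since 1.0.2); inside that callback a server can inspect what the client offered (for example via `SSL_get_client_ciphers()` and `SSL_get_sigalgs()`) and install a different certificate chain. The following is an added example, not code from the answer, the article, OpenSSL or nginx: it shows in Python the decision such a callback has to make, by parsing a raw TLS 1.0–1.2 ClientHello and checking whether the client both offers an ECDHE_ECDSA cipher suite and, when it sends the `signature_algorithms` extension, lists an ECDSA algorithm. The three ClientHello samples are constructed here for the demonstration (a modern client, an RSA-only legacy client with no extensions, and a client that offers ECDSA suites but only RSA signature algorithms); the helper names are this example's own.

```python
import struct

# IANA cipher suite values used by the constructed samples (not an exhaustive list)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_RSA_WITH_RC4_128_SHA = 0x0005

# Suites whose key exchange is authenticated with an ECDSA certificate
ECDSA_SUITES = {0xC009, 0xC00A, 0xC023, 0xC024, 0xC02B, 0xC02C}

EXT_SIGNATURE_ALGORITHMS = 13   # RFC 5246, section 7.4.1.4.1
SIG_RSA, SIG_ECDSA = 1, 3       # SignatureAlgorithm values
HASH_SHA1, HASH_SHA256 = 2, 4   # HashAlgorithm values


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello; raise ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or not body or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    (version,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
    pos += 32                                   # client random
    pos += 1 + hello[pos]                       # session_id (length-prefixed)
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                       # compression_methods (length-prefixed)
    sig_algs = None                             # None: extension absent (TLS 1.0/1.1 clients)
    if pos < len(hello):
        (ext_len,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
        end = pos + ext_len
        if end > len(hello):
            raise ValueError("bad extensions length")
        while pos < end:
            if pos + 4 > end:
                raise ValueError("truncated extension header")
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            data = hello[pos:pos + elen]; pos += elen
            if etype == EXT_SIGNATURE_ALGORITHMS:
                (n,) = struct.unpack("!H", data[:2])
                sig_algs = [(data[2 + i], data[3 + i]) for i in range(0, n, 2)]
    return {"version": version, "cipher_suites": suites, "signature_algorithms": sig_algs}


def client_supports_ecdsa(info: dict) -> bool:
    """True when the ClientHello lets the server authenticate with an ECDSA certificate."""
    if not any(s in ECDSA_SUITES for s in info["cipher_suites"]):
        return False
    if info["signature_algorithms"] is None:
        return True   # no extension: RFC 5246 defaults to {sha1, ecdsa} for ECDSA keys
    return any(sig == SIG_ECDSA for _hash, sig in info["signature_algorithms"])


def choose_certificate(record: bytes) -> str:
    """The decision a certificate callback would make: which chain to present."""
    return "ecdsa" if client_supports_ecdsa(parse_client_hello(record)) else "rsa"


def build_client_hello(version: int, suites, sig_algs=None) -> bytes:
    """Construct a minimal ClientHello record (zero random, empty session id) for the samples."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                               # one compression method: null
    if sig_algs is not None:
        sa = b"".join(bytes(pair) for pair in sig_algs)
        ext = struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, 2 + len(sa)) + struct.pack("!H", len(sa)) + sa
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a modern TLS 1.2 client, an RSA-only TLS 1.0 client without
# extensions, and a TLS 1.2 client that offers ECDSA suites but only RSA signature algorithms.
MODERN_HELLO = build_client_hello(0x0303, [0xC02B, 0xC02F, 0x002F],
                                  [(HASH_SHA256, SIG_ECDSA), (HASH_SHA256, SIG_RSA), (HASH_SHA1, SIG_RSA)])
LEGACY_HELLO = build_client_hello(0x0301, [0x002F, 0x000A, 0x0005])
RSA_SIGALG_HELLO = build_client_hello(0x0303, [0xC02B, 0xC02F], [(HASH_SHA256, SIG_RSA)])

if __name__ == "__main__":
    for name, hello in (("modern", MODERN_HELLO), ("legacy", LEGACY_HELLO), ("rsa-sigalg", RSA_SIGALG_HELLO)):
        print(name, "->", choose_certificate(hello))
```

The point of checking both the cipher suites and the `signature_algorithms` extension is that either alone can mislead: a client may list an ECDHE_ECDSA suite yet advertise only RSA signature algorithms, in which case presenting the ECDSA chain makes the handshake fail. The parser rejects truncated or mislabelled records rather than guessing, so a malformed ClientHello falls through to an error instead of an arbitrary certificate choice.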