Opened 7 months ago

Closed 7 months ago

#1375 closed defect (invalid)

Can't use parallel ECDSA / RSA certificates in BoringSSL

Reported by: jinham335908093@… Owned by:
Priority: minor Milestone: 1.13
Component: nginx-module Version: 1.13.x
Keywords: BoringSSL, Certificate Cc:
uname -a: Linux a-VirtualBox 4.10.0-33-generic #37~16.04.1-Ubuntu SMP Fri Aug 11 14:07:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.13.4 built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) built with OpenSSL 1.0.2 (compatible; BoringSSL) (Running with Boringssl) TLS SNI support enabled configure arguments: --add-module=../ngx_brotli --add-module=../nginx-ct-1.3.2 --with-openssl=../openssl --with-openssl-opt='enable-tls1_3 enable-weak-ssl-ciphers' --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module


I can't use parallel ECDSA / RSA certificates in BoringSSL. It only offers the RSA certificate.
My config is:

server {

    listen 443 ssl spdy http2 fastopen=3 reuseport;
    listen 80;
    #server_name localhost;
    server_tokens off;
    #charset koi8-r;

    #access_log logs/host.access.log main;
    #ssl_ciphers ALL;
    ssl_stapling on;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets on;
    ssl_certificate cert.pem;
    ssl_certificate_key key.pem;
    ssl_certificate rsa.pem;
    ssl_certificate_key rsa.key.pem;
    #2048-bit DH
    ssl_dhparam dhparams.pem;
    ssl_ecdh_curve X25519:P-521:P-384:P-256;
    add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="IiSbZ4pMDEyXvtl7Lg8K3FNmJcTAhKUTrB2FQOaAO/s="; pin-sha256="GrUh1XUYd7h8vyl/831aUltQ3bRKrNYdDFqIaBf8c=";pin-sha256="XMNx6H7vrk+38sOXz3yAeR60fQv14famOgKTZl0c9GU=";max-age=2592000; includeSubDomains';
    add_header X-Frame-Options deny;
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
    add_header X-Xss-Protection '1; mode=block';
    add_header Cache-Control no-cache;
    add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-eval'; img-src 'self'; connect-src 'self'; font-src 'self'; style-src 'unsafe-inline';";

    location / {
        root html;
        index index.html index.htm;
    }
}
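A quick way to confirm the symptom described in this ticket (which certificate a server actually serves to ECDSA-only and RSA-only clients) is to probe it twice with `openssl s_client` and read the key algorithm of the returned certificate. This script is an added example, not part of the ticket or of nginx; the host, port and output file names are assumptions supplied by the caller.

```shell
#!/bin/sh
# Probe a TLS 1.2 server once offering only ECDSA cipher suites and once only RSA
# suites, and report the public-key algorithm of the certificate it serves.
# A working dual-certificate setup answers "id-ecPublicKey" to the first probe and
# "rsaEncryption" to the second; a server that only ever serves its RSA certificate
# (the behaviour reported in this ticket) produces no answer for the ECDSA probe,
# because no cipher suite can be agreed on.

# Extract the "Public Key Algorithm" value from `openssl x509 -noout -text` on stdin.
key_type_from_text() {
  sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p' | head -n 1
}

# Connect with the given TLS 1.2 cipher list and print the served certificate's
# key algorithm. Empty output means the handshake failed (no matching certificate).
probe_key_type() {
  host=$1; port=$2; cipher=$3
  openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 -cipher "$cipher" \
      </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | key_type_from_text
}

# Constructed sample of `openssl x509 -text` output, used to exercise the parser offline.
SAMPLE_ECDSA_TEXT='Certificate:
    Data:
        Subject: CN = example.test
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1'

# Usage: sh dualcert-check.sh example.com 443   (host and port are caller-supplied)
if [ "$#" -eq 2 ]; then
  echo "ECDSA-only offer -> $(probe_key_type "$1" "$2" ECDHE-ECDSA-AES128-GCM-SHA256)"
  echo "RSA-only offer   -> $(probe_key_type "$1" "$2" ECDHE-RSA-AES128-GCM-SHA256)"
fi
```

The probes pin TLS 1.2 because the ticket's config enables TLSv1 to TLSv1.2; under TLS 1.3 certificate selection is driven by signature algorithms rather than cipher suites.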

Change History (2)

comment:1 Changed 7 months ago by jinham335908093@…

I add an option to enable TLS 1.3 and weak ciphers

comment:2 Changed 7 months ago by mdounin

  • Resolution set to invalid
  • Status changed from new to closed

Looking through BoringSSL code suggests that there is no relevant support for multiple certificates in BoringSSL; it was removed in d1d807802. Compile with OpenSSL instead.
