#809 Allow parallel RSA and ECDSA certificates

Reporter Peter Linss
Owner Nobody
Created
Updated
Stars ★★ (3)
Tags
  • Priority-Medium
  • Type-Enhancement
  • Status-Accepted
  1. Peter Linss on

    Description of feature: ECDSA certificates are now available from several CAs (including Let's Encrypt), please add support for configuring both RSA and ECDSA certificates to allow incoming connections to negotiate for the certificate type they support. See Apache, Nginx, and Postfix for examples.

  2. Zash on

    This most likely needs support in LuaSec first, seehttps://github.com/brunoos/luasec/issues/27

    Changes
    • tags Status-Blocked
  3. Zash on

    This most likely needs support in LuaSec first, see https://github.com/brunoos/luasec/issues/27

    Changes
    • tags
  4. Daniel Kenzelmann on

    Issue with luasec was resolved with https://github.com/brunoos/luasec/pull/133

  5. Zash on

    Great! Could anyone test whether this works with Prosody? Should be something like this: ssl = { certificate = 'certs/example.com.rsa.crt', key = 'certs/example.com.rsa.key', certificates = { { certificate = 'certs/example.com.ec.crt', key = 'certs/example.com.ec.key', }, }, }

    Changes
    • tags Status-Blocked Status-NeedInfo
  6. Winfried on

    Does not work. Also tried like this: ssl = { certificates = { { certificate = 'certs/example.com.ec.crt', key = 'certs/example.com.ec.key', }, { certificate = 'certs/example.com.rsa.crt', key = 'certs/example.com.rsa.key', }, }, } It only finds the key in the highest level 'certificate' & 'key' statement.

  7. Daniel Kenzelmann on

    Did you try with the git version of luasec? It just was committed 13 days ago and there has not been a luasec release yet.. (should have clarified that in my comment, sorry)

  8. Winfried on

    Yes I did (in matter of fact, finding out how to get it on my server was most of the job).

  9. Zash on

    Seems like the compat code I based the config in comment 5 on wasn't in the finally merged version. So it seems like what Winfried wrote in comment 6 is correct, and I even got that to work once I got LuaSec built from source and actually got it to use the built version. So, now the question is what we do about this, and how it interacts with things like SNI.

    Changes
    • tags Status-NeedInfo Status-Accepted
  10. Winfried on

    Got it working with lua-sec 0.9, prosody 0.11.3 and the config as mentioned in comment 6.

New comment

Not published. Used for spam prevention and optional update notifications.