Hello!
On Wed, Sep 10, 2014 at 2:59 PM, Michal Cichra wrote:
> Well. I need it to be multi platform. Because this can be deployed by users,
> it should be
> It is pretty common that software can get trusted certificates from the OS.
>
It's the default set in OpenSSL. AFAIK, Linux does not have a standard
trusted cert set (though some individual Linux distributions might
have their own).
> I made this patch to nginx
> https://gist.githubusercontent.com/mikz/4ce4307329095114b109/raw/97c68b3f6a4f0a6f87fe8f1b7005f19484378fcc/gistfile1.diff
> that seems to work.
>
Well, you could propose this patch (or something polished) to the
nginx-devel mailing list.
>> I suggest you only load the CA certs you actually need to save runtime
>> overhead.
> It is an HTTP client capable of connecting to any server, so it should (lazily)
> load all the trusted certificates from the OS.
> I have no idea how openssl works in the back, whether adding a CA path has the same
> effect as loading all certificates, or whether it is lazy-loaded.
Use of SSL_CTX_set_default_verify_paths has extra overhead at least in
the memory footprint. For the "TEST 11: www.google.com (SSL verify
passes)" test case in ngx_lua's official test suite, I have the
following memory metrics of the nginx process, as reported by pmap:
mapped: 55840K  writeable/private: 1276K  (just the used CA cert loaded)
mapped: 58624K  writeable/private: 4060K  (SSL_CTX_set_default_verify_paths)
It's nontrivial for some people :)
But I agree it is convenient for many people.
> If I tried to merge it into nginx (probably with a configuration flag),
> would you make the same configuration for lua?
Yes.
Regards,
-agentzh
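To make the two strategies discussed in the thread concrete, here is an added example (not code from the thread, nginx or ngx_lua) that uses Python's `ssl` module as a thin wrapper over the same OpenSSL calls: `SSLContext.set_default_verify_paths()` is `SSL_CTX_set_default_verify_paths`, and `load_verify_locations()` is `SSL_CTX_load_verify_locations`. It also shows which part of the default set is eager and which is lazy; the function names are my own.

```python
import ssl


def default_verify_paths() -> dict:
    """Where OpenSSL looks when SSL_CTX_set_default_verify_paths is used.

    `cafile` is a single PEM bundle (read eagerly into the X509_STORE);
    `capath` is a directory of hash-named certs that OpenSSL only opens
    lazily, one file at a time, when a chain is actually verified.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,
        "capath": p.capath,
        "cafile_env": p.openssl_cafile_env,  # e.g. SSL_CERT_FILE
        "capath_env": p.openssl_capath_env,  # e.g. SSL_CERT_DIR
    }


def ca_count_empty() -> int:
    """A fresh context trusts nothing: every verification fails closed."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).cert_store_stats()["x509"]


def ca_count_default() -> int:
    """Load the OS-wide trust set; the whole CAfile bundle lands in memory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_default_verify_paths()  # -> SSL_CTX_set_default_verify_paths
    # Only the eagerly parsed CAfile certs show up here; CApath is lazy.
    return ctx.cert_store_stats()["x509"]


def ca_count_pinned(cafile: str) -> int:
    """Load just the CA(s) a deployment actually needs (the ngx_lua test
    case above keeps exactly one), which is the low-footprint option."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)  # -> SSL_CTX_load_verify_locations
    return ctx.cert_store_stats()["x509"]


if __name__ == "__main__":
    print("default paths:", default_verify_paths())
    print("certs after set_default_verify_paths:", ca_count_default())
```

On a host with a populated CA bundle the default count is in the hundreds, which is the difference behind the pmap figures in the thread; a pinned context that loads one CA file reports 1.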