Proposal: multiple certificates deployment for a single domain

[tokers]

Background

As is known to all, ECC (Elliptic Curve Cryptography) certificate has several advantages than RSA certificate, like smaller key size. The speed of SSL handshake on the server side will be better if we can use the ECC certificate.

Nevertheless, some browsers may not recognize the ECC certificate, so if someone migrated his/her certificate from RSA to ECC, compatibility broken might occur.

Solution

Let's try to deploy multiple certificates for a single domain, depending on the cipher suites that client sent, apisix can select and send the most appropriate certificates.

Technically, OpenSSL's related APIs like SSL_use_certificate, SSL_use_PrivateKey, can be called duplicately for a single SSL session, the certificate selection will be done under the hood.

References

• https://www.leaderssl.com/articles/345-what-is-ecc-and-why-you-should-use-it
• https://imququ.com/post/ecc-certificate.html

[moonming]

sounds great. We need also update ssl_ciphers in nginx.conf too.

@tokers welcome PR:)

[tokers]

@moonming I will try. Since i'm not familiar with the internal of APISIX, it may take a long while. Anyway, i will synchronize the progress here.

[moonming]

@tokers If you have any questions, feel free to discuss with us, looking forward for your PR

[membphis]

@tokers any news?

[tokers]

I'm so sorry that i almost forgot this thing... 😂, i will start to do it once i have enough time.

[spacewander]

Look like this can be closed now?

[tokers]

@spacewander Yeah, the corresponding PR was merged.