
Nginx 1.15.9 - runesoerensen
http://mailman.nginx.org/pipermail/nginx-announce/2019/000231.html
======
aorth
Oh. So _that's_ what they meant by "variables support" in the ssl directives.
I didn't realize the significance of that change when I read the changelog
earlier today.

~~~
skrebbel
What is? Looks like the link goes to a changelog and nothing else.

~~~
petercooper
The original title for this item was _"Nginx 1.15.9 adds support for dynamic
certificate loading"_ which explains why this is interesting, but then someone
edited it to the current less useful version ¯\_(ツ)_/¯

Noticed via
[https://hackernewstitles.netlify.com/](https://hackernewstitles.netlify.com/)

~~~
torvald
> Noticed via
> [https://hackernewstitles.netlify.com/](https://hackernewstitles.netlify.com/)

Of course that's a thing.

------
zorpner
Bear in mind:
[http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_c...](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate)

    Note that using variables implies that a certificate will be loaded for each SSL handshake, and this may have a negative impact on performance.

Still a great feature. About to significantly simplify a few complex
deployments I'm running.

~~~
uasm
That's a strange disclaimer. There should've been a cache there.

~~~
regecks
Strange and potentially busted, if that interpretation is correct.

What if your ACME client is updating the certificate and private key when an
nginx connection comes in?

You can't atomically update both files, right? So nginx will potentially see a
mismatched key and certificate?

:\

I hope it's guarded by SIGHUP, like sibling comment suggests.

~~~
daenney
You don't need to atomically replace 2 files. Renewing the certificate does
not entail changing the private key, so unless you toss away the private key
yourself you won't get a mismatched key and certificate situation.

It only needs to update the certificate, a single operation, which can be done
atomically. Certificates are also renewed ahead of time so a previous
connection still having the old cert is not an issue.

~~~
scurvy
Is it still best practice to create a new key on cert renewal? It was just a
few years ago.

------
clon
I cannot find any information on how this data is sanitized.

    /safe/path/$hostname.key
    $hostname = ../../etc/some/secret
    /safe/path/../../etc/some/secret.key

~~~
an_account_name
Host headers are transmitted _after_ the ssl handshake.

~~~
duncaen
SNI?

~~~
an_account_name
I read through the codebase and can't assert that _couldn't_ happen... wasn't
sure if the ngx_http_ssl_certificate callback could be executed after a point
where any of the client-controlled variables from [1] are defined.

[1] -
[https://nginx.org/en/docs/http/ngx_http_ssl_module.html#vari...](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables)
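A constructed configuration example for the concern clon raises above (not code from the thread, from nginx, or from its documentation): instead of letting the client-chosen SNI value land in the file name, a `map` translates `$ssl_server_name` through an allow-list, so the path given to `ssl_certificate` can only be one of a fixed set of names. It assumes nginx 1.15.9 or later built against OpenSSL 1.0.2+, that map variables are evaluated when the certificate is loaded during the handshake, and placeholder names (`/etc/nginx/certs/`, `example.com`, `fallback`).

```nginx
# Constructed example; not from the thread or from nginx itself.
# Assumed layout: /etc/nginx/certs/<name>.crt and <name>.key, where <name>
# is one of the placeholder values below.

# Pattern to avoid: the SNI value chosen by the client becomes a path
# component. Whether or not nginx rejects odd values, the file name now
# depends on untrusted input, which is what the ../../ example illustrates.
#
#   server {
#       listen 443 ssl;
#       ssl_certificate     /etc/nginx/certs/$ssl_server_name.crt;
#       ssl_certificate_key /etc/nginx/certs/$ssl_server_name.key;
#   }

# Preferred: pass the SNI value through an allow-list first. Anything not
# listed (including a missing SNI, which leaves $ssl_server_name empty)
# collapses to "fallback", so only a known file name can ever be built.
map $ssl_server_name $cert_name {
    default          fallback;
    example.com      example.com;
    www.example.com  example.com;   # shares the example.com certificate
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # Both directives use the mapped value, never $ssl_server_name directly.
    ssl_certificate     /etc/nginx/certs/$cert_name.crt;
    ssl_certificate_key /etc/nginx/certs/$cert_name.key;

    # As the documentation note quoted earlier says, the files are loaded on
    # every handshake. A renewal that keeps the existing key therefore only
    # has to swap the .crt file; moving the new file into place with a
    # rename keeps each handshake reading one complete file.
}
```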

------
subway
Nifty. I've been using ssl_certificate_by_lua_block from the openresty nginx
lua module to accomplish this.

------
arcbyte
So with poll() now available on Windows is nginx ready to drop the beta label
for Windows?

[http://nginx.org/en/docs/windows.html](http://nginx.org/en/docs/windows.html)

------
gregoriol
Why are they still supporting Windows Vista?!

~~~
chemodax
Most likely because of Windows Server 2008: they are almost the same.

