Thanks for your reply, Maxim! I'll work out an alternative then.

Re. session resumption, I read in the OpenSSL docs (https://www.openssl.org/docs/man1.1.0/man3/SSL_get0_verified_chain.html) that OpenSSL is willing to store the chain longer than a single request, but only if the implementing application (nginx) is managing freeing it at the proper time (e.g. when the session times out):

> If applications wish to use any certificates in the returned chain indefinitely they must increase the reference counts using X509_up_ref() or obtain a copy of the whole chain with X509_chain_up_ref().

PS. I now see that HAProxy is also discussing it: https://www.mail-archive.com/[email protected]/msg35607.html

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288553,288596#msg-288596
