Status of dual certificate support

Albert Casademont albertcasademont at
Sun Feb 21 21:08:35 UTC 2016

It would be great if these patches were merged upstream!

On Sunday, 21 February 2016, ToSHiC <toshic.toshic at> wrote:

> Hello,
> We are using patches from here:
> in production since 20th of December 2015.
> We've made 2 certificates: EC+SHA2 signature for new browsers and RSA+SHA1
> signature for old ones. We assume that all browsers that support EC certs
> do support SHA2 cert signatures. Monitoring of bad SSL connections from
> nginx's error.log shows no additional errors, so we think our assumption is
> correct. The certificate election mechanism is based on cipher suites from
> ClientHello and unfortunately there is no certificate signature type in
> the cipher suite string.
> If you try to make the same configuration, you need to force server
> cipher suites over the client's, and carefully place ECDSA before RSA. To check
> if everything works fine, use the openssl s_client utility with the -cipher option.
> RSA should be enabled only if ECDSA is not present in client ciphers.
> To monitor proper certificate usage in production we use the ssl_cipher
> variable. Additionally we've added a variable with the currently used server
> certificate serial number, just to be sure. Our logs show that in December
> ~20-25% of clients used the RSA certificate in our configuration.
> Please feel free to contact me if you have any questions.
> Regards,
> Anton Kortunov.
> On Sun, Feb 21, 2016 at 1:58 PM, Jonathan Horn <jonathan at> wrote:
>> Hi all,
>> I wanted to know what the current status is to get dual certificate
>> support into nginx.
>> I saw that there have been some patches in March and April last year,
>> but with no indication why the final version in April hasn't been merged.
>> Is there any work currently done on bringing this into nginx? Or is some
>> other feature development currently blocking this? Is there something
>> else that I can help with to get that support into nginx?
>> Jonathan Horn
>> _______________________________________________
>> nginx-devel mailing list
>> nginx-devel at
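
The selection rule from the quoted message (RSA only when the client offers no ECDSA suite), as an added sketch that is not part of the thread or of the patches: it models cipher negotiation to show why both server preference and ECDSA-first ordering matter, then tallies certificate types from logged `$ssl_cipher` values. The cipher lists, the log layout (cipher name as the last field) and all function names are assumptions made for this example.

```python
# Added example; cipher lists and log lines are constructed sample data.

def cert_type(cipher):
    # Assumption: only ECDSA- and RSA-authenticated suites are enabled
    # (OpenSSL names for TLS <= 1.2), so anything without ECDSA means RSA.
    return "ECDSA" if "-ECDSA-" in cipher else "RSA"

def negotiate(server_prefs, client_offer, prefer_server=True):
    """Return the first mutually supported suite in the deciding side's order."""
    order, other = ((server_prefs, client_offer) if prefer_server
                    else (client_offer, server_prefs))
    return next((c for c in order if c in other), None)

def rsa_despite_ecdsa(server_prefs, client_offer, prefer_server=True):
    """True when RSA is selected although a shared ECDSA suite was offered."""
    chosen = negotiate(server_prefs, client_offer, prefer_server)
    ecdsa_possible = any(cert_type(c) == "ECDSA"
                         for c in client_offer if c in server_prefs)
    return chosen is not None and cert_type(chosen) == "RSA" and ecdsa_possible

def rsa_share(log_lines):
    """Fraction of logged connections that were served the RSA certificate."""
    types = [cert_type(line.split()[-1]) for line in log_lines if line.strip()]
    return types.count("RSA") / len(types)

ECDSA_FIRST = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
               "AES128-SHA"]
RSA_FIRST = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
             "AES128-SHA"]
# A client that supports both but lists RSA first, and one with no ECDSA at all.
MODERN_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256"]
OLD_CLIENT = ["AES128-SHA", "DES-CBC3-SHA"]

# Constructed access-log lines ending in "$ssl_protocol $ssl_cipher".
SAMPLE_LOG = [
    '203.0.113.5 "GET / HTTP/1.1" 200 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256',
    '203.0.113.9 "GET / HTTP/1.1" 200 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256',
    '198.51.100.7 "GET / HTTP/1.1" 200 TLSv1 AES128-SHA',
    '198.51.100.8 "GET / HTTP/1.1" 200 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256',
]

if __name__ == "__main__":
    print("ECDSA first, server order:", negotiate(ECDSA_FIRST, MODERN_CLIENT))
    print("ECDSA first, client order:", negotiate(ECDSA_FIRST, MODERN_CLIENT, False))
    print("RSA first, server order:  ", negotiate(RSA_FIRST, MODERN_CLIENT))
    print("old client:               ", negotiate(ECDSA_FIRST, OLD_CLIENT))
    print("RSA share in sample log:  ", rsa_share(SAMPLE_LOG))
```
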