Any way to allow secure SSL renegotiation?

Perry, William wperry at
Sun Jul 24 23:09:11 UTC 2016

“Secure” meaning using TLS only, RFC5746 style.

I would like to have a module that decides which certificate authorities are valid based on aspects of a request (location, type of authentication required, etc).  Some user populations will require client certificates from one CA, others from another, and others will not use client certificates at all.  Specifying SSL client certificates as ‘optional’ for the entire server is not exactly a great user experience, and I would prefer not to send the trusted CAs for all user populations to every user.

This currently works in Apache and mod_ssl with some extra protections to only allow renegotiation to be triggered by the server, but I want to get NGINX handling all of the TLS traffic.

Has anyone come up with a relatively simple patch to allow NGINX to start the renegotiation process?  Figured I would check before reinventing the wheel.

-Bill Perry
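As an added illustration (not part of the original post, and not code from the nginx project), the configuration below shows the approach nginx does support without renegotiation: one `server` block per user population, selected by SNI hostname, each trusting only its own CA, with `$ssl_client_verify` enforcing the certificate on the paths that need it. Hostnames, file paths and the backend address are placeholders.

```nginx
# Added example: per-population CA selection by SNI hostname.
# All hostnames, paths and the upstream address are placeholders.

# Population A: client certificates issued by CA "A", required only under /secure/.
server {
    listen 443 ssl;
    server_name partners.example.com;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Only CA "A" is advertised in this server's CertificateRequest.
    ssl_client_certificate /etc/nginx/tls/ca-a.pem;
    ssl_verify_client      optional;
    ssl_verify_depth       2;

    # Public paths: served whether or not a certificate was presented.
    location /public/ {
        root /srv/www;
    }

    # Protected paths: $ssl_client_verify is "SUCCESS", "FAILED:<reason>" or "NONE";
    # anything other than a successful chain to CA "A" is refused.
    location /secure/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}

# Population B: client certificates issued by CA "B", mandatory for the whole host.
server {
    listen 443 ssl;
    server_name staff.example.com;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    ssl_client_certificate /etc/nginx/tls/ca-b.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8081;
    }
}

# Population C: no client certificates at all, so no CertificateRequest is sent.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    location / {
        root /srv/www;
    }
}
```

The CA list and the `ssl_verify_client` mode are fixed per `server` block, because nginx chooses the block from the SNI name before it sends the CertificateRequest; within one block they cannot vary by `location`, which is exactly the gap the post describes. Splitting populations across hostnames keeps each population from seeing the other CAs, but it does not cover the case of one hostname serving mixed populations, since nginx provides no directive to start a renegotiation itself.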
