Trouble with ssl_verify_client option

Maxim Dounin mdounin at
Sat Nov 6 05:06:53 MSK 2010


On Fri, Nov 05, 2010 at 11:28:33PM +0100, Luit van Drongelen wrote:

> On Fri, Nov 5, 2010 at 1:14 AM, Luit van Drongelen <me at> wrote:
> > Am I expecting the wrong things here, or is server-specific
> > ssl_verify_client setting broken here?
> My case further simplified:
> http { server { listen: 443; ssl on; ssl_verify_client optional;
> certificate and key stuffs; }} # DOESN'T WORK
> vs.
> http { ssl_verify_client: optional; certificate and key stuffs;
> server{listen: 443; ssl: on; }} # WORKS FINE
> This is the same for ssl_verify_client: on, where the "doesn't work"
> means it'll just stop any request.
> So are my expectations of ssl_verify_client wrong, or would this be a bug?

Directive ssl_verify_client works correctly only on 
per-ssl-connection basis (as well as ssl_certificate) as it 
requires client certificate request during ssl handshake.

This means that (unless you have SNI[1] enabled) if you have multiple 
ssl server{}'s listening on the same ip:port pair - you have to 
specify ssl_verify_client identical (or at least somewhat synced) 
for all servers on the ip:port pair in question.


Your simplified cases should both work ok (and they works ok here, 
and I doubt you actually tested them).  Though this one will cause 
troubles without SNI:

http {
    server {
       listen 443;
       ssl on;

   server {
       listen 443;
       ssl on;
       ssl_verify_client on;

Default server for port 443 is first one,, and 
all ssl connections will be established without certificate 
request (and with server certificate specified in this server - 
though this is probably obvious).  As soon as request to comes in - nginx will select second server, try 
to check client's certificate and return 400 as there is no client 

Obvious solutions are:

1. Use separate ip's for separate servers.

2. Keep ssl_verify_client at least "optional" in the default 
server for ip:port pair if you want client certificates to be 
available for servers on the ip:port pair in question.  Note that 
this may cause unnecessary "select certificate to submit" dialogs 
in browser.

3. Use SNI.  As long as you care about IE users under Windows XP - 
this probably isn't an option.

Maxim Dounin

More information about the nginx mailing list