Status of dual certificate support

ToSHiC toshic.toshic at
Sun Feb 21 19:07:41 UTC 2016


We are using patches from here:
in production since 20th of December 2015.

We've made 2 certificates: EC+SHA2 signature for new browsers and RSA+SHA1
signature for old ones. We assume that all browsers that supports EC certs
does support SHA2 certs signature. Monitoring of bad SSL connections from
nginx' error.log shows no additional errors so we think our assumption is
correct. Certificate election mechanism is based on cipher suites from
ClientHello and unfortunately there is no certificate signature type in
cypher suite string.

If you'll try to make the same configuration you need to force server
cipher suites over clients, and carefully place ECDSA before RSA. To check
if everything works fine use openssl s_client utility with -cipher options.
RSA should be enabled only if ECDSA is not present in client ciphers.

To monitor proper certificate usage in production we use ssl_cipher
variable. Additioanlly we've added variable with currently used server
certificate serial number, just to be sure. Our logs shows that in December
~20-25% of clients have used RSA certificate in our configuration.

Please feel free to contact me if you have any questions.

Anton Kortunov.

On Sun, Feb 21, 2016 at 1:58 PM, Jonathan Horn <jonathan at>

> Hi all,
> I wanted to know what the current status is to get dual certificate
> support into nginx.
> I saw that there have been some patches in March and April last year,
> but with no indication why the final version in April hasn't been merged.
> Is there any work currently done on bringing this into nginx? Or is some
> other feature development currently blocking this? Is there something
> else that I can help with to get that support into nginx?
> Jonathan Horn
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx-devel mailing list