proxy_ssl_certificate not exchanging client certificates

lieut_data nginx-forum at
Wed Apr 29 21:09:26 UTC 2015

Thanks for getting back to me so quickly!

Maxim Dounin Wrote:
> What nginx doesn't support (or, rather, explicitly forbids) is 
> renegotiation.  On the other hand, renegotiation is required if 
> one needs to ask for a client certificate only for some URIs, so 
> it's likely used in your case.  You should see something like "SSL 
> renegotiation disabled" in logs at notice level.

Yes, this is exactly the problem. With your hint, I commented out the
relevant code in ngx_ssl_handshake and ngx_ssl_handle_recv -- and proxying
worked flawlessly. (Interestingly, I never saw the log you identified
because of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS having been set on the openssl
connection object.)

I think I understand the gist of why nginx forbids client-initiated
renegotiation (denial of service concerns? security concerns?), but I'm not
well-versed in openssl enough to know if the same concerns apply to
server-initiated renegotiation with nginx as the client, especially when it
applies to cipher renegotiation as noted above.

Would nginx be open to a patch that would make this use case feasible?
Perhaps as a modification to only disable these renegotiations when nginx is
the server in the SSL equation?

Posted at Nginx Forum:,258464,258520#msg-258520

More information about the nginx mailing list