Thanks for getting back to me so quickly!

Maxim Dounin Wrote:
-------------------------------------------------------
> What nginx doesn't support (or, rather, explicitly forbids) is
> renegotiation. On the other hand, renegotiation is required if
> one needs to ask for a client certificate only for some URIs, so
> it's likely used in your case. You should see something like "SSL
> renegotiation disabled" in logs at notice level.

Yes, this is exactly the problem. With your hint, I commented out the relevant code in ngx_ssl_handshake and ngx_ssl_handle_recv -- and proxying worked flawlessly. (Interestingly, I never saw the log you identified because of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS having been set on the openssl connection object.)

I think I understand the gist of why nginx forbids client-initiated renegotiation (denial of service concerns? security concerns?), but I'm not well-versed enough in openssl to know if the same concerns apply to server-initiated renegotiation with nginx as the client, especially when it applies to cipher renegotiation as noted above.

Would nginx be open to a patch that would make this use case feasible? Perhaps as a modification to only disable these renegotiations when nginx is the server in the SSL equation?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,258464,258520#msg-258520

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
