OpenSSL 1.0.2 certificate selection based on client settings

Dmitry Gorozhanin asked:

In one article I read that OpenSSL 1.0.2 allows you to select the certificate depending on the client configuration.
For example, Windows XP early SP2 does not support ECC certificates; for such a client the server will return one certificate, and another certificate for a modern OS.

I can't find a description of this technology. Does any web server support it?

My answer:


You’re referring to this bit in the linked article (here, translated to English):

OpenSSL version 1.0.2 allows you to select the server certificate based on the parameters of the client. Unfortunately Nginx out of the box does not allow the use of multiple certificates for a single server.

This appears to be referring to the following OpenSSL feature, added in 1.0.2:

*) Add certificate callback. If set this is called whenever a certificate
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
supported signature algorithms. Add very simple example to s_server.
This fixes many of the problems and restrictions of the existing client
certificate callback: for example you can now clear an existing
certificate and specify the whole chain.
[Steve Henson]

So far I can find no evidence that nginx supports this functionality, nor of any unofficial patches. Nor, from a quick look, did I find anything relevant for Apache or any other web server. I am sure it will be added eventually, but if you really need this soon, I would suggest asking on the nginx mailing list.
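As an added illustration (not part of the question or the answer, and not OpenSSL's or nginx's own code), here is the kind of decision the 1.0.2 certificate callback lets a server make: parse the client's TLS 1.2 signature_algorithms extension and present an ECDSA chain only to clients that advertise ECDSA with SHA-256 or stronger, falling back to RSA for everyone else, including TLS 1.0/1.1 clients (such as old Windows XP) that send no such extension at all. The portable part runs stand-alone on constructed sample bytes; the `USE_OPENSSL` section is an assumed, untested sketch of how it would be wired into `SSL_CTX_set_cert_cb` (the `struct chains`, the hypothetical `cert_cb` and its 64-entry cap are my own, not from the page).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS 1.2 SignatureAndHashAlgorithm octets (RFC 5246, section 7.4.1.4.1):
 * each entry is one HashAlgorithm byte followed by one SignatureAlgorithm byte. */
#define HASH_SHA256 4
#define HASH_SHA384 5
#define HASH_SHA512 6
#define SIG_RSA     1
#define SIG_ECDSA   3

enum chain_choice { CHAIN_RSA = 0, CHAIN_ECDSA = 1 };

/* Parse the body of a signature_algorithms extension: a 2-byte length followed
 * by exactly that many bytes of (hash, sig) pairs. Returns the number of pairs
 * and points *pairs at the first one, or -1 if the body is truncated, oversized
 * or oddly sized (a malformed extension must never be trusted). */
int parse_sigalgs_ext(const uint8_t *body, size_t body_len, const uint8_t **pairs)
{
    size_t list_len;
    if (body == NULL || body_len < 2)
        return -1;
    list_len = ((size_t)body[0] << 8) | body[1];
    if (list_len == 0 || list_len % 2 != 0 || list_len != body_len - 2)
        return -1;
    *pairs = body + 2;
    return (int)(list_len / 2);
}

/* Present the ECDSA chain only if the client can verify ECDSA with SHA-256 or
 * stronger. Anything else, including npairs == 0 (a pre-TLS-1.2 client, which
 * sends no extension at all), falls back to the RSA chain. */
enum chain_choice choose_chain(const uint8_t *pairs, int npairs)
{
    int i;
    for (i = 0; i < npairs; i++) {
        uint8_t hash = pairs[2 * i], sig = pairs[2 * i + 1];
        if (sig == SIG_ECDSA &&
            (hash == HASH_SHA256 || hash == HASH_SHA384 || hash == HASH_SHA512))
            return CHAIN_ECDSA;
    }
    return CHAIN_RSA;
}

/* Extension body in, choice out; a missing or malformed extension is treated
 * exactly like a client that sent none. */
enum chain_choice choose_chain_from_ext(const uint8_t *body, size_t body_len)
{
    const uint8_t *pairs = NULL;
    int n = parse_sigalgs_ext(body, body_len, &pairs);
    return choose_chain(pairs, n < 0 ? 0 : n);
}

/* Constructed sample extension bodies (made up for this example, not captured traffic). */
static const uint8_t SAMPLE_MODERN[] =     /* sha256/ecdsa, sha256/rsa, sha384/ecdsa, sha384/rsa, sha1/rsa */
    { 0x00, 0x0a, 0x04, 0x03, 0x04, 0x01, 0x05, 0x03, 0x05, 0x01, 0x02, 0x01 };
static const uint8_t SAMPLE_LEGACY[] =     /* sha1/rsa, sha1/dsa only */
    { 0x00, 0x04, 0x02, 0x01, 0x02, 0x02 };
static const uint8_t SAMPLE_SHA1_ECDSA[] = /* ecdsa offered, but only with sha1 */
    { 0x00, 0x02, 0x02, 0x03 };
static const uint8_t SAMPLE_TRUNCATED[] =  /* claims 8 bytes of pairs, carries 2 */
    { 0x00, 0x08, 0x04, 0x03 };

enum chain_choice demo_modern(void)     { return choose_chain_from_ext(SAMPLE_MODERN, sizeof SAMPLE_MODERN); }
enum chain_choice demo_legacy(void)     { return choose_chain_from_ext(SAMPLE_LEGACY, sizeof SAMPLE_LEGACY); }
enum chain_choice demo_sha1_ecdsa(void) { return choose_chain_from_ext(SAMPLE_SHA1_ECDSA, sizeof SAMPLE_SHA1_ECDSA); }
enum chain_choice demo_truncated(void)  { return choose_chain_from_ext(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED); }
int truncated_pair_count(void) { const uint8_t *p; return parse_sigalgs_ext(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &p); }

#ifdef USE_OPENSSL
/* Glue for OpenSSL 1.0.2's certificate callback. This part is an untested
 * sketch against the 1.0.2 API (SSL_CTX_set_cert_cb, SSL_get_sigalgs,
 * SSL_certs_clear, SSL_use_certificate, SSL_use_PrivateKey); the caller is
 * assumed to have loaded both chains and to register the callback with
 * SSL_CTX_set_cert_cb(ctx, cert_cb, &chains). */
#include <openssl/ssl.h>
struct chains { X509 *rsa_cert; EVP_PKEY *rsa_key; X509 *ecdsa_cert; EVP_PKEY *ecdsa_key; };

static int cert_cb(SSL *ssl, void *arg)
{
    struct chains *c = arg;
    unsigned char pairs[2 * 64];
    int i, n = SSL_get_sigalgs(ssl, -1, NULL, NULL, NULL, NULL, NULL); /* idx -1: count only */
    if (n > 64) n = 64;                                                 /* hypothetical cap */
    for (i = 0; i < n; i++) /* raw octets come back as (rsig, rhash); store as (hash, sig) */
        SSL_get_sigalgs(ssl, i, NULL, NULL, NULL, &pairs[2 * i + 1], &pairs[2 * i]);
    SSL_certs_clear(ssl);   /* drop any chain set on the SSL_CTX before choosing */
    if (choose_chain(pairs, n) == CHAIN_ECDSA)
        return SSL_use_certificate(ssl, c->ecdsa_cert) && SSL_use_PrivateKey(ssl, c->ecdsa_key);
    return SSL_use_certificate(ssl, c->rsa_cert) && SSL_use_PrivateKey(ssl, c->rsa_key);
}
#endif

int main(void)
{
    printf("modern client -> %s\n", demo_modern() == CHAIN_ECDSA ? "ECDSA" : "RSA");
    printf("legacy client -> %s\n", demo_legacy() == CHAIN_ECDSA ? "ECDSA" : "RSA");
    return 0;
}
```

Two design points worth noting: a malformed signature_algorithms body is treated as absent (so the client simply gets the RSA chain) rather than as a reason to abort, and the selection is keyed on the signature algorithm the client can verify, not on its TLS version string, which is what makes it robust against clients that speak TLS 1.2 but still lack ECC support.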


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.