Client certificates require nginx restart

Hi,
I have set up nginx as an SSL reverse proxy for Tomcat. I am doing
matching based on the client DN like this:

  ssl on;
  ssl_certificate /etc/ssl/server.crt;
  ssl_certificate_key /etc/ssl/server.key;
  ssl_client_certificate /etc/ssl/certs/ca.crt;
  ssl_verify_client on;

  location /client2 {
    if ($ssl_client_s_dn = "/C=US/ST=OH/O=TEST.US/OU=ADM/CN=client2") {
      proxy_pass http://127.0.0.1:8180;
      break;
    }
  }

Everything works fine except that I have to restart nginx every time a new
certificate is imported into a client browser. I would like to make them
work without restarting nginx. Is it possible or am I doing something
wrong? Thanks in advance for any help.

Posted at Nginx Forum:

Hello!

On Mon, Dec 06, 2010 at 05:42:01AM -0500, kefear wrote:

> work without restarting nginx. Is it possible or am I doing something
> wrong? Thanks in advance for any help

It’s likely to be caused by the browser using a previously established
SSL session (with the old client cert used in it). Restarting the
browser should help as well.

Maxim D.
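
To check the diagnosis in the reply above, nginx can log the client DN and the session-resumption state for each request. This is an added example, not part of the original thread: the log format name `tls_client`, the log path and the `listen` line are assumptions, and `$ssl_session_reused` requires nginx 1.5.11 or later.

```nginx
# Added example (not from the thread): record which client certificate nginx
# sees on each request and whether the TLS session was resumed.
# log_format belongs in the http {} context.
log_format tls_client '$remote_addr [$time_local] "$request" $status '
                      'verify=$ssl_client_verify reused=$ssl_session_reused '
                      'dn="$ssl_client_s_dn"';

server {
    listen 443 ssl;   # assumption; the original post uses "ssl on;"

    # Paths as given in the original post.
    ssl_certificate        /etc/ssl/server.crt;
    ssl_certificate_key    /etc/ssl/server.key;
    ssl_client_certificate /etc/ssl/certs/ca.crt;
    ssl_verify_client      on;

    # Assumed log path; one line per request with the handshake details.
    access_log /var/log/nginx/tls_client.log tls_client;

    location /client2 {
        # From nginx 1.11.6 on, $ssl_client_s_dn is formatted per RFC 2253
        # (comma-separated); the slash-separated form compared here is then
        # available as $ssl_client_s_dn_legacy.
        if ($ssl_client_s_dn = "/C=US/ST=OH/O=TEST.US/OU=ADM/CN=client2") {
            proxy_pass http://127.0.0.1:8180;
            break;
        }
    }
}
```

In the resulting log, `reused=r` marks a resumed session and `reused=.` a full handshake. Requests that still show the old DN with `reused=r` after a new certificate was imported match the behaviour the reply describes.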