Wed, 3rd Sep 2008

Nginx is a web server. It’s tiny, it’s free (and open source, though like I care what license it’s under) and it’s screamingly fast. I do prefer it to Apache, even though there are a few bits it lacks.

One thing I ran into recently was testing client-certificate authentication with the iPhone. See, although nginx supports it, there are only two options: on or off[1].

Apache has more options, including ‘require’. It seems that the latest stable version of nginx asks for a client certificate but doesn’t require the client to present one, so the iPhone at least doesn’t bother. So I dug into the source and, knowing a bit about OpenSSL, changed:

SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_http_ssl_verify_callback);

to

SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ngx_http_ssl_verify_callback);

in the ‘ngx_event_openssl.c’ file, around line 243. OR’ing in the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag makes OpenSSL abort the handshake when the client presents no certificate; with SSL_VERIFY_PEER alone the server only sends a certificate request, and a client that answers with no certificate still completes the handshake, so the certificate is effectively optional and anything that relies on it has to check that one was actually presented. Recompile, restart - presto! Nginx makes the iPhone ask for the certificate!
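To make the difference concrete, here is an added example that is not from this post and not nginx code: it reproduces the two behaviours with Go’s crypto/tls, where VerifyClientCertIfGiven stands in for SSL_VERIFY_PEER and RequireAndVerifyClientCert for SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT. The throwaway server certificate, the loopback listener and the function names are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// must aborts on an error; this demo has no sensible recovery path.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert builds a throwaway server certificate in memory (constructed
// for this example) so that no key or certificate files are needed.
func selfSignedCert() tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// HandshakeWithoutClientCert connects a client that owns no certificate to a
// loopback server in the given ClientAuth mode. It reports whether the server
// accepted the handshake and how many peer certificates it ended up holding.
func HandshakeWithoutClientCert(mode tls.ClientAuthType) (accepted bool, peerCerts int) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go func() { // client: no Certificates, so CertificateRequest gets an empty list; skip-verify only because the server cert is a throwaway
		if cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true}); err == nil {
			cli.Read(make([]byte, 1)) // wait for the server's verdict (an alert or a close)
			cli.Close()
		}
	}()
	conn := must(ln.Accept())
	defer conn.Close()
	srv := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{selfSignedCert()}, ClientAuth: mode})
	if err := srv.Handshake(); err != nil { // e.g. "tls: client didn't provide a certificate"
		return false, 0
	}
	return true, len(srv.ConnectionState().PeerCertificates)
}
```

With the first mode the server-side handshake succeeds and ConnectionState().PeerCertificates is empty, so anything that relies on the client identity has to check for that itself; with the second the handshake is refused outright, which is the behaviour the patched flag produces in nginx.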

[1] The new 0.7 branch has an ‘ask’ option, but I haven’t tried that yet and it probably works as above.

Note: This was written years ago. I haven’t checked in newer versions.