#sknebelok ;) this seems to be an nginx feature request for what you want, there the suggested workaround is breaking TLS at cipher negotiation stage, so they don't even get to the point where they talk about certs. also *ugly*. https://trac.nginx.org/nginx/ticket/195