This is documented as "Only request a client certificate on the initial TLS/SSL handshake. Do not ask for a client certificate again in case of a renegotiation." Server-side renegotiation is gone. I'm not sure this flag has ever worked anyway, dating all the way back to SSLeay 0.8.1b. ssl_get_new_session overwrites s->session, so the old session->peer is lost. Change-Id: Ie173243e189c63272c368a55167b8596494fd59c Reviewed-on: https://boringssl-review.googlesource.com/4883 Reviewed-by: Adam Langley <agl@google.com>kris/onging/CECPQ3_patch15