The CCR (Client Certificate Requested) renegotiation list is a feature used to keep track of servers which request a client certificate via handshake renegotiation.
This is useful when the policy client.certificate.requested=yes ssl.forward_proxy(no) is deployed to automatically disable SSL interception for hosts which request a client certificate.
The use case is such that the server does not request a client certificate on the initial handshake but may request one later on during the TLS session. While the first connection will break as the proxy will likely not be configured to provide an acceptable client certificate, by keeping track of hosts which do this, we are able to disable SSL interception on subsequent connections so they will work.
This feature is no longer working as of SGOS 220.127.116.11
Defect ticket SG-24817 was raised with Engineering to track this issue and possibly provide a fix in a future version.
The workaround is to explicitly disable SSL interception for the affected sites.