Verify client certificate per location

fgbreel · December 15, 2015, 2:22pm

Hi, I’m using HAProxy with client certificate checking with verify optional and checking for ssl_c_used and/or ssl_c_verify combined with http-request deny for just one location.

http-request deny if { path /mysecurepath } !{ ssl_c_verify ne 0 }

My problem is the client certificate is requested to the client when using an Android browser for example.

It is possible to use verify none to not ask for the client certificate but be able to use ssl_c_used and ssl_c_verify?

fgbreel · December 18, 2015, 9:09pm

I think I’m doing something wrong here, because the client names need to be sent, and then, the request is made, so the server need to send the CA before the GET|HEAD be accepted. Doh!

Topic		Replies	Views
Opportunistic client certificate validation Help!	2	1338	August 17, 2017
Check Certificate in Backend possible Help!	4	1178	June 22, 2017
mTLS by path - requiring client verification for some paths Help!	7	2544	February 13, 2021
How to set ssl verify client for specific domain name Help!	13	23477	June 25, 2023
HAProxy TLS interception Help!	8	1729	March 22, 2021

Verify client certificate per location

Related topics