Verify client certificate per location


#1

Hi, I’m using HAProxy with client certificate checking with verify optional and checking for ssl_c_used and/or ssl_c_verify combined with http-request deny for just one location.

http-request deny if { path /mysecurepath } !{ ssl_c_verify ne 0 }

My problem is that the client certificate is requested from the client when using an Android browser, for example.

Is it possible to use verify none to not ask for the client certificate but still be able to use ssl_c_used and ssl_c_verify?


#2

I think I’m doing something wrong here, because the client names need to be sent, and then the request is made, so the server needs to send the CA before the GET|HEAD is accepted. Doh!
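
The setup discussed in this thread, written out as an added example (not configuration posted by either participant): the certificate request is made per `bind` line during the TLS handshake, and the path rule can only be evaluated afterwards. File paths, the frontend and backend names and the backend address are placeholders.

```haproxy
# Added example; all paths, names and addresses below are placeholders.
frontend fe_https
    mode http

    # "verify optional" makes HAProxy request a client certificate during the
    # TLS handshake. The handshake completes before the HTTP request is read,
    # so the request goes to every client on this bind, whatever path it asks for.
    # With "verify none" no certificate is requested at all, so ssl_c_used
    # is never true and there is nothing for ssl_c_verify to report on.
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional

    acl secure_path path /mysecurepath
    acl has_cert    ssl_c_used          # a client certificate was presented
    acl cert_ok     ssl_c_verify 0      # 0 = verification reported no error

    # Enforce the certificate for the protected location only.
    # ssl_c_verify is also 0 when no certificate was sent, so both checks are needed.
    http-request deny if secure_path !has_cert
    http-request deny if secure_path !cert_ok

    default_backend be_app

backend be_app
    mode http
    server app1 127.0.0.1:8080
```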