accept-client-certs stanza entry

accept-client-certs

Use the accept-client-certs stanza entry to control how WebSEAL handles client certificates from HTTPS clients.

accept-client-certs = {never|critical|required|optional|prompt_as_needed}

Description

How to handle certificates from HTTPS clients.
Options

never Never request a client certificate.
critical Always request a client certificate. If a valid certificate is not presented, the SSL handshake fails.
required Always request a client certificate. If a valid certificate is not presented, the SSL handshake succeeds but an error HTTP response is sent back to the client.
optional Always request a client certificate. If a valid certificate is presented, use ieclient certificate.
prompt_as_needed Only prompt for and process certificates when certificate authentication is necessary. An example of such situation is an ACL or POP check failure.

When this value is set, ensure the ssl-id-sessions stanza entry in the [session] stanza is set to no.
The Alternate Port Method is required when web reverse proxy is configured to accept HTTP/2 requests.
The Alternative Port Method is required for TLSv1.3 clients.

Usage: Required.
Default:
never
Example: accept-client-certs = never
Parent topic: [certificate] stanza

never	Never request a client certificate.
critical	Always request a client certificate. If a valid certificate is not presented, the SSL handshake fails.
required	Always request a client certificate. If a valid certificate is not presented, the SSL handshake succeeds but an error HTTP response is sent back to the client.
optional	Always request a client certificate. If a valid certificate is presented, use ieclient certificate.
prompt_as_needed	Only prompt for and process certificates when certificate authentication is necessary. An example of such situation is an ACL or POP check failure. When this value is set, ensure the ssl-id-sessions stanza entry in the [session] stanza is set to no. The Alternate Port Method is required when web reverse proxy is configured to accept HTTP/2 requests. The Alternative Port Method is required for TLSv1.3 clients.