accept-client-certs
Use the accept-client-certs stanza entry to control how WebSEAL handles client certificates from HTTPS clients.
Syntax
accept-client-certs = {never|critical|required|optional|prompt_as_needed}
Description
Specifies how to handle certificates from HTTPS clients.
Options
- never
- Never request a client certificate.
- critical
- Always request a client certificate. If a valid certificate is not presented, the SSL handshake fails.
- required
- Always request a client certificate. If a valid certificate is not presented, the SSL handshake succeeds but an error HTTP response is sent back to the client.
- optional
- Always request a client certificate. If a valid certificate is presented, use it.
- prompt_as_needed
- Only prompt for and process certificates when certificate authentication is necessary. An example of such a situation is an ACL or POP check failure.
Note:
- When this value is set, ensure that the ssl-id-sessions stanza entry in the [session] stanza is set to no.
- The Alternate Port Method is required when Web Reverse Proxy is configured to accept HTTP/2 requests.
- The Alternative Port Method is required for TLSv1.3 clients.
Usage
This stanza entry is required.
Default value
never
Example
accept-client-certs = never
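The following configuration check is an added example, not part of the product documentation. It flags a missing or undocumented accept-client-certs value, and a prompt_as_needed setting without ssl-id-sessions = no in the [session] stanza. The stanza name [certificate], the # comment marker, and the function names are assumptions.

```python
import re

# Options listed on this page for accept-client-certs.
VALID = {"never", "critical", "required", "optional", "prompt_as_needed"}

def parse_stanzas(text):
    """Parse stanza-style config text into {stanza: {entry: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumed comment marker
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()  # last occurrence wins
    return stanzas

def audit(text, cert_stanza="certificate"):
    """Return findings for accept-client-certs; cert_stanza is an assumption."""
    stanzas = parse_stanzas(text)
    mode = stanzas.get(cert_stanza, {}).get("accept-client-certs")
    if mode is None:
        return ["accept-client-certs is missing, but the entry is required"]
    if mode not in VALID:
        return [f"accept-client-certs = {mode} is not a documented option"]
    findings = []
    if mode == "prompt_as_needed":
        ssl_id = stanzas.get("session", {}).get("ssl-id-sessions")
        if ssl_id != "no":
            findings.append(
                "prompt_as_needed needs ssl-id-sessions = no in [session], "
                f"found {ssl_id if ssl_id is not None else 'not set'}")
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """
[certificate]
accept-client-certs = prompt_as_needed

[session]
ssl-id-sessions = yes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```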