(mTLS) Can Traefik return a 401 response when client certificate is bad/not provided?

brodiem0 · September 20, 2022, 5:54am

Hi there,

We are using a Docker container instance of Traefik for Mutual TLS Auth.

At present, when a bad certificate is provided, or none is provided at all, we receive a TLS handshake error log in the container, and an ERR_BAD_SSL_CLIENT_AUTH_CERT 200 response.

Does Traefik support the ability to return a 401 response if the certificate provided fails to authenticate?

Thanks,
Brodie

kevinpollet · September 21, 2022, 1:35pm

Hello @brodiem0 and thanks for your interest in Traefik,

Unfortunately, this is not possible because the validation of the client certificate is done during the TLS handshake which happens before forwarding the request to the HTTP stack. So, this is why it is not possible to return a 401 in that case.

brodiem0 · October 12, 2022, 3:59am

Okay understood, thanks Kevin.

Topic		Replies	Views
Traefik to Traefik mTLS authentication Traefik v1 file	13	3974	December 9, 2020
Traefik configuration to allow access to a webapp based on a client certificate attribute or attributes Traefik v2 docker	9	1780	January 18, 2021
How to inform the backend HTTP server of a client certificate Traefik v2 tcp	1	781	April 19, 2023
ClientAuth RequireAndVerifyClientCert not requesting client certificate Traefik v2 kubernetes-crd	3	1054	May 7, 2024
Pre-defined client certificate to backend request Traefik v2 rest-api , middleware , cli	13	974	January 2, 2024

(mTLS) Can Traefik return a 401 response when client certificate is bad/not provided?

Related topics