I noticed that "RequireAndVerifyClientCert" has no effect on "clientAuthType:" if the secret in "secretNames:" is missing. This means that if the secret is missing or misconfigured, the endpoint is no longer protected and accessible to the whole world. I consider this fallback behavior to be highly …

RequireAndVerifyClientCert has no efact when secret is missing

nicomengin December 9, 2022, 10:55am 4

Quick update on this topic.

We've released Traefik v2.9.6 which embeds a fix to your issue.
Note that we've qualified it as a CVE.

You can find more information by reading this post.

Topic		Replies	Views
Client with no certs still has access to Traefik in RequireAndVerifyClientCert Traefik v2 docker , file	4	509	January 11, 2024
ClientAuth RequireAndVerifyClientCert not requesting client certificate Traefik v2 kubernetes-crd	3	862	May 7, 2024
Optional client certificates in Kubernetes not working Traefik v1 kubernetes-ingress	4	2401	July 11, 2019
Client Authentication(mTLS) with enforcement is not working Traefik v2 kubernetes-ingress , letsencrypt-acme	4	975	December 3, 2020
RequireAnyClientCert with consul catalogue Traefik v2 consul-catalog	1	512	April 26, 2020