On Fri, Jan 27, 2023 at 12:13 PM Cary Huang <cary.hu...@highgo.ca> wrote: > > (Eventually I'd like to teach the server not to ask for a client > > certificate if it's not going to use it.) > > If clientcert is not requested by the server, but yet the client still > sends the certificate, the server will still verify it. This is the case > in this discussion.
I think this is maybe conflating the application-level behavior with the protocol-level behavior. A client certificate is requested by the server if ssl_ca_file is set, whether clientcert is set in the HBA or not. It's this disconnect between the intuitive behavior and the actual behavior that I'd like to eventually improve. --Jacob
