You can specialize the client certificate requirements using sni.yaml, so it is only requested for specific domain names. There is also an ip_allow action in sni.yaml (which I see is not documented) which would allow you to control requiring a client certificate based on the peer's IP.
https://docs.trafficserver.apache.org/en/latest/admin-guide/files/sni.yaml.en.html?highlight=sni%20yaml#std:configfile-sni.yaml

I'll work on putting up a PR with some documentation on the ip_allow action.

Susan

On Sun, Nov 24, 2019 at 11:09 PM supraja sridhar <[email protected]> wrote:

> Hello,
>
> I understand that -
> proxy.config.ssl.client.certification_level provides the option to
> enable/disable client certificate verification across all connections. Is
> it possible to skip client certificate verification based on source IP?
>
>
> Thanks,
> Supraja
>
