
As I've confirmed in this SO security answer, I know we can have a self-signed client certificate.

I tried adding the client cert into ca.pem as in

bind 0.0.0.0:443 ssl crt /etc/ssl/private/asdf.hdavid.io.pem verify optional ca-file /etc/ssl/certs/ca.pem
http-request set-header X-SSL-Client-Verify        %[ssl_c_verify]

And then calling it with curl -v --key key.pem --cert cert.pem https://asdf.hdavid.io

But I get X-SSL-Client-Verify as zero in the backend in both cases: when the client presents a valid certificate and when it presents a certificate that is not in HAProxy's trust store.

Actually it seems to work: with verify require, HAProxy properly blocks requests not coming from the certificate I trusted inside HAProxy. But when I have verify optional, I always get ssl_c_verify as zero. Why is that?

David Hofmann

0 Answers