enforcing mutual auth from the client
stephen.wall at redcom.com
Thu Sep 1 21:57:28 UTC 2022
> It is not clear what threat model warrants taking special action when the client
> certificate is not requested. It could equally be requested and then largely
A client in a highly secured network knows that every server it connects to will require a client certificate. If the request fails to arrive, it's either a misconfiguration or a compromised server. In either case, the client prefers to fail and make the user aware of a problem rather than risk compromising sensitive data with the user unaware that there was unexpected behavior.
More information about the openssl-users