Client TLS Certificate not Requested on Subsequent visits when using verify_if_given #7443

@gamefb

Issue Details

Using the official Docker image with caddy v2.10.2

I have a site that has a lot of URL bouncing due to SSO redirects. It wasn't working and I sought to find out why. I set up a very basic system: if you visit the URL, it redirects you to YouTube if you have a cert; if you don't, it gives you a 403.

On the very first visit, you go to YouTube as you should. However, on subsequent visits, the cert is not being requested and you get a 403. This only applies to verify_if_given; the require_and_verify directive does not exhibit this problem.

The major caveat to testing this is that if you start off connecting to the site with require_and_verify in a session, then switch to verify_if_given, then in the same browser session attempt to reconnect to the site, it will appear to work as normal. Close your browser and try again, and it won't work multiple times anymore.

Here is the test:

(tls_client) {
	# mTLS: ask the client for a certificate and verify it against the trust pool
	# if one is presented; connections without a certificate are still allowed
	tls {
		client_auth {
			mode verify_if_given
			trust_pool file {
				pem_file /etc/caddy/root.pem
			}
		}
	}
}

tlscheck.example.com {
	import tls_client
	@has_cert expression {tls_client_subject} != null
	@no_cert expression {tls_client_subject} == null

	redir @has_cert https://www.youtube.com/
	respond @no_cert 403
}

Assistance Disclosure

AI not used

If AI was used, describe the extent to which it was used.

No response

Here is the debug output, I managed to get Firefox to work consistently, which is cool, but not Chrome or Edge.

{"level":"debug","ts":1768695517.0676358,"logger":"events","msg":"event","name":"tls_get_certificate","id":"21a8c0c8-54be-4a21-83bb-68b8ae09cc16","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4866,4867],"ServerName":"tlscheck.EXAMPLE.COM","SupportedCurves":[4588,29,23,24],"SupportedPoints":null,"SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h3"],"SupportedVersions":[772],"RemoteAddr":{"IP":"PUBLIC_IP","Port":55967,"Zone":""},"LocalAddr":{"IP":"172.18.0.6","Port":443,"Zone":""}}}}
{"level":"debug","ts":1768695517.0680878,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"PUBLIC_IP","remote_port":"55967","subjects":["tlscheck.EXAMPLE.COM"],"managed":true,"expiration":1776435082,"hash":"49cc269d6e0460fe89dbc642333d9c57b00464d54df3255c17c81a45a06088cb"}
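The symptom in this report (a certificate that is accepted on the first visit but "not requested" on later ones) is exactly the behaviour a TLS 1.3 server has when the client resumes a session from a ticket: no fresh CertificateRequest is sent, and whatever client identity the server sees has to come back out of the ticket state. Whether that is what Caddy is hitting here is not established by this issue; it is something to check. The program below is an added example, not code from the issue or from the Caddy project, written against Go's standard crypto/tls (the stack Caddy uses), where Caddy's verify_if_given mode corresponds to tls.VerifyClientCertIfGiven. It generates a throwaway CA, server and client certificate (constructed test material), runs a loopback server in that mode, and connects three times: a certificate-holding client with a session cache (first a full handshake, then a resumed one), then a client with no certificate at all. The names "localhost", "alice" and "Test Root" are assumptions for the example. The point for a defender is that authorization decisions keyed on the client certificate must be verified on resumed connections too, and ConnectionState().DidResume is the hook for logging which kind of handshake produced the identity you are about to act on.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Visit records what the server observed on one TLS connection.
type Visit struct {
	Resumed bool   // handshake was a ticket resumption: no new CertificateRequest was sent
	CertCN  string // CommonName of the client certificate, "" if none was presented
}

// newCert issues throwaway test material (constructed for this example, not a real PKI).
// parent == nil yields a self-signed CA; otherwise a leaf signed by parent/parentKey.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// RunVisits serves three loopback connections in verify-if-given mode and reports,
// per connection, whether it was resumed and which client certificate (if any) it carried.
func RunVisits() ([]Visit, error) {
	_, ca, caKey := newCert("Test Root", nil, nil)
	srvCert, _, _ := newCert("localhost", ca, caKey)
	cliCert, _, _ := newCert("alice", ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	srvCfg := &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{srvCert},
		ClientAuth:   tls.VerifyClientCertIfGiven, // the Go mode behind Caddy's verify_if_given
		ClientCAs:    pool,
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()

	const n = 3
	seen := make(chan Visit, n)
	go func() {
		for i := 0; i < n; i++ {
			raw, err := ln.Accept()
			if err != nil {
				return
			}
			c := tls.Server(raw, srvCfg)
			if err := c.Handshake(); err != nil {
				raw.Close()
				seen <- Visit{}
				continue
			}
			st := c.ConnectionState()
			v := Visit{Resumed: st.DidResume}
			if len(st.PeerCertificates) > 0 {
				v.CertCN = st.PeerCertificates[0].Subject.CommonName
			}
			// One line of application data; the client's read of it also drains the
			// post-handshake NewSessionTicket into its session cache.
			fmt.Fprintf(c, "resumed=%v cert=%q\n", v.Resumed, v.CertCN)
			c.Close()
			seen <- v
		}
	}()

	visit := func(cfg *tls.Config) error {
		conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
		if err != nil {
			return err
		}
		defer conn.Close()
		_, err = bufio.NewReader(conn).ReadString('\n')
		return err
	}
	// Client A: holds a certificate and keeps tickets, like a browser that resumes sessions.
	clientA := &tls.Config{MinVersion: tls.VersionTLS13, ServerName: "localhost", RootCAs: pool,
		Certificates: []tls.Certificate{cliCert}, ClientSessionCache: tls.NewLRUClientSessionCache(4)}
	// Client B: no certificate at all; verify-if-given must still admit it, with an empty identity.
	clientB := &tls.Config{MinVersion: tls.VersionTLS13, ServerName: "localhost", RootCAs: pool}

	var out []Visit
	for _, cfg := range []*tls.Config{clientA, clientA, clientB} {
		if err := visit(cfg); err != nil {
			return nil, err
		}
		out = append(out, <-seen)
	}
	return out, nil
}

func main() {
	visits, err := RunVisits()
	if err != nil {
		panic(err)
	}
	for i, v := range visits {
		fmt.Printf("visit %d: resumed=%v client_cert_cn=%q\n", i+1, v.Resumed, v.CertCN)
	}
}
```

With Go's crypto/tls the second visit comes back resumed and still carrying "alice", because the server stores the verified peer certificates in the session ticket and restores them on resumption; the third visit is unresumed with no identity. If a server in front of the same kind of client logged a resumed handshake with an empty identity, that would be the place to look, and the expression matcher on {tls_client_subject} in the Caddyfile above is only as good as what the TLS layer hands it on that resumed connection.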
