kong.client.tls

A set of functions for interacting with TLS connections from the client.

Requests the client to present its client-side certificate to initiate mutual TLS authentication between server and client.

This function requests, but does not require the client to start the mTLS process. The TLS handshake can still complete even if the client doesn’t present a client certificate. However, in that case, it becomes a TLS connection instead of an mTLS connection, as there is no mutual authentication.

To find out whether the client honored the request, use in later phases.

Phases

Returns

true|nil: Returns true if request is received, or nil if request fails.
nil|err: Returns nil if the handshake is successful, or an error message if it fails.

Prevents the TLS session for the current connection from being reused by disabling the session ticket and session ID for the current TLS connection.

Phases

certificate

Returns

: Returns true if successful, nil if it fails.

Usage

Returns the PEM encoded downstream client certificate chain with the client certificate at the top and intermediate certificates (if any) at the bottom.

Phases

rewrite, access, balancer, header_filter, body_filter, log

string|nil: Returns a PEM-encoded client certificate if the mTLS handshake was completed, or if an error occurred or the client did not present its certificate.
nil|err: Returns nil if successful, or an error message if it fails.

Usage

Overrides the client’s verification result generated by the log serializer.

By default, the request.tls.client_verify field inside the log generated by Kong’s log serializer is the same as the $ssl_client_verify Nginx variable.

Only "SUCCESS", "NONE", or are accepted values.

This function does not return anything on success, and throws a Lua error in case of a failure.

Phases

rewrite, access, balancer