I added the client cert into ca.pem as in

bind 0.0.0.0:443 ssl crt /etc/ssl/private/asdf.hdavid.io.pem verify optional ca-file /etc/ssl/certs/ca.pem
http-request set-header X-SSL-Client-Verify        %[ssl_c_verify]

And then calling with curl -v --key key.pem --cert cert.pem https://asdf.hdavid.io

But I get X-SSL-Client-Verify as zero in the backend in both cases, when the client presents a valid certificate and when it presents a certificate not in haproxy trust.

Actually it seems to work: with verify require haproxy properly blocks requests not coming from the certificate I trusted inside haproxy. But when I have verify optional, I always get ssl_c_verify as zero. Why is that?

  • Make sure that `ca.pem` and `cert.pem` are actually the same. Also make sure that the certificate has basic constraints CA:true (check with `openssl x509 -in cert.pem -text`). If still a problem please provide enough information so that the problem can be reproduced, especially the exact way `cert.pem` and `key.pem` were created or simply the full content of these files. – Steffen Ullrich Jun 28 '21 at 15:38
  • They are the same. Updated the question. – David Hofmann Jun 28 '21 at 15:50

1 Answer

But when I have verify optional, I always get ssl_c_verify as zero. Why is that?

Because this means successful validation. From the documentation of haproxy:

ssl_c_verify : integer
Returns the verify result error ID when the incoming connection was made over an SSL/TLS transport layer, otherwise zero if no error is encountered. Please refer to your SSL library's documentation for an exhaustive list of error codes.

This zero is basically X509_V_OK as documented in openssl verify.

But I get X-SSL-Client-Verify as zero in the backend in both cases, when the client presents a valid certificate and when it presents a certificate not in haproxy trust.

I cannot reproduce this. When the client presents a certificate which is not trusted the connection will fail since the verification fails:

$ curl ... --cert wrong.pem ...
...
* OpenSSL SSL_read: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca, errno 0

But when no certificate is presented the connection will succeed, since the client certificate is considered optional.

But it looks like you want the connection to actually succeed with the wrong certificate, but to forward the error upstream. And you also want to forward the information if a client certificate was used in the first place. In this case you might use something like this:

bind 0.0.0.0:443 ssl ... verify optional crt-ignore-err all ...
http-request set-header X-SSL-Client-Verify   %[ssl_c_verify]
http-request set-header X-SSL-Client-Used     %[ssl_c_used]

The X-SSL-Client-Used header will then be 1 if a client certificate was given. The X-SSL-Client-Verify will be 0 if no error happened during certificate validation, which includes the case that no certificate was given. Otherwise it will return the verification error.

Steffen Ullrich
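The answer's last paragraph is the part a backend author has to get right: ssl_c_verify is 0 both for a validated certificate and for a connection that presented no certificate at all, so the backend must read X-SSL-Client-Used together with X-SSL-Client-Verify. The following is an added example (not code from the question, the answer, or HAProxy itself) of a small backend-side policy that does exactly that. The header names are the ones the answer proposes; the numeric error codes in the table are OpenSSL's X509 verify error codes from openssl/x509_vfy.h, and the sample requests at the bottom are constructed for illustration.

```python
# Added example: interpreting the X-SSL-Client-Used (ssl_c_used) and
# X-SSL-Client-Verify (ssl_c_verify) headers on the backend.
# Key point from the answer: verify == 0 alone does NOT prove that a client
# certificate was presented; the backend must check "used" as well.

# Subset of OpenSSL X509 verify result codes (openssl/x509_vfy.h).
# 0 is X509_V_OK; with "crt-ignore-err all" HAProxy forwards the
# non-zero codes instead of aborting the handshake.
X509_VERIFY_ERRORS = {
    0: "X509_V_OK",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}


def classify_client(headers):
    """Return (state, detail) where state is one of
    "anonymous"  - no client certificate was presented (used != 1)
    "verified"   - certificate presented and validated (used == 1, verify == 0)
    "rejected"   - certificate presented but validation failed, or the
                   headers are malformed (fail closed).
    Header names are matched case-insensitively; a missing header is "0"."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    try:
        used = int(h.get("x-ssl-client-used", "0"))
        verify = int(h.get("x-ssl-client-verify", "0"))
    except ValueError:
        # Malformed value: do not treat it as "no error".
        return ("rejected", "unparseable X-SSL-Client-* header")
    if used != 1:
        # This is the case the question ran into: no certificate,
        # and ssl_c_verify is still 0.
        return ("anonymous", "no client certificate presented")
    if verify == 0:
        return ("verified", X509_VERIFY_ERRORS[0])
    return ("rejected", X509_VERIFY_ERRORS.get(verify, "unknown error %d" % verify))


def allow_request(headers, require_cert):
    """Policy hook for a handler.  With require_cert=True only a verified
    certificate passes.  With require_cert=False anonymous clients pass,
    but a certificate that was presented and failed validation is still
    refused, because that is a misconfigured or untrusted client."""
    state, _ = classify_client(headers)
    if state == "verified":
        return True
    if state == "anonymous":
        return not require_cert
    return False


# Constructed sample requests (not real traffic), as HAProxy would set them.
SAMPLE_REQUESTS = {
    "no cert":        {"X-SSL-Client-Used": "0", "X-SSL-Client-Verify": "0"},
    "trusted cert":   {"X-SSL-Client-Used": "1", "X-SSL-Client-Verify": "0"},
    "untrusted cert": {"X-SSL-Client-Used": "1", "X-SSL-Client-Verify": "20"},
    "expired cert":   {"X-SSL-Client-Used": "1", "X-SSL-Client-Verify": "10"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        state, detail = classify_client(hdrs)
        print("%-15s -> %-9s %-45s allow(require_cert=True)=%s"
              % (label, state, detail, allow_request(hdrs, True)))
```

These headers are only meaningful when the backend is reachable solely through HAProxy: `http-request set-header` overwrites any X-SSL-Client-* value a client sends, but a request that reaches the backend directly carries whatever the client chose to put there.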