mTLS mode
otoroshictl toolbox mtls lets you read or change the client authentication mode on the TLS termination of your Otoroshi cluster.
Otoroshi supports three modes for mutual TLS (mTLS) at the TLS layer:
| Mode | Behaviour |
|---|---|
| None | Client certificates are not requested |
| Want | Client certificate is requested but not mandatory |
| Need | Client certificate is required; connections without one are rejected |
Display the current mode
Running the command without --mode prints the current client authentication mode of the cluster.
$ otoroshictl toolbox mtls
mTLS mode: None
The output format follows the global --output flag:
$ otoroshictl toolbox mtls -o json_pretty
{ "mode": "None" }
Change the mode
Pass --mode with one of None, Want, or Need to update the cluster configuration.
Disable client certificate checking:
$ otoroshictl toolbox mtls --mode None
Request a client certificate (optional):
$ otoroshictl toolbox mtls --mode Want
Require a client certificate (mandatory):
$ otoroshictl toolbox mtls --mode Need
Tip: Changes take effect immediately on the running cluster; no restart is required.
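Because the mode can be changed on a live cluster with a single command, it is worth checking for drift. The script below is an added example, not part of otoroshictl: it ranks the three modes by strictness and fails closed when the reported mode is weaker than a required minimum or cannot be parsed. The function names are hypothetical, and it assumes the `json` output carries the same `mode` key shown for `json_pretty`.

```shell
#!/bin/sh
# Added example (not part of otoroshictl): gate that fails when the cluster's
# client authentication mode is weaker than a required minimum.

# Map a mode name from the table above to a strictness rank.
# Any other value is rejected so a typo or new mode never passes silently.
mode_rank() {
  case "$1" in
    None) echo 0 ;;
    Want) echo 1 ;;
    Need) echo 2 ;;
    *) return 1 ;;
  esac
}

# Extract the "mode" value from the JSON printed by the mtls command.
# sed is used instead of jq so the check has no extra dependency.
parse_mode() {
  printf '%s\n' "$1" |
    sed -n 's/.*"mode"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
    head -n 1
}

# check_mtls_mode <required-minimum> <json>
# Returns 0 when the reported mode is at least as strict as required,
# 1 when it is weaker, 2 when either value cannot be interpreted.
check_mtls_mode() {
  required_rank=$(mode_rank "$1") || return 2
  current=$(parse_mode "$2")
  current_rank=$(mode_rank "$current") || return 2
  [ "$current_rank" -ge "$required_rank" ] || return 1
  return 0
}

# Live use (assumes otoroshictl is on PATH and configured for the cluster):
#   check_mtls_mode Need "$(otoroshictl toolbox mtls -o json)" || exit 1

# Constructed sample outputs, in the shape shown on this page.
SAMPLE_NONE='{ "mode": "None" }'
SAMPLE_WANT='{"mode":"Want"}'
SAMPLE_NEED='{ "mode": "Need" }'
```

A result of 1 under a `Need` policy while the cluster reports `Want` means connections without a client certificate are still accepted at the TLS layer.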
Command usage
$ otoroshictl toolbox mtls -h
manage client authentication on the TLS termination

Usage: otoroshictl toolbox mtls [OPTIONS]

Options:
  -m, --mode <MODE>                the mode to use: None, Want, Need
  -v, --verbose                    Turn debugging information on
  -o, --ouput <FORMAT>             Change the rendering format (can be one of: json, yaml, json_pretty)
  -c, --config-file <FILE or URL>  Sets a custom config file
  -h, --help                       Print help