If I am using a Apache to verify the client certificate and the client certificate is invalid (e.g. revoked) than I can get the appropriate SSL/TLS alert which can be evaluated by the client: curl -v --insecure --cert cert.pem --key key.pem --cacert ca.pem https://127.0.0.1:443/1/config * Expire in 0 ms for 6 (transfer 0x5611097bcfb0) * Trying 127.0.0.1... * TCP_NODELAY sby charlemagnelasse - Nginx Mailing List - English