ASGI Documentation, Release 3.0
• client_cert_chain (Iterable[Unicode string]) – An iterable of Unicode strings, where each string is a PEM-
encoded x509 certificate. The first certificate is the client certificate. Any subsequent certificates are part of the
certificate chain sent by the client, with each certificate signing the preceding one. If the client did not provide a
client certificate then it will be an empty iterable. Some web server implementations may be unable to provide
this (e.g. if TLS is terminated by a separate proxy or load balancer); in that case this shall be an empty iterable.
Optional; if missing defaults to empty iterable.
• client_cert_name (Unicode string or None) – The x509 Distinguished Name of the Subject of the client cer-
tificate, as a single string encoded as defined in RFC4514. If the client did not provide a client certificate then it
will be None. Some web server implementations may be unable to provide this (e.g. if TLS is terminated by a sep-
arate proxy or load balancer); in that case this shall be None. If client_cert_chain is provided and non-empty
then this field must be provided and must contain information that is consistent with client_cert_chain[0].
Note that under some setups, (e.g. where TLS is terminated by a separate proxy or load balancer and that device
forwards the client certificate name to the web server), this field may be set even where client_cert_chain is
not set. Optional; if missing defaults to None.
• client_cert_error (Unicode string or None) – None if a client certificate was provided and successfully
verified, or was not provided. If a client certificate was provided but verification failed, this is a non-empty string
containing an error message or error code indicating why validation failed; the details are web server specific.
Most web server implementations will reject the connection if the client certificate verification failed, instead of
setting this value. However, some may be configured to allow the connection anyway. This is especially useful
when testing that client certificates are supported properly by the client - it allows a response containing an error
message that can be presented to a human, instead of just refusing the connection. Optional; if missing defaults
to None.
• tls_version (integer or None) – The TLS version in use. This is one of the version numbers as defined in the
TLS specifications, which is an unsigned integer. Common values include 0x0303 for TLS 1.2 or 0x0304 for
TLS 1.3. If TLS is not in use, set to None. Some web server implementations may be unable to provide this (e.g.
if TLS is terminated by a separate proxy or load balancer); in that case set to None. Mandatory.
• cipher_suite (integer or None) – The TLS cipher suite that is being used. This is a 16-bit unsigned integer that
encodes the pair of 8-bit integers specified in the relevant RFC, in network byte order. For example RFC8446
section B.4 defines that the cipher suite TLS_AES_128_GCM_SHA256 is {0x13, 0x01}; that is encoded as a
cipher_suite value of 0x1301 (equal to 4865 decimal). Some web server implementations may be unable to
provide this (e.g. if TLS is terminated by a separate proxy or load balancer); in that case set to None. Mandatory.
2.4.4 Events
All events are as defined in the base protocol specification.
2.4.5 Rationale (Informative)
This section explains the choices that led to this specification.
Providing the entire TLS certificates in client_cert_chain, rather than a parsed subset:
• Makes it easier for web servers to implement, as they do not have to include a parser for the entirety of the x509
certificate specifications (which are huge and complicated). They just have to convert the binary DER format
certificate from the wire, to the text PEM format. That is supported by many off-the-shelf libraries.
• Makes it easier for web servers to maintain, as they do not have to update their parser when new certificate fields
are defined.
• Makes it easier for clients as there are plenty of existing x509 libraries available that they can use to parse the
certificate; they don’t need to do some special ASGI-specific thing.
22 Chapter 2. Specifications