Request mTLS is a mechanism for clients to hint to the server that they support mutual TLS using a lightweight TLS extension. It leverages the TLS Flags extension, currently being standardised by the IETF at draft-ietf-tls-tlsflags-15. This website validates the presence of the request mTLS flag as defined in draft-jhoyla-req-mtls-flag.
If you send the request mTLS flag, the server will request a client certificate. The server accepts certificates that chain to the test public key defined in Section 2.1.6 of RFC 9500. You can find conveniently formatted PEM keys at thibmeu/rfc9500.
Current methods for identifying platforms, such as the User-Agent header or the source IP address, have proved unreliable over the years: both are trivially spoofed, and it is common for malicious actors to pose as an approved platform in order to benefit from the trust granted to it. Websites can instead use req mTLS to identify platforms cryptographically, so that an actor without the platform's private key cannot impersonate it. This benefits both platforms, which no longer have to publish and maintain IP blocks and reverse DNS records, and websites, which can extend trust to the platforms they want to support.
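The following is an added example, not code from this site or from the draft authors, showing what the exchange above looks like at the byte level: a client sets a flag in a TLS Flags extension in its ClientHello, and the server parses the extension and decides whether to ask for a client certificate. It assumes the tls_flags ExtensionType is 62, that the extension body is a single opaque vector flags<0..255> in which flag N lives in byte N/8, bit N%8 (bit 0 being the least significant), and that trailing zero bytes are not allowed; the flag number used for request mTLS (7) is a placeholder, not the number the draft registers. Go's standard crypto/tls does not expose raw ClientHello extensions, so the example operates on a constructed extensions block rather than a live handshake.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumptions, not taken from the page: tls_flags is ExtensionType 62 and its
// body is opaque flags<0..255>, flag N in byte N/8, bit N%8 (LSB = bit 0),
// with no trailing zero bytes.
const (
	extTLSFlags uint16 = 62
	// Placeholder flag number for "request mTLS"; use whatever number
	// draft-jhoyla-req-mtls-flag actually registers.
	flagReqMTLS uint = 7
)

// EncodeFlags builds a tls_flags extension body from a set of flag numbers.
func EncodeFlags(flags ...uint) ([]byte, error) {
	var body []byte
	for _, n := range flags {
		if n >= 255*8 {
			return nil, fmt.Errorf("flag %d does not fit in a 255-byte bitmap", n)
		}
		idx := int(n / 8)
		if idx >= len(body) {
			body = append(body, make([]byte, idx+1-len(body))...)
		}
		body[idx] |= 1 << (n % 8)
	}
	// One-byte length prefix for the opaque flags<0..255> vector.
	return append([]byte{byte(len(body))}, body...), nil
}

// DecodeFlags parses a tls_flags extension body and returns the bitmap,
// rejecting length mismatches and trailing zero bytes.
func DecodeFlags(ext []byte) ([]byte, error) {
	if len(ext) < 1 {
		return nil, errors.New("tls_flags: missing length byte")
	}
	n := int(ext[0])
	if len(ext) != 1+n {
		return nil, errors.New("tls_flags: length mismatch")
	}
	bm := ext[1:]
	if n > 0 && bm[n-1] == 0 {
		return nil, errors.New("tls_flags: trailing zero byte")
	}
	return bm, nil
}

// HasFlag reports whether flag number n is set in the bitmap.
func HasFlag(bm []byte, n uint) bool {
	idx := int(n / 8)
	return idx < len(bm) && bm[idx]&(1<<(n%8)) != 0
}

// FindExtension walks a ClientHello extensions block (2-byte type, 2-byte
// length, body) and returns the body of the extension with the given type.
func FindExtension(exts []byte, want uint16) ([]byte, bool, error) {
	for len(exts) > 0 {
		if len(exts) < 4 {
			return nil, false, errors.New("truncated extension header")
		}
		typ := binary.BigEndian.Uint16(exts[0:2])
		l := int(binary.BigEndian.Uint16(exts[2:4]))
		if len(exts) < 4+l {
			return nil, false, errors.New("truncated extension body")
		}
		if typ == want {
			return exts[4 : 4+l], true, nil
		}
		exts = exts[4+l:]
	}
	return nil, false, nil
}

// ClientAuthFor is the server-side decision: request a client certificate
// only when the client advertised the request-mTLS flag.
func ClientAuthFor(exts []byte) (tls.ClientAuthType, error) {
	body, ok, err := FindExtension(exts, extTLSFlags)
	if err != nil || !ok {
		return tls.NoClientCert, err
	}
	bm, err := DecodeFlags(body)
	if err != nil {
		return tls.NoClientCert, err
	}
	if HasFlag(bm, flagReqMTLS) {
		return tls.RequestClientCert, nil
	}
	return tls.NoClientCert, nil
}

// wrap frames a body as (type, length, body) inside an extensions block.
func wrap(typ uint16, body []byte) []byte {
	out := make([]byte, 4, 4+len(body))
	binary.BigEndian.PutUint16(out[0:2], typ)
	binary.BigEndian.PutUint16(out[2:4], uint16(len(body)))
	return append(out, body...)
}

func main() {
	// Constructed extensions block: a dummy server_name (type 0) then tls_flags.
	flags, _ := EncodeFlags(flagReqMTLS)
	exts := append(wrap(0, []byte{0, 3, 0, 0, 0}), wrap(extTLSFlags, flags)...)
	auth, err := ClientAuthFor(exts)
	fmt.Println(auth == tls.RequestClientCert, err)
}
```

The strict length and trailing-zero checks in DecodeFlags are deliberate: a server that tolerates malformed flag vectors invites ambiguity about which flags a client actually sent, which is exactly what a spoofing client would exploit.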
It's time for websites to know who's calling, and for platforms to prove it.
This website exposes an endpoint reporting incoming TLS Flags on /debug.
You can find partial implementations of TLS Flags in the Cloudflare Go fork, and in BoringSSL.
First off, this is fantastic news!
To contribute to this website, you can go to cloudflareresearch/req-mtls.
To contribute to the standards discussion, the current draft is hosted at jhoyla/draft-jhoyla-req-mtls-flag and is being discussed on the IETF TLS working group mailing list.