| 1 | ### No certificate, certificate required |
| 2 | ### No certificate, certificate optional at TLS time, required by ACL |
| 3 | ### Good certificate, certificate required |
| 4 | ### Good certificate, certificate optional at TLS time, checked by ACL |
| 5 | ### Bad certificate, certificate required |
| 6 | ### Bad certificate, certificate optional at TLS time, reject at ACL time |
| 7 | ### Otherwise good but revoked certificate, certificate required |
| 8 | ### Revoked certificate, certificate optional at TLS time, reject at ACL time |
| 9 | ### Good certificate, certificate required - but nonmatching CRL also present |
| 10 | |
| 11 | ******** SERVER ******** |
| 12 | ### No certificate, certificate required |
| 13 | ### No certificate, certificate optional at TLS time, required by ACL |
| 14 | ### Good certificate, certificate required |
| 15 | ### Good certificate, certificate optional at TLS time, checked by ACL |
| 16 | ### Bad certificate, certificate required |
| 17 | ### Bad certificate, certificate optional at TLS time, reject at ACL time |
| 18 | ### Otherwise good but revoked certificate, certificate required |
| 19 | ### Revoked certificate, certificate optional at TLS time, reject at ACL time |
| 20 | ### Good certificate, certificate required - but nonmatching CRL also present |