Can Apigee configure a secure vhost to request but not require a client-side certificate?

With a network device like F5 BigIP, it is possible to configure an endpoint to request, require or ignore a client cert. In the require state, the F5 rejects the TLS handshake when the client does not present a cert (and may reject even if the client does present a cert, if the CA is wrong , or if the CN is not as required, if expired, etc). In the ignore state, any client cert is ignored by the F5 device.

In the “request” option, F5 asks for a cert, and the client may or may not present one. The F5 can be configured to allow or not allow, depending on the contents of the cert.

The question is, Can Apigee Edge be configured to request-but-not-require a client-side cert? I would like Apigee Edge to validate the cert against a specific CA, but not reject the connection if the cert is expired, if the cert has the "wrong" CN, or even if the cert is not present.

Is this possible?

I know that Apigee Edge uses nginx for the front-side router.

The nginx http ssl module has the ssl_verify_client parameter.

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client

It supports : on | off | optional | optional_no_ca

Can the Apigee Edge public cloud be configured with any of these options?

Maybe @corinna fu has some information?