Lighttpd Server requests for Client Certificate in TLSv1.2 when using Basic Authentication

Added by ginugeorgeami over 1 year ago

Hello All,

I am using the below mentioned version of lighttpd server

The application supports two types of authentication - Basic Authentication and Client Certificate Authentication.

To enable the Client Certificate Authentication, we have added the below configuration on top of the default lighttpd configuration

When a client requests for a REST API via Basic Authentication mechanism by enforcing TLSv1.2, the Server requests for the Certificate from the Client. This we can observe plainly from the Wireshark packets captured:

When the very same client requests for a REST API via Basic Authentication mechanism by enforcing TLSv1.3, we do not observe any Client Certificate request from the Server as shown below:

Is this behaviour of "the Server requesting the Certificate from the Client even when the Client opts for Basic Authentication" expected? Or is there any configurable option to disable the Server from requesting the Client Certificate? Any suggestions or inputs are welcome.

Regards,
Ginu George


Replies (3)

RE: Lighttpd Server requests for Client Certificate in TLSv1.2 when using Basic Authentication - Added by gstrauss over 1 year ago

> Is this behaviour of "the Server requesting the Certificate from the Client even when the Client opts for Basic Authentication" expected?

You are confusing separate concepts.

TLSv1.2 and TLSv1.3 are different and TLSv1.3 may handle client certificate request differently.

TLS negotiation occurs before the encrypted HTTP request. If the TLS negotiation did not occur beforehand, then the HTTP request would not be encrypted. If lighttpd is configured to request client certificate auth, then lighttpd does so during TLS negotiations, and this happens before the HTTP request and therefore before it is known whether or not the client sent an HTTP request containing Basic Auth Authorization request header.

> or is there any configurable option to disable the Server from requesting the Client Certificate?

ssl.verifyclient.activate

However, as noted above, the HTTP request is not known before TLS negotiation, so ssl.verifyclient.activate must be configured before TLS negotiation, and is therefore effective only in lighttpd.conf global config scope and $SERVER["socket"] config scope.

Aside: lighttpd 1.4.45 (released Jan 2017) is outdated. Your systems are running ancient software, and are likely also running ancient openssl libraries which may have known bugs or vulnerabilities. You should strongly consider updating your systems. The current lighttpd release is lighttpd 1.4.67 (released Sep 2022), and lighttpd 1.4.68 is scheduled to be released in Jan 2023. Your systems are at least 22 (!!!) lighttpd releases out-of-date!!!
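The socket-scope point in the reply above, as an added configuration example that is not part of the original thread: because `ssl.verifyclient.activate` takes effect per listening socket, one way to keep Basic Authentication clients from being asked for a certificate is to serve the two authentication methods on separate sockets. The ports, file paths, realm and `/api/` prefix are assumptions chosen for illustration.

```lighttpd
# Constructed example: ports, file paths and the /api/ prefix are placeholders.
server.modules += ( "mod_auth", "mod_authn_file" )  # plus mod_openssl on releases where TLS is a module

# Listener A (:443): Basic Authentication only.
# ssl.verifyclient.activate is left off here, so the TLS handshake on this
# socket carries no client certificate request.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/server.pem"

    auth.backend                   = "htpasswd"
    auth.backend.htpasswd.userfile = "/etc/lighttpd/api.htpasswd"
    auth.require = ( "/api/" => (
        "method"  => "basic",
        "realm"   => "REST API",
        "require" => "valid-user"
    ) )
}

# Listener B (:8443): client certificate authentication.
# The certificate is requested during the handshake, before any HTTP
# request (and therefore any Authorization header) has been seen.
$SERVER["socket"] == ":8443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/server.pem"
    ssl.ca-file = "/etc/lighttpd/certs/client-ca.pem"  # CA that issued the client certs

    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce  = "enable"   # reject clients without a valid certificate
    ssl.verifyclient.depth    = 2
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
}
```

Running `openssl s_client -connect HOST:PORT -tls1_2` against each listener shows the difference: the output reports "No client certificate CA names sent" for the first socket and lists the acceptable client certificate CA names for the second.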

RE: Lighttpd Server requests for Client Certificate in TLSv1.2 when using Basic Authentication - Added by ginugeorgeami over 1 year ago

@gstrauss Thanks for the quick reply.

> TLSv1.2 and TLSv1.3 are different and TLSv1.3 may handle client certificate request differently.

We would like to know in terms of handling client certificate request, how different is TLSv1.3 from TLSv1.2.

RE: Lighttpd Server requests for Client Certificate in TLSv1.2 when using Basic Authentication - Added by gstrauss over 1 year ago

> We would like to know in terms of handling client certificate request, how different is TLSv1.3 from TLSv1.2.

Cool. Sounds like you have some research to do. A search engine is a good place to start.
