Thank you Lukas. Here is the rebased patch. I also made one correction, I had added ssl_fc_unique_id as an ACL keyword, but that does not make sense. I removed that added line from my patch. Answering a question I received offline: base64 is the common way to encode this value. SCRAM (RFC 5802), EST (RFC 7030), and XMPP (RFC 3920) all consume this value in this format.
For a commit description:

Add the ssl_fc_unique_id keyword and corresponding sample fetch method. Value is retrieved from OpenSSL and base64 encoded as described in RFC 5929 section 3.

Thanks,
--Dave

On Tue, Apr 8, 2014 at 4:18 PM, Lukas Tribus <[email protected]> wrote:
> Hi Dave,
>
> > Hello
> > The TLS unique id, or unique channel binding, is a byte string that can be
> > pulled from a TLS connection and it is unique to that connection. It is
> > defined in RFC 5929 section 3. The value is used by various upper layer
> > protocols as part of an extra layer of security. For example XMPP
> > (RFC 6120) and EST (RFC 7030).
> >
> > I created this patch on top of dev22 to extract this value so it can be
> > passed from the front end to the back end when TLS is terminated at the
> > front end.
> > Here is an example configuration using it:
> >
> > server backend 127.0.0.1:80
> > http-request set-header X-TLS-UNIQUE-ID %{+Q}[ssl_fc_unique_id]
> >
> > If you accept this patch, I'd also be happy to update configuration.txt.
> >
> > This is my first contribution, so please let me know the correct
> > procedure if I've missed something.
>
> I gave it a try and it works as expected. I don't have the knowledge to
> actually review the code, but my impression of the patch is positive, I
> like it.
>
> Patch applies fine to dev22, but it doesn't apply to current git/master.
>
> My suggestion would be that you rebase this so that it applies cleanly
> to the current tree (preferably with git, otherwise you can also just
> get the latest snapshot [1]) and include the doc update in the patch
> (small note in section 7.3.3 should be enough).
>
> Furthermore please include a short description of what the patch does
> (2 - 3 sentences) for the commit message.
>
> Regards,
> Lukas
>
> [1] http://haproxy.1wt.eu/download/1.5/src/snapshot/
tlsunique.patch
Description: Binary data
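The thread explains what the forwarded value is (the tls-unique channel binding of RFC 5929 section 3, base64 encoded) and shows the front-end side, but not what a back end does with the X-TLS-UNIQUE-ID header once it arrives. The following is an added example, not code from the patch or from HAProxy: it decodes the header on the back end and uses the bytes the way SCRAM (RFC 5802) does, building and checking the client-final-message "c=" attribute, which is base64 of the gs2-header followed by the raw channel-binding data. The header name, the 12-byte sample value and the request headers are constructed for the example; it also strips the double quotes that the thread's `%{+Q}` format flag wraps around the value, on the assumption that the back end receives the header exactly as that configuration emits it.

```python
"""Back-end consumption of the tls-unique value forwarded by the TLS front end.

Added example, not HAProxy code. Header name, sample bytes and headers are constructed.
"""
import base64
import hmac

# Constructed sample: a fake 12-byte tls-unique value (RFC 5929 section 3: the
# first TLS Finished message on the connection, 12 bytes of verify_data for a
# TLS 1.2 handshake) and the header the thread's configuration would emit for
# it. Not captured from a real connection.
SAMPLE_TLS_UNIQUE = bytes(range(12))
SAMPLE_HEADERS = {
    # Assumption: %{+Q}[ssl_fc_unique_id] wraps the base64 text in double quotes.
    "X-TLS-UNIQUE-ID": '"AAECAwQFBgcICQoL"',
    "Host": "example.invalid",
}

# gs2-header a SCRAM client sends when it requests tls-unique channel binding
# and supplies no authzid (RFC 5802 section 7).
GS2_HEADER = "p=tls-unique,,"


def tls_unique_from_headers(headers, name="X-TLS-UNIQUE-ID"):
    """Return the raw tls-unique bytes carried by the front end's header.

    A missing header, malformed base64 or an empty value is rejected, so a
    request that did not come through the TLS front end cannot pass the
    channel-binding check by accident.
    """
    value = headers.get(name)
    if value is None:
        raise ValueError("no %s header: request did not arrive via the TLS front end" % name)
    value = value.strip()
    # Strip the quoting added by the +Q format flag, if present.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed tls-unique header value") from exc
    if not raw:
        raise ValueError("empty tls-unique value")
    return raw


def scram_cbind_attribute(gs2_header, tls_unique):
    """Build the SCRAM 'c=' attribute: base64(gs2-header || cbind-data)."""
    return base64.b64encode(gs2_header.encode("ascii") + tls_unique).decode("ascii")


def verify_scram_channel_binding(client_c_attr, gs2_header, tls_unique):
    """Compare the client's 'c=' value with the server's view of the channel.

    Constant-time comparison; a mismatch means the client authenticated over a
    different TLS connection than the one the front end terminated.
    """
    expected = scram_cbind_attribute(gs2_header, tls_unique)
    return hmac.compare_digest(expected.encode("ascii"), client_c_attr.encode("ascii"))


def check_request(headers, client_c_attr, gs2_header=GS2_HEADER):
    """Full back-end check: header -> tls-unique bytes -> SCRAM binding match."""
    tls_unique = tls_unique_from_headers(headers)
    return verify_scram_channel_binding(client_c_attr, gs2_header, tls_unique)


if __name__ == "__main__":
    good = scram_cbind_attribute(GS2_HEADER, SAMPLE_TLS_UNIQUE)
    print("binding matches:", check_request(SAMPLE_HEADERS, good))
    # The client bound to some other TLS connection (relay / MITM case).
    bad = scram_cbind_attribute(GS2_HEADER, bytes(12))
    print("mismatch rejected:", not check_request(SAMPLE_HEADERS, bad))
```

The back end has to trust the front end for this header, so the front end must also delete any X-TLS-UNIQUE-ID header a client sends, otherwise a client could supply its own value; the thread's sample configuration sets the header unconditionally, which overwrites rather than appends, so that part holds there.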

