On 17/06/16 23:19, Matt Park wrote:
[...]
> I've put about 20 hours into this and I'm pretty familiar with HAProxy, PKI
> and mutual auth in general. The only difference is that I need a v3
> attribute off a smart card vs a soft cert.
[...]

Hi Mark,

I don't think it is doable right now, either. There appears to be an entire API in openssl to deal with v3 attributes and it does not seem to be used in HAProxy:

https://github.com/openssl/openssl/blob/c8f717fe87632b3a29ad5d82718df28209ba72dd/include/openssl/x509v3.h

The whole of the certificate is under ssl_c_der (I'm sure you are aware of it) so without implementing the feature you need in HAProxy and short of figuring out how to pass that DER data to Lua for inspection and extraction of the attributes you need, the only other idea seems to be a thin tool in between HAProxy and backends that would receive the certificate on input from HAProxy, set REMOTE_USER and hand it over to a backend.

Not exactly ideal but I just don't see any other way as of today.

regards,

-- 
Dariusz Suchojad

https://zato.io
ESB, SOA, REST, APIs and Cloud Integrations in Python
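A sketch of the extraction step such an in-between tool would need, added here as an example and not taken from the message above or from HAProxy. It assumes HAProxy forwards `ssl_c_der` base64-encoded in a request header, and it uses subjectAltName (OID 2.5.29.17) as a stand-in because the thread does not name the attribute; all function names and the sample data are constructed for illustration.

```python
import base64
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed element's content into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(data):
    arcs, cur = [], 0
    for byte in data:                      # base-128 sub-identifiers, high bit = "more"
        cur = (cur << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(cur)
            cur = 0
    first = min(arcs[0] // 40, 2)          # first sub-identifier packs the first two arcs
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def v3_extensions(der):
    """Map extension OID -> raw extnValue bytes of a DER-encoded certificate."""
    tbs = children(read_tlv(der, 0)[1])[0][1]      # Certificate -> tbsCertificate
    found = {}
    for tag, val in children(tbs):
        if tag == 0xA3:                            # [3] EXPLICIT Extensions (v3 only)
            for _, ext in children(children(val)[0][1]):
                fields = children(ext)             # extnID, optional critical, extnValue
                found[decode_oid(fields[0][1])] = fields[-1][1]
    return found

def extension_from_header(b64_der, oid):  # returns None when the extension is absent
    return v3_extensions(base64.b64decode(b64_der, validate=True)).get(oid)

# Constructed input: a certificate-shaped DER skeleton, not a real signed certificate.
def tlv(tag, content):
    return bytes([tag, len(content)]) + content    # short-form lengths only
SAN = tlv(0x30, tlv(0x81, b"user@example.test"))   # GeneralNames { rfc822Name }
EXT = tlv(0x30, tlv(0x06, bytes([0x55, 0x1D, 0x11])) + tlv(0x04, SAN))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, EXT)))
SAMPLE_HEADER = base64.b64encode(tlv(0x30, TBS)).decode()
```

Because the backend will trust the REMOTE_USER derived from this value, the tool should accept the header only on connections from HAProxy, and HAProxy should delete any client-supplied copy of it before setting its own.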

