Hello,
The attached patch adds ACL support for the TLS ALPN extension (RFC 7301)
via "req.ssl_alpn", in a similar vein to "req.ssl_sni".
It is useful for pass-thru of TLS connections in scenarios like ACME's
tls-alpn-01.
Thank you
Alex
>From 8008e5e8f23747741ed005f56c247bcd366cfda9 Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet <[email protected]>
Date: Fri, 13 Oct 2017 12:15:28 +0200
Subject: [PATCH 1/3] MINOR: update proxy-protocol-v2 #define
Bring the PP2 TLV #define list in line with doc/proxy-protocol.txt.
---
include/types/connection.h | 15 +++++++++++----
src/connection.c | 4 ++--
2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/include/types/connection.h b/include/types/connection.h
index 1c923c578..eee75ec42 100644
--- a/include/types/connection.h
+++ b/include/types/connection.h
@@ -373,10 +373,17 @@ struct proxy_hdr_v2 {
} addr;
};
-#define PP2_TYPE_SSL 0x20
-#define PP2_TYPE_SSL_VERSION 0x21
-#define PP2_TYPE_SSL_CN 0x22
-#define PP2_TYPE_NETNS 0x30
+#define PP2_TYPE_ALPN 0x01
+#define PP2_TYPE_AUTHORITY 0x02
+#define PP2_TYPE_CRC32C 0x03
+#define PP2_TYPE_NOOP 0x04
+#define PP2_TYPE_SSL 0x20
+#define PP2_SUBTYPE_SSL_VERSION 0x21
+#define PP2_SUBTYPE_SSL_CN 0x22
+#define PP2_SUBTYPE_SSL_CIPHER 0x23
+#define PP2_SUBTYPE_SSL_SIG_ALG 0x24
+#define PP2_SUBTYPE_SSL_KEY_ALG 0x25
+#define PP2_TYPE_NETNS 0x30
#define TLV_HEADER_SIZE 3
struct tlv {
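Review bot: The new PP2_SUBTYPE_SSL_* constants are added to the same flat list as the top-level PP2_TYPE_* values, with nothing telling a reader that, judging by their names and the commit's reference to doc/proxy-protocol.txt, they are sub-TLV types carried inside a PP2_TYPE_SSL TLV value rather than top-level TLV types, so code matching incoming TLV type bytes against this list could confuse the two. I would separate the two groups with comments, e.g. `/* top-level TLV types */` above `#define PP2_TYPE_ALPN 0x01` and `/* sub-TLV types nested inside the PP2_TYPE_SSL TLV value (see doc/proxy-protocol.txt) */` above `#define PP2_SUBTYPE_SSL_VERSION 0x21`. Note also that renaming PP2_TYPE_SSL_VERSION and PP2_TYPE_SSL_CN drops the old names outright; the two users in src/connection.c are updated in this patch, but any other reference to the old names would fail to compile, so a grep across the tree before merging seems prudent. The enclosing struct proxy_hdr_v2 closes at the top of the hunk and struct tlv opens on its last line, so both definitions continue outside the hunk.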
diff --git a/src/connection.c b/src/connection.c
index 48f0ec331..a29bc2c32 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -1037,7 +1037,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
tlv->client |= PP2_CLIENT_SSL;
value = ssl_sock_get_version(remote);
if (value) {
- ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len-ret-ssl_tlv_len), PP2_TYPE_SSL_VERSION, strlen(value), value);
+ ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len-ret-ssl_tlv_len), PP2_SUBTYPE_SSL_VERSION, strlen(value), value);
}
if (ssl_sock_get_cert_used_sess(remote)) {
tlv->client |= PP2_CLIENT_CERT_SESS;
@@ -1048,7 +1048,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
cn_trash = get_trash_chunk();
if (ssl_sock_get_remote_common_name(remote, cn_trash) > 0) {
- ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
+ ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_SUBTYPE_SSL_CN, cn_trash->len, cn_trash->str);
}
}
}
--
2.11.0