Hi Michael,

On Sat, Jul 10, 2021 at 09:03:40AM +0200, Michael Stiller wrote:
> Hi List,
> 
> we have the following issue to solve:
> 
> A client puts some data value into a TLS Extension section (reserved or
> arbitrary id) in the ClientHello packet. I want to read this value and set a
> request header with that value which should be available to the backend which
> is designated to handle this request. Haproxy terminates / handles the SSL
> connection. 
> 
> My current idea is to somehow send that packet to a SPOE program, parse the
> ClientHello and send the value back to haproxy which sets the header. 
> 
> I am unsure if this is even remotely possible or which other options exist to 
> solve this.
> 
> I especially don't know how to detect and send the ClientHello to the SPOE.

There are some callbacks for some pieces of the client hello, but these
are mostly used to extract SNI or client certificates. I don't know if
there's anything standard to extract arbitrary TLS extensions.

> So some pointers or ideas are greatly appreciated.

Please could you have a look at ssl_sock.c:ssl_sock_switchctx_cbk() ?
There are some calls to certain SSL functions to retrieve some such info,
I don't know if they can be used for what you have in mind.

Willy

Reply via email to