Hi,

We noticed that `ssl_c_r_dn` (the Distinguished Name of the Root CA of the Client Certificate) returns empty/null for requests using a resumed SSL session, even when the initial handshake used a client certificate for mTLS authentication.

This behavior is somewhat understandable, as the client certificate chain is not presented again during SSL session resumption. The implementation in the HAProxy source code acknowledges that the value can be null [1]. However, the documentation for `ssl_c_r_dn` [2] does not mention this limitation, unlike `ssl_fc_has_crt`, where the exception for SSL resumption is clearly documented [3].

We would like to know whether it is feasible to cache `ssl_c_r_dn` from the initial handshake or to implement another solution to correctly set this variable for resumed SSL sessions. We would really appreciate it if you looked into this, as some of our usage scenarios rely on the field being set.

If it is not possible to change this behaviour, I propose to append the docs for `ssl_c_r_dn`, e.g. with the following: "Note: the field is empty on SSL session resumption with Session ID or TLS ticket, even when a client certificate was provided in the initial handshake of the session".

Many thanks in advance, please let me know if you need more information!

Best regards
Alexander Nicke

[1] https://github.com/haproxy/haproxy/commit/df97f472fad4ec7c2621d2e13db837a591742d9e#diff-fb2da9c96a2aff60fcb6dc4e7c6424c0bf538aa159ec384d16cd0d4b4ed0f7e3R321-R325 (ssl_c_r_dn was originally requested in https://github.com/haproxy/haproxy/issues/1514)
[2] https://docs.haproxy.org/2.8/configuration.html#ssl_c_r_dn
[3] https://docs.haproxy.org/2.8/configuration.html#ssl_fc_has_crt

Appendix: Some technical details.

We're currently using HAProxy 2.8.16 and OpenSSL 3.0.2 but assume that the behaviour is mostly version-independent (we are aware of https://www.haproxy.com/blog/state-of-ssl-stacks). We could reproduce the behaviour with TLS1.2 (SSL session resumption via Session ID or Session Ticket) and TLS1.3 (via Pre-Shared Key).

We used the following commands to trigger SSL resumption:

    echo "GET / HTTP/1.1\r\nHost: <host>\r\nConnection: close\r\n\r\n" | openssl s_client -connect <host>:443 -sess_out session -tls1_3 -cert <valid_client_cert> -key <valid_client_key> -quiet
    echo "GET / HTTP/1.1\r\nHost: <host>\r\nConnection: close\r\n\r\n" | openssl s_client -connect <host>:443 -sess_in session -tls1_3 -cert <valid_client_cert> -key <valid_client_key> -quiet
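The practical consequence of the behaviour reported above is that any `ssl_c_r_dn`-based rule in a frontend cannot be evaluated for resumed sessions, so it matters whether that rule fails open or fails closed. The following Python script is an added example, not part of the report and not HAProxy's own code: it triages access logs for this gap. It assumes a hypothetical custom `log-format` that emits `ssl_fc_is_resumed`, `ssl_c_used`, `ssl_c_s_dn` and `ssl_c_r_dn` per request (the format is shown in a comment), and the log lines are constructed samples. `classify()` counts how many requests carried a client certificate but no root DN, split by whether the session was resumed; `policy_decision()` emulates an ACL keyed on `ssl_c_r_dn` and shows that a rule of the form "deny if the root DN is present and not trusted" silently allows every resumed session, whereas a fail-closed rule denies them.

```python
"""Triage HAProxy access logs for the ssl_c_r_dn-on-resumption gap.

Added example, not part of the report. It assumes a hypothetical custom
log-format (see the comment above LINE_RE) that emits ssl_fc_is_resumed,
ssl_c_used, ssl_c_s_dn and ssl_c_r_dn for each request.
"""
import re
from collections import Counter

# Assumed log-format (hypothetical, not the reporter's configuration):
# log-format "%ci [%t] resumed=%[ssl_fc_is_resumed] c_used=%[ssl_c_used] \
#             c_s_dn=%[ssl_c_s_dn] c_r_dn=%[ssl_c_r_dn] %HM %HU"
LINE_RE = re.compile(
    r"^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "
    r"resumed=(?P<resumed>[01]) c_used=(?P<c_used>[01]) "
    r"c_s_dn=(?P<c_s_dn>.*?) c_r_dn=(?P<c_r_dn>.*?) "
    r"(?P<method>[A-Z]+) (?P<uri>\S+)$"
)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 [01/Jan/2024:10:00:00.000] resumed=0 c_used=1 c_s_dn=/CN=device-42 c_r_dn=/CN=Example Root CA GET /api
198.51.100.7 [01/Jan/2024:10:00:01.000] resumed=1 c_used=1 c_s_dn=/CN=device-42 c_r_dn= GET /api
203.0.113.9 [01/Jan/2024:10:00:02.000] resumed=0 c_used=0 c_s_dn= c_r_dn= GET /healthz
203.0.113.9 [01/Jan/2024:10:00:03.000] resumed=1 c_used=1 c_s_dn=/CN=device-7 c_r_dn= POST /api/upload
"""


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["resumed"] = rec["resumed"] == "1"
    rec["c_used"] = rec["c_used"] == "1"
    return rec


def classify(rec):
    """Label one request by whether a root-DN check could have been evaluated."""
    if not rec["c_used"]:
        return "no_client_cert"
    if rec["c_r_dn"]:
        return "root_dn_present"
    if rec["resumed"]:
        # The behaviour described in the report: cert used, chain not re-sent.
        return "root_dn_missing_resumed"
    # A full handshake without a root DN is unexpected and worth investigating.
    return "root_dn_missing_full_handshake"


def policy_decision(rec, allowed_root_dns, fail_closed=True):
    """Emulate an ACL keyed on ssl_c_r_dn.

    fail_closed=False mirrors a rule like "deny if the root DN is present and
    not allowed", which passes every resumed session because the DN is empty.
    fail_closed=True denies whenever the DN cannot be checked.
    """
    if rec["c_r_dn"]:
        return "allow" if rec["c_r_dn"] in allowed_root_dns else "deny"
    return "deny" if fail_closed else "allow"


def triage(log_text):
    """Count classifications; return (Counter, number of unparsed lines)."""
    counts = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        counts[classify(rec)] += 1
    return counts, unparsed


if __name__ == "__main__":
    counts, bad = triage(SAMPLE_LOG)
    for label, n in sorted(counts.items()):
        print(f"{label:32s} {n}")
    print(f"unparsed lines: {bad}")
```

Run against a real log exported with the assumed format, a non-zero `root_dn_missing_resumed` count quantifies how much traffic a root-DN rule currently cannot see; until the fetch is cached across resumption, that rule should be written fail-closed, or combined with a fetch that remains available on resumed sessions.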

