Hello, On Thu, Jan 15, 2026 at 12:25:12PM +0000, Simon Ser wrote: > Add the PP2_SUBTYPE_SSL_CERT code point reservation in the proxy > protocol specification. This is useful in cases where the backend > needs to perform mTLS authentication, but the rules for certificate > validation are backend-specific (e.g. database of allowed > certificate hashes).
Thanks. I thought it was already being passed, but apparently not, it was only the info of whether or not it's valid. Given how ambiguous everything is in proxies and in SSL, may I suggest that you call it "PP2_SUBTYPE_SSL_CLIENT_CERT" (explicitly add the notion of client) ? Otherwise if later we have to do the same for the server, for whatever reason, it would become very confusing. > @@ -672,6 +674,10 @@ The second level TLV PP2_SUBTYPE_SSL_SIG_SCHEME provides > the US-ASCII string > name of the algorithm the frontend used to sign the ServerKeyExchange or > CertificateVerify message, for example "rsa_pss_rsae_sha256". > > +The optional second level TLV PP2_SUBTYPE_SSL_CERT provides the raw X.509 > +client certificate encoded in ASN.1 DER. The frontend may choose to omit this > +TLV depending on configuration. > + Is this something we can already do using the manual TLV encoding in haproxy, or is this something you have added support for in another implementation ? I'm asking because as you see, I'm not super familiar with everything that can currently be done, and am making sure that users seeking exactly this and finding it in the doc will know how to exploit it. thanks! Willy
