On Friday, January 16th, 2026 at 09:07, Willy Tarreau <[email protected]> wrote:
> On Thu, Jan 15, 2026 at 12:25:12PM +0000, Simon Ser wrote: > > > Add the PP2_SUBTYPE_SSL_CERT code point reservation in the proxy > > protocol specification. This is useful in cases where the backend > > needs to perform mTLS authentication, but the rules for certificate > > validation are backend-specific (e.g. database of allowed > > certificate hashes). > > Thanks. I thought it was already being passed, but apparently not, > it was only the info of whether or not it's valid. Given how ambiguous > everything is in proxies and in SSL, may I suggest that you call it > "PP2_SUBTYPE_SSL_CLIENT_CERT" (explicitly add the notion of client) ? > Otherwise if later we have to do the same for the server, for whatever > reason, it would become very confusing. Sure, sounds good! > > @@ -672,6 +674,10 @@ The second level TLV PP2_SUBTYPE_SSL_SIG_SCHEME > > provides the US-ASCII string > > name of the algorithm the frontend used to sign the ServerKeyExchange or > > CertificateVerify message, for example "rsa_pss_rsae_sha256". > > > > +The optional second level TLV PP2_SUBTYPE_SSL_CERT provides the raw X.509 > > +client certificate encoded in ASN.1 DER. The frontend may choose to omit > > this > > +TLV depending on configuration. > > + > > Is this something we can already do using the manual TLV encoding in > haproxy, or is this something you have added support for in another > implementation ? I'm asking because as you see, I'm not super familiar > with everything that can currently be done, and am making sure that users > seeking exactly this and finding it in the doc will know how to exploit it. I've added support for this in another implementation [1] [2]. haproxy itself doesn't support it at this time. Is haproxy support required to add PROXY protocol features? Thanks, Simon [1]: https://codeberg.org/emersion/tlstunnel/pulls/33 [2]: https://codeberg.org/emersion/soju/pulls/356
