On Sun, Jan 18, 2026 at 08:15:01PM +0000, Simon Ser wrote:
> On Friday, January 16th, 2026 at 09:07, Willy Tarreau <[email protected]> wrote:
> 
> > On Thu, Jan 15, 2026 at 12:25:12PM +0000, Simon Ser wrote:
> > 
> > > Add the PP2_SUBTYPE_SSL_CERT code point reservation in the proxy
> > > protocol specification. This is useful in cases where the backend
> > > needs to perform mTLS authentication, but the rules for certificate
> > > validation are backend-specific (e.g. database of allowed
> > > certificate hashes).
> > 
> > Thanks. I thought it was already being passed, but apparently not,
> > it was only the info of whether or not it's valid. Given how ambiguous
> > everything is in proxies and in SSL, may I suggest that you call it
> > "PP2_SUBTYPE_SSL_CLIENT_CERT" (explicitly add the notion of client) ?
> > Otherwise if later we have to do the same for the server, for whatever
> > reason, it would become very confusing.
> 
> Sure, sounds good!

OK.

> > > @@ -672,6 +674,10 @@ The second level TLV PP2_SUBTYPE_SSL_SIG_SCHEME 
> > > provides the US-ASCII string
> > > name of the algorithm the frontend used to sign the ServerKeyExchange or
> > > CertificateVerify message, for example "rsa_pss_rsae_sha256".
> > > 
> > > +The optional second level TLV PP2_SUBTYPE_SSL_CERT provides the raw X.509
> > > +client certificate encoded in ASN.1 DER. The frontend may choose to omit 
> > > this
> > > +TLV depending on configuration.
> > > +
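Review bot: the added paragraph ("+The optional second level TLV PP2_SUBTYPE_SSL_CERT provides the raw X.509" through "+TLV depending on configuration.") leaves three things a backend implementer needs undefined. It should say whether the value is the client's end-entity (leaf) certificate only or the whole chain; it should say what the frontend does when the DER does not fit, since the v2 header length is a 16-bit field and a full chain can exceed it (omit the TLV rather than truncate it, ideally stated explicitly next to "may choose to omit this TLV depending on configuration"); and it should say that presence of the certificate implies nothing about validation, pointing readers to the existing verify information Willy mentions earlier in the thread. Also, the name used here is still PP2_SUBTYPE_SSL_CERT while the thread settled on PP2_SUBTYPE_SSL_CLIENT_CERT; the paragraph and the code-point table should use the same name.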
> > 
> > Is this something we can already do using the manual TLV encoding in
> > haproxy, or is this something you have added support for in another
> > implementation ? I'm asking because as you see, I'm not super familiar
> > with everything that can currently be done, and am making sure that users
> > seeking exactly this and finding it in the doc will know how to exploit it.
> 
> I've added support for this in another implementation [1] [2].

OK great!

> haproxy
> itself doesn't support it at this time. Is haproxy support required to
> add PROXY protocol features?

No, not at all. I suspect it can be done by manually setting the proper
TLV fields anyway.

Thanks,
Willy
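As an added example of what a backend consuming this TLV has to do (the "database of allowed certificate hashes" case from the commit message), here is a small PROXY protocol v2 encoder/decoder that extracts the client certificate sub-TLV from PP2_TYPE_SSL and authorizes the connection against a SHA-256 fingerprint allowlist. This is not code from the patch, from haproxy or from Simon's implementation. The code point 0x26 for PP2_SUBTYPE_SSL_CLIENT_CERT is an assumed placeholder (the page does not assign one), and the "certificate" bytes are a constructed DER SEQUENCE, not a real X.509 certificate.

```python
import hashlib
import ipaddress
import struct

# Constants taken from the PROXY protocol v2 specification.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_SSL = 0x20
PP2_SUBTYPE_SSL_VERSION = 0x21
PP2_CLIENT_SSL = 0x01
PP2_CLIENT_CERT_CONN = 0x02
PP2_CLIENT_CERT_SESS = 0x04
# ASSUMPTION: the page does not give the code point for the client-certificate
# sub-TLV; 0x26 is a placeholder chosen for this example only.
PP2_SUBTYPE_SSL_CLIENT_CERT = 0x26

# Constructed stand-in for a DER certificate (a valid DER SEQUENCE, not a real
# X.509 certificate); only its bytes and its hash matter here.
SAMPLE_CLIENT_DER = b"\x30\x0b\x02\x01\x05\x04\x06client"

# Address block length per family/protocol byte (INET, INET6, UNIX).
ADDR_LEN = {0x11: 12, 0x12: 12, 0x21: 36, 0x22: 36, 0x31: 216, 0x32: 216}


def encode_tlv(tlv_type, value):
    if len(value) > 0xFFFF:
        raise ValueError("TLV value exceeds 16-bit length")
    return struct.pack("!BH", tlv_type, len(value)) + value


def decode_tlvs(buf):
    """Parse a run of TLVs; reject truncation instead of silently stopping."""
    out, off = [], 0
    while off < len(buf):
        if off + 3 > len(buf):
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!BH", buf, off)
        off += 3
        if off + length > len(buf):
            raise ValueError("truncated TLV value")
        out.append((tlv_type, buf[off:off + length]))
        off += length
    return out


def build_ssl_tlv(client_flags, verify, der_cert):
    """PP2_TYPE_SSL value: client byte, 32-bit verify, then sub-TLVs."""
    sub = encode_tlv(PP2_SUBTYPE_SSL_VERSION, b"TLSv1.3")
    if der_cert is not None:  # frontend may omit the certificate TLV
        sub += encode_tlv(PP2_SUBTYPE_SSL_CLIENT_CERT, der_cert)
    return encode_tlv(PP2_TYPE_SSL, bytes([client_flags]) + struct.pack("!I", verify) + sub)


def build_v2_header(src, dst, sport, dport, tlvs):
    """PROXY v2 header: signature, ver/cmd 0x21, TCP over IPv4 (0x11), length, body."""
    body = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HH", sport, dport) + b"".join(tlvs))
    if len(body) > 0xFFFF:
        raise ValueError("body does not fit the 16-bit length field")
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body


def parse_v2_header(data):
    """Return (tlvs, remaining_bytes) for a v2 PROXY-command header."""
    if not data.startswith(PP2_SIGNATURE):
        raise ValueError("bad PROXY v2 signature")
    ver_cmd, fam, length = struct.unpack_from("!BBH", data, 12)
    if ver_cmd != 0x21:
        raise ValueError("not a v2 PROXY command (LOCAL is not handled here)")
    if len(data) < 16 + length:
        raise ValueError("short read")
    addr_len = ADDR_LEN.get(fam)
    if addr_len is None:
        raise ValueError("unsupported address family")
    body = data[16:16 + length]
    return decode_tlvs(body[addr_len:]), data[16 + length:]


def fingerprint(der_cert):
    return hashlib.sha256(der_cert).hexdigest()


def authorize_client(tlvs, allowed_fingerprints):
    """Backend-specific rule: the DER certificate's SHA-256 must be allowlisted."""
    ssl = [v for t, v in tlvs if t == PP2_TYPE_SSL]
    if not ssl:
        return False, "no PP2_TYPE_SSL TLV"
    if len(ssl[0]) < 5:
        return False, "malformed PP2_TYPE_SSL TLV"
    client_flags = ssl[0][0]
    cert = dict(decode_tlvs(ssl[0][5:])).get(PP2_SUBTYPE_SSL_CLIENT_CERT)
    if not client_flags & (PP2_CLIENT_CERT_CONN | PP2_CLIENT_CERT_SESS):
        return False, "frontend reports no client certificate"
    if cert is None:
        return False, "frontend omitted the client-certificate TLV"
    if not cert.startswith(b"\x30"):
        return False, "certificate is not a DER SEQUENCE"
    fp = fingerprint(cert)
    if fp not in allowed_fingerprints:
        return False, "fingerprint not in allowlist"
    return True, fp


def demo():
    """Round-trip a header carrying the cert, then one where the frontend omitted it."""
    allowed = {fingerprint(SAMPLE_CLIENT_DER)}
    payload = b"GET / HTTP/1.1\r\n\r\n"
    flags = PP2_CLIENT_SSL | PP2_CLIENT_CERT_CONN
    with_cert = build_v2_header("10.0.0.1", "10.0.0.2", 51000, 443,
                                [build_ssl_tlv(flags, 0, SAMPLE_CLIENT_DER)])
    tlvs, rest = parse_v2_header(with_cert + payload)
    accepted, _ = authorize_client(tlvs, allowed)
    omitted = build_v2_header("10.0.0.1", "10.0.0.2", 51000, 443,
                              [build_ssl_tlv(flags, 0, None)])
    rejected, _ = authorize_client(parse_v2_header(omitted)[0], allowed)
    return accepted, rejected, rest == payload
```

Two design choices worth noting: the 32-bit verify field is deliberately not consulted, because in the scenario from the commit message the backend applies its own rule instead of the frontend's chain validation; a deployment that wants both should additionally require it to be zero. And the allowlist only means anything if the frontend is trusted and the TLV can only come from it, since anyone able to send a PROXY header to the backend could otherwise supply an arbitrary certificate.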
