Add the PP2_SUBTYPE_SSL_CLIENT_CERT code point reservation in the proxy protocol specification. This is useful in cases where the backend needs to perform mTLS authentication, but the rules for certificate validation are backend-specific (e.g. database of allowed certificate hashes).
This is left optional to leave it up to the frontend configuration to dictate whether to forward raw certificate data. Support for this new TLV has been added in tlstunnel: https://codeberg.org/emersion/tlstunnel/pulls/33 --- Changes in v2: rename to PP2_SUBTYPE_SSL_CLIENT_CERT, add reference to implementation in commit message. doc/proxy-protocol.txt | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt index fe96d3b13b01..2c5cfae9633e 100644 --- a/doc/proxy-protocol.txt +++ b/doc/proxy-protocol.txt @@ -30,6 +30,7 @@ Revision history 2020/03/05 - added the unique ID TLV type (Tim Düsterhus) 2025/09/09 - added SSL-related TLVs for key exchange group and signature scheme (Steven Collison) + 2026/01/15 - added SSL client certificate TLV (Simon Ser) 1. Background 
@@ -536,20 +537,21 @@ the information they choose to publish. The following types have already been registered for the <type> field : - #define PP2_TYPE_ALPN 0x01 - #define PP2_TYPE_AUTHORITY 0x02 - #define PP2_TYPE_CRC32C 0x03 - #define PP2_TYPE_NOOP 0x04 - #define PP2_TYPE_UNIQUE_ID 0x05 - #define PP2_TYPE_SSL 0x20 - #define PP2_SUBTYPE_SSL_VERSION 0x21 - #define PP2_SUBTYPE_SSL_CN 0x22 - #define PP2_SUBTYPE_SSL_CIPHER 0x23 - #define PP2_SUBTYPE_SSL_SIG_ALG 0x24 - #define PP2_SUBTYPE_SSL_KEY_ALG 0x25 - #define PP2_SUBTYPE_SSL_GROUP 0x26 - #define PP2_SUBTYPE_SSL_SIG_SCHEME 0x27 - #define PP2_TYPE_NETNS 0x30 + #define PP2_TYPE_ALPN 0x01 + #define PP2_TYPE_AUTHORITY 0x02 + #define PP2_TYPE_CRC32C 0x03 + #define PP2_TYPE_NOOP 0x04 + #define PP2_TYPE_UNIQUE_ID 0x05 + #define PP2_TYPE_SSL 0x20 + #define PP2_SUBTYPE_SSL_VERSION 0x21 + #define PP2_SUBTYPE_SSL_CN 0x22 + #define PP2_SUBTYPE_SSL_CIPHER 0x23 + #define PP2_SUBTYPE_SSL_SIG_ALG 0x24 + #define PP2_SUBTYPE_SSL_KEY_ALG 0x25 + #define PP2_SUBTYPE_SSL_GROUP 0x26 + #define PP2_SUBTYPE_SSL_SIG_SCHEME 0x27 + #define PP2_SUBTYPE_SSL_CLIENT_CERT 0x28 + #define PP2_TYPE_NETNS 0x30 2.2.1 PP2_TYPE_ALPN @@ -672,6 +674,10 @@ The second level TLV PP2_SUBTYPE_SSL_SIG_SCHEME provides the US-ASCII string name of the algorithm the frontend used to sign the ServerKeyExchange or CertificateVerify message, for example "rsa_pss_rsae_sha256". +The optional second level TLV PP2_SUBTYPE_SSL_CLIENT_CERT provides the raw +X.509 client certificate encoded in ASN.1 DER. The frontend may choose to omit +this TLV depending on configuration. + In all cases, the string representation (in UTF8) of the Common Name field (OID: 2.5.4.3) of the client certificate's Distinguished Name, is appended using the TLV format and the type PP2_SUBTYPE_SSL_CN. E.g. "example.com". -- 2.52.0
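Review bot: in the registered-types hunk, the 14 `-`/`+` pairs from `#define PP2_TYPE_ALPN 0x01` through `#define PP2_TYPE_NETNS 0x30` keep the same names and values; the only substantive change is the inserted `#define PP2_SUBTYPE_SSL_CLIENT_CERT 0x28`, so the rest of the churn is column realignment for the longer name (which is why the diffstat shows 14 deletions for a one-line addition). If the maintainers prefer a minimal diff, keep the existing column width or move the realignment into a separate whitespace-only commit so the reservation stands out in history. The value itself looks right: 0x28 continues the 0x2x SSL sub-type run after PP2_SUBTYPE_SSL_SIG_SCHEME 0x27 and stays clear of PP2_TYPE_NETNS 0x30.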
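Review bot: the new PP2_SUBTYPE_SSL_CLIENT_CERT paragraph leaves two things undefined that a backend implementer needs. First, whether the frontend forwards the certificate even when its own verification failed or was not attempted: since the commit message motivates the TLV with backend-specific validation such as a database of allowed certificate hashes, the text should say which it is, and that receivers must not treat the presence of this TLV as proof of verification but must apply their own checks to the DER before granting anything on the strength of it. Second, whether the value is the end-entity certificate only or may carry the chain the client sent; `provides the raw X.509 client certificate` reads as the leaf, and saying so explicitly (together with the fact that the bytes are forwarded as presented, not re-encoded) keeps hash-based allowlists on the backend deterministic. A possible wording, to be adjusted to the intended behaviour: `provides the raw X.509 end-entity certificate presented by the client, encoded in ASN.1 DER exactly as received. Receivers must perform their own validation of this certificate.`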
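As an added example (not code from the patch, HAProxy or tlstunnel): a backend-side Go parser and authorizer for the use case the commit message describes, a backend that does its own mTLS decision from a database of allowed certificate hashes. It assumes the PP2_TYPE_SSL layout of the existing specification (a 1-byte `client` flags field, a 4-byte `verify` field, then sub-TLVs) and the 0x28 code point this patch reserves; `ParseProxyV2`, `Authorize`, `BuildSampleHeader`, the 10.0.0.x addresses and the placeholder certificate bytes are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Code points from doc/proxy-protocol.txt; 0x28 is the value this patch proposes.
const pp2TypeSSL, pp2SubtypeSSLCN, pp2SubtypeSSLClientCert, pp2ClientSSL = 0x20, 0x22, 0x28, 0x01
var pp2Signature = []byte("\r\n\r\n\x00\r\nQUIT\n")

// ClientInfo is what the backend extracts from the header.
type ClientInfo struct {
	SSL, Verified bool   // PP2_CLIENT_SSL flag; the frontend's own result (verify field == 0)
	CN            string // PP2_SUBTYPE_SSL_CN
	CertDER       []byte // PP2_SUBTYPE_SSL_CLIENT_CERT; nil when the frontend omitted it
}

// parseTLVs walks <type:1><length:2 big-endian><value> records, rejecting truncation.
func parseTLVs(b []byte, fn func(t byte, v []byte) error) error {
	for len(b) > 0 {
		if len(b) < 3 || len(b) < 3+int(binary.BigEndian.Uint16(b[1:3])) {
			return errors.New("truncated TLV")
		}
		n := int(binary.BigEndian.Uint16(b[1:3]))
		if err := fn(b[0], b[3:3+n]); err != nil {
			return err
		}
		b = b[3+n:]
	}
	return nil
}

// ParseProxyV2 parses a PROXY v2 header (TCP over IPv4 only) and returns the TLS info plus the bytes consumed.
func ParseProxyV2(hdr []byte) (*ClientInfo, int, error) {
	if len(hdr) < 16 || !bytes.Equal(hdr[:12], pp2Signature) || hdr[12]>>4 != 2 {
		return nil, 0, errors.New("not a PROXY v2 header")
	}
	n := int(binary.BigEndian.Uint16(hdr[14:16])) // length of addresses + TLVs
	if hdr[13] != 0x11 || n < 12 || len(hdr) < 16+n {
		return nil, 0, errors.New("unsupported family or truncated header")
	}
	info := &ClientInfo{}
	err := parseTLVs(hdr[28:16+n], func(t byte, v []byte) error { // 12 address bytes precede the TLVs
		if t != pp2TypeSSL {
			return nil // other TLV types are not needed here
		} else if len(v) < 5 {
			return errors.New("short PP2_TYPE_SSL value")
		}
		info.SSL, info.Verified = v[0]&pp2ClientSSL != 0, binary.BigEndian.Uint32(v[1:5]) == 0
		return parseTLVs(v[5:], func(st byte, sv []byte) error {
			switch st {
			case pp2SubtypeSSLCN:
				info.CN = string(sv)
			case pp2SubtypeSSLClientCert:
				info.CertDER = append([]byte(nil), sv...)
			}
			return nil
		})
	})
	if err != nil {
		return nil, 0, err
	}
	return info, 16 + n, nil
}

// Authorize is the backend's own rule from the commit message: allow only an allowlisted SHA-256 of the DER, never the CN or the frontend's verify flag alone.
func Authorize(info *ClientInfo, allowed map[string]bool) (bool, string) {
	if info == nil || !info.SSL || info.CertDER == nil {
		return false, "no client certificate forwarded"
	}
	sum := sha256.Sum256(info.CertDER)
	if fp := hex.EncodeToString(sum[:]); !allowed[fp] {
		return false, "fingerprint not allowlisted: " + fp
	}
	return true, "ok"
}

func tlv(t byte, v []byte) []byte { return append([]byte{t, byte(len(v) >> 8), byte(len(v))}, v...) }

// BuildSampleHeader plays the frontend (10.0.0.1:50000 -> 10.0.0.2:443, TCP/IPv4, verify=1 meaning not verified); certDER is a placeholder, not real DER.
func BuildSampleHeader(cn string, certDER []byte) []byte {
	ssl := append([]byte{pp2ClientSSL | 0x02 /* PP2_CLIENT_CERT_CONN */, 0, 0, 0, 1}, tlv(pp2SubtypeSSLCN, []byte(cn))...)
	if certDER != nil {
		ssl = append(ssl, tlv(pp2SubtypeSSLClientCert, certDER)...)
	}
	body := append([]byte{10, 0, 0, 1, 10, 0, 0, 2, 0xc3, 0x50, 0x01, 0xbb}, tlv(pp2TypeSSL, ssl)...)
	hdr := append(append([]byte(nil), pp2Signature...), 0x21, 0x11, byte(len(body)>>8), byte(len(body)))
	return append(hdr, body...)
}

func main() {
	info, _, _ := ParseProxyV2(BuildSampleHeader("example.com", []byte("constructed placeholder DER bytes")))
	fmt.Println(Authorize(info, map[string]bool{})) // empty allowlist: prints false and the rejected fingerprint
}
```

The builder stands in for the frontend so the block runs offline; with a real frontend the backend reads the header from the accepted socket before any application bytes, and `ParseProxyV2` returns how many bytes the header occupied so the caller knows where the application stream begins. `Authorize` deliberately ignores both the CN and the frontend's `verify` field: the decision rests on the forwarded DER bytes alone, which is what the new TLV makes possible. Running `main` with an empty allowlist prints the rejected fingerprint, which is the value a deployment would add to its database of allowed certificate hashes.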

