Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / a598b500b474280ae3bc86a0a10c871f1ca72d96^! / . / doc / configuration.txt
commita598b500b474280ae3bc86a0a10c871f1ca72d96[log] [tgz]
authorWilliam Dauchy <w.dauchy@criteo.com>Thu Aug 06 18:11:38 2020 +0200
committerWilliam Lallemand <wlallemand@haproxy.org>Fri Aug 07 15:38:40 2020 +0200
tree12c1417006a549677ae9e07eaa7be83a43f72244
parent98c35045aa5b0975b74a7eeaffc8b113fc7a0b42 [diff] [blame]
MINOR: ssl: add ssl_{c,s}_chain_der fetch methods

Following work from Arjen and Mathilde, it adds ssl_{c,s}_chain_der
methods; it returns DER encoded certs from SSL_get_peer_cert_chain

Also update existing vtc tests to add random intermediate certificates

When getting the result through this header:
  http-response add-header x-ssl-chain-der %[ssl_c_chain_der,hex]
One can parse it with any lib accepting ASN.1 DER data, such as in go:
  bin, err := encoding/hex.DecodeString(cert)
  certs_parsed, err := x509.ParseCertificates(bin)

Cc: Arjen Nienhuis <arjen@zorgdoc.nl>
Signed-off-by: Mathilde Gilles <m.gilles@criteo.com>
Signed-off-by: William Dauchy <w.dauchy@criteo.com>

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 9afb566..98ec939 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt

@@ -17062,6 +17062,13 @@
   incoming connection was made over an SSL/TLS transport layer. When used for
   an ACL, the value(s) to match against can be passed in hexadecimal form.
 
+ssl_c_der_chain : binary
+  Returns the DER formatted chain certificate presented by the client when the
+  incoming connection was made over an SSL/TLS transport layer. When used for
+  an ACL, the value(s) to match against can be passed in hexadecimal form. One
+  can parse the result with any lib accepting ASN.1 DER data. It currentlly
+  does not support resumed sessions.
+
 ssl_c_err : integer
   When the incoming connection was made over an SSL/TLS transport layer,
   returns the ID of the first error detected during verification at depth 0, or
@@ -17426,6 +17433,13 @@
   outgoing connection was made over an SSL/TLS transport layer. When used for
   an ACL, the value(s) to match against can be passed in hexadecimal form.
 
+ssl_s_chain_der : binary
+  Returns the DER formatted chain certificate presented by the server when the
+  outgoing connection was made over an SSL/TLS transport layer. When used for
+  an ACL, the value(s) to match against can be passed in hexadecimal form. One
+  can parse the result with any lib accepting ASN.1 DER data. It currentlly
+  does not support resumed sessions.
+
 ssl_s_key_alg : string
   Returns the name of the algorithm used to generate the key of the certificate
   presented by the server when the outgoing connection was made over an