DOC: proxy-protocol: Add SSL client certificate TLV

Add the PP2_SUBTYPE_SSL_CLIENT_CERT code point reservation in the proxy protocol specification. This is useful in cases where the backend needs to perform mTLS authentication, but the rules for certificate validation are backend-specific (e.g. database of allowed certificate hashes). This is left optional to leave it up to the frontend configuration to dictate whether to forward raw certificate data. Support for this new TLV has been added in tlstunnel: https://codeberg.org/emersion/tlstunnel/pulls/33
2026-02-03 20:39:41 -05:00 · 2026-01-19 23:38:11 +00:00 · 2026-01-19 23:38:11 +00:00 · 6f5def3cbd
commit 6f5def3cbd
parent 9156d5f775
1 changed files with 20 additions and 14 deletions
--- a/doc/proxy-protocol.txt
+++ b/doc/proxy-protocol.txt
@ -30,6 +30,7 @@ Revision history
   2020/03/05 - added the unique ID TLV type (Tim Düsterhus)
   2025/09/09 - added SSL-related TLVs for key exchange group and signature
                scheme (Steven Collison)
+   2026/01/15 - added SSL client certificate TLV (Simon Ser)

 1. Background

@ -536,20 +537,21 @@ the information they choose to publish.

 The following types have already been registered for the <type> field :

-        #define PP2_TYPE_ALPN              0x01
-        #define PP2_TYPE_AUTHORITY         0x02
-        #define PP2_TYPE_CRC32C            0x03
-        #define PP2_TYPE_NOOP              0x04
-        #define PP2_TYPE_UNIQUE_ID         0x05
-        #define PP2_TYPE_SSL               0x20
-        #define PP2_SUBTYPE_SSL_VERSION    0x21
-        #define PP2_SUBTYPE_SSL_CN         0x22
-        #define PP2_SUBTYPE_SSL_CIPHER     0x23
-        #define PP2_SUBTYPE_SSL_SIG_ALG    0x24
-        #define PP2_SUBTYPE_SSL_KEY_ALG    0x25
-        #define PP2_SUBTYPE_SSL_GROUP      0x26
-        #define PP2_SUBTYPE_SSL_SIG_SCHEME 0x27
-        #define PP2_TYPE_NETNS             0x30
+        #define PP2_TYPE_ALPN               0x01
+        #define PP2_TYPE_AUTHORITY          0x02
+        #define PP2_TYPE_CRC32C             0x03
+        #define PP2_TYPE_NOOP               0x04
+        #define PP2_TYPE_UNIQUE_ID          0x05
+        #define PP2_TYPE_SSL                0x20
+        #define PP2_SUBTYPE_SSL_VERSION     0x21
+        #define PP2_SUBTYPE_SSL_CN          0x22
+        #define PP2_SUBTYPE_SSL_CIPHER      0x23
+        #define PP2_SUBTYPE_SSL_SIG_ALG     0x24
+        #define PP2_SUBTYPE_SSL_KEY_ALG     0x25
+        #define PP2_SUBTYPE_SSL_GROUP       0x26
+        #define PP2_SUBTYPE_SSL_SIG_SCHEME  0x27
+        #define PP2_SUBTYPE_SSL_CLIENT_CERT 0x28
+        #define PP2_TYPE_NETNS              0x30


 2.2.1 PP2_TYPE_ALPN
@ -672,6 +674,10 @@ The second level TLV PP2_SUBTYPE_SSL_SIG_SCHEME provides the US-ASCII string
 name of the algorithm the frontend used to sign the ServerKeyExchange or
 CertificateVerify message, for example "rsa_pss_rsae_sha256".

+The optional second level TLV PP2_SUBTYPE_SSL_CLIENT_CERT provides the raw
+X.509 client certificate encoded in ASN.1 DER. The frontend may choose to omit
+this TLV depending on configuration.
+
 In all cases, the string representation (in UTF8) of the Common Name field
 (OID: 2.5.4.3) of the client certificate's Distinguished Name, is appended
 using the TLV format and the type PP2_SUBTYPE_SSL_CN. E.g. "example.com".