This change adds the PP2_SUBTYPE_SSL_GROUP and PP2_SUBTYPE_SSL_SIG_SCHEME code point reservations in proxy_protocol.txt. The motivation for adding these two TLVs is for backend visibility into the negotiated TLS key exchange group and handshake signature scheme.
Demand for visibility is expected to increase as endpoints migrate to use new Post-Quantum resistant algorithms for key exchange and signatures. --- doc/proxy-protocol.txt | 37 ++++++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt index 75a7e1f74..fe96d3b13 100644 --- a/doc/proxy-protocol.txt +++ b/doc/proxy-protocol.txt @@ -28,7 +28,8 @@ Revision history string encoding. With contributions from Andriy Palamarchuk (Amazon.com). 2020/03/05 - added the unique ID TLV type (Tim Düsterhus) - + 2025/09/09 - added SSL-related TLVs for key exchange group and signature + scheme (Steven Collison) 1. Background @@ -535,18 +536,20 @@ the information they choose to publish. The following types have already been registered for the <type> field : - #define PP2_TYPE_ALPN 0x01 - #define PP2_TYPE_AUTHORITY 0x02 - #define PP2_TYPE_CRC32C 0x03 - #define PP2_TYPE_NOOP 0x04 - #define PP2_TYPE_UNIQUE_ID 0x05 - #define PP2_TYPE_SSL 0x20 - #define PP2_SUBTYPE_SSL_VERSION 0x21 - #define PP2_SUBTYPE_SSL_CN 0x22 - #define PP2_SUBTYPE_SSL_CIPHER 0x23 - #define PP2_SUBTYPE_SSL_SIG_ALG 0x24 - #define PP2_SUBTYPE_SSL_KEY_ALG 0x25 - #define PP2_TYPE_NETNS 0x30 + #define PP2_TYPE_ALPN 0x01 + #define PP2_TYPE_AUTHORITY 0x02 + #define PP2_TYPE_CRC32C 0x03 + #define PP2_TYPE_NOOP 0x04 + #define PP2_TYPE_UNIQUE_ID 0x05 + #define PP2_TYPE_SSL 0x20 + #define PP2_SUBTYPE_SSL_VERSION 0x21 + #define PP2_SUBTYPE_SSL_CN 0x22 + #define PP2_SUBTYPE_SSL_CIPHER 0x23 + #define PP2_SUBTYPE_SSL_SIG_ALG 0x24 + #define PP2_SUBTYPE_SSL_KEY_ALG 0x25 + #define PP2_SUBTYPE_SSL_GROUP 0x26 + #define PP2_SUBTYPE_SSL_SIG_SCHEME 0x27 + #define PP2_TYPE_NETNS 0x30 2.2.1 PP2_TYPE_ALPN @@ -661,6 +664,14 @@ of the algorithm used to generate the key of the certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer, for example "RSA2048". +The second level TLV PP2_SUBTYPE_SSL_GROUP provides the US-ASCII string name of +the key exchange algorithm used for the frontend TLS connection, for example +"secp256r1". + +The second level TLV PP2_SUBTYPE_SSL_SIG_SCHEME provides the US-ASCII string +name of the algorithm the frontend used to sign the ServerKeyExchange or +CertificateVerify message, for example "rsa_pss_rsae_sha256". + In all cases, the string representation (in UTF8) of the Common Name field (OID: 2.5.4.3) of the client certificate's Distinguished Name, is appended using the TLV format and the type PP2_SUBTYPE_SSL_CN. E.g. "example.com". -- 2.39.5 (Apple Git-154)
