Inserting SSL/TLS Certificate Information into HTTP Headers

January 28, 2016 by author

You can insert quite a lot of SSL/TLS client certificate information into the request headers sent to the real server, like so:

frontend name_here
    bind ...
    reqadd X-SSL:\ %[ssl_fc]
    reqadd X-SSL-Client-Verify:\ %[ssl_c_verify]
    reqadd X-SSL-Client-SHA1:\ %{+Q}[ssl_c_sha1]
    reqadd X-SSL-Client-DN:\ %{+Q}[ssl_c_s_dn]
    reqadd X-SSL-Client-CN:\ %{+Q}[ssl_c_s_dn(cn)]
    reqadd X-SSL-Issuer:\ %{+Q}[ssl_c_i_dn]
    reqadd X-SSL-Client-Not-Before:\ %{+Q}[ssl_c_notbefore]
    reqadd X-SSL-Client-Not-After:\ %{+Q}[ssl_c_notafter]
    default_backend ...

Note: The %{+Q} ensures the certificate data is inserted as an ASCII string rather than its original binary form (which HTTP does not support).

Here's what each header, and the variable used to populate its value, contains:

  • ssl_fc/X-SSL : whether the client used a secure connection (1) or not (0)

  • ssl_c_verify/X-SSL-Client-Verify : the status code of the SSL client connection (I think 0 is good)

  • ssl_c_sha1/X-SSL-Client-SHA1 : the SHA1 hash of the client certificate

  • ssl_c_s_dn/X-SSL-Client-DN : the full Distinguished Name of the client certificate

  • ssl_c_s_dn(cn)/X-SSL-Client-CN : the full Common Name of the client certificate

  • ssl_c_i_dn/X-SSL-Issuer : the full Distinguished Name of the issuing certificate

  • ssl_c_notbefore/X-SSL-Client-Not-Before : the date from which the client certificate is valid, in this format: YYMMDDhhmmss

  • ssl_c_notafter/X-SSL-Client-Not-After : the date after which the certificate is no longer valid, in this format: YYMMDDhhmmss
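The headers above are only as trustworthy as the path they travelled: the backend must accept them solely from the proxy (enforced at the network layer), and since reqadd appends rather than replaces, a client that sends its own X-SSL-Client-CN header arrives at the backend with two copies. Note also that reqadd was removed in HAProxy 2.1; on current versions the equivalent is `http-request add-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]`, ideally preceded by `http-request del-header X-SSL-Client-CN` so the client cannot pre-seed the header. The following is an added example of backend-side validation, written for this post and not code from the post itself or from HAProxy. It assumes the header names and %{+Q} quoting shown above, that the SHA-1 fingerprint arrives hex-encoded (HAProxy's `hex` converter, `%[ssl_c_sha1,hex]`, produces that), and that the dates are X.509 UTCTime (YYMMDDhhmmss with an optional trailing Z). The sample headers are constructed.

```python
"""Backend-side validation of the X-SSL-* headers added by the HAProxy frontend.

Added example, not the post's own code. Assumes the backend only receives these
headers from the proxy, that the SHA-1 fingerprint is hex-encoded, and that the
dates are X.509 UTCTime. All sample values below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Sequence, Tuple

# (name, value) pairs, the shape most WSGI/ASGI servers hand headers over in.
Headers = Sequence[Tuple[str, str]]


class CertHeaderError(ValueError):
    """The headers do not describe a verified, currently valid client certificate."""


@dataclass(frozen=True)
class ClientCert:
    sha1: str  # lower-case hex fingerprint
    subject_dn: str
    cn: str
    issuer_dn: str
    not_before: datetime
    not_after: datetime


def single_header(headers: Headers, name: str) -> str:
    """Return the one value for `name`, refusing duplicates.

    reqadd appends the proxy's header after any copy the client sent, so reading
    "the first value" would hand control to the client. Unless the proxy strips
    client-supplied copies, a duplicate means tampering, so reject the request.
    """
    values = [v for k, v in headers if k.lower() == name.lower()]
    if len(values) != 1:
        raise CertHeaderError(f"expected exactly one {name} header, got {len(values)}")
    return values[0].strip()


def unquote(value: str) -> str:
    """Undo %{+Q} quoting: surrounding double quotes plus backslash escapes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_utctime(value: str) -> datetime:
    """Parse YYMMDDhhmmss with an optional trailing Z (X.509 UTCTime, always UTC)."""
    digits = value[:-1] if value.endswith("Z") else value
    if len(digits) != 12 or not digits.isdigit():
        raise CertHeaderError(f"malformed certificate date: {value!r}")
    yy = int(digits[:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy  # RFC 5280 two-digit year rule
    try:
        return datetime(year, int(digits[2:4]), int(digits[4:6]), int(digits[6:8]),
                        int(digits[8:10]), int(digits[10:12]), tzinfo=timezone.utc)
    except ValueError as exc:
        raise CertHeaderError(f"malformed certificate date: {value!r}") from exc


def client_cert_from_headers(headers: Headers, now: Optional[datetime] = None) -> ClientCert:
    """Accept the request only if the proxy reports a verified, in-date client cert."""
    now = now or datetime.now(timezone.utc)
    if single_header(headers, "X-SSL") != "1":
        raise CertHeaderError("request did not arrive over TLS")
    verify = single_header(headers, "X-SSL-Client-Verify")
    if verify != "0":  # 0 is OpenSSL's X509_V_OK; anything else is a verification failure
        raise CertHeaderError(f"client certificate verification failed (code {verify})")
    sha1 = unquote(single_header(headers, "X-SSL-Client-SHA1")).lower()
    if len(sha1) != 40 or set(sha1) - set("0123456789abcdef"):
        raise CertHeaderError("client SHA-1 fingerprint is not 40 hex digits")
    not_before = parse_utctime(unquote(single_header(headers, "X-SSL-Client-Not-Before")))
    not_after = parse_utctime(unquote(single_header(headers, "X-SSL-Client-Not-After")))
    if not (not_before <= now <= not_after):
        raise CertHeaderError("client certificate is not valid at the current time")
    return ClientCert(
        sha1=sha1,
        subject_dn=unquote(single_header(headers, "X-SSL-Client-DN")),
        cn=unquote(single_header(headers, "X-SSL-Client-CN")),
        issuer_dn=unquote(single_header(headers, "X-SSL-Issuer")),
        not_before=not_before,
        not_after=not_after,
    )


# Constructed sample: what the backend sees after the proxy added its headers.
SAMPLE_HEADERS: Headers = [
    ("Host", "app.example.test"),
    ("X-SSL", "1"),
    ("X-SSL-Client-Verify", "0"),
    ("X-SSL-Client-SHA1", '"0123456789abcdef0123456789abcdef01234567"'),
    ("X-SSL-Client-DN", '"/C=GB/O=Example Ltd/CN=alice"'),
    ("X-SSL-Client-CN", '"alice"'),
    ("X-SSL-Issuer", '"/C=GB/O=Example Ltd/CN=Example Client CA"'),
    ("X-SSL-Client-Not-Before", '"160101000000Z"'),
    ("X-SSL-Client-Not-After", '"170101000000Z"'),
]
SAMPLE_NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)  # constructed "current" time

if __name__ == "__main__":
    cert = client_cert_from_headers(SAMPLE_HEADERS, now=SAMPLE_NOW)
    print(f"accepted {cert.cn} ({cert.sha1}) issued by {cert.issuer_dn}")
```

Running the module accepts the constructed "alice" certificate; the same headers with a second, client-supplied X-SSL-Client-CN, with a non-zero verify code, or evaluated after the Not-After date are rejected with CertHeaderError, which is the outcome a backend should default to whenever the proxy's assertions are incomplete or contradictory.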

© 2015 - 2016 Some Guy. All rights reserved.