TLS connections have a unique identifier called the tls-unique value. This is the content of the last Finished message in the TLS handshake. I would like the tls-unique value to be exposed for SSL connections. So next to e.g. $ssl_client_escaped_cert, I would like to have a variable $ssl_tls_escaped_unique_value so that I can put it into a proxy header.
I suggest urlencoding the value.
Use case:
Implementing RFC-7030 EST requires knowledge of the TLS-unique value of the associated TLS connection. https://tools.ietf.org/html/rfc7030#section-3.5
I would like to implement this protocol behind an NGINX reverse proxy, and I want NGINX to do the TLS termination. Currently I cannot do that because while NGINX does expose the ssl client certificate, it does not yet expose the tls-unique value of the connection.