expose tls-unique value
January 21, 2020 08:09AM
TLS connections have a unique identifier called the tls-unique value. This is the content of the last Finished message in the TLS handshake. I would like the tls-unique value to be exposed for SSL connections. So next to e.g. $ssl_client_escaped_cert, I would like to have a variable $ssl_tls_escaped_unique_value so that I can put it into a proxy header.

I suggest urlencoding the value.

Use case:

Implementing RFC-7030 EST requires knowledge of the TLS-unique value of the associated TLS connection. https://tools.ietf.org/html/rfc7030#section-3.5

I would like to implement this protocol behind an NGINX reverse proxy, and I want NGINX to do the TLS termination. Currently I cannot do that because while NGINX does expose the ssl client certificate, it does not yet expose the tls-unique value of the connection.
Re: expose tls-unique value
July 14, 2023 08:08AM
I would also like this feature, for exactly the same reason.
Re: expose tls-unique value
July 18, 2023 08:29AM
Also note that tls-unique is to be Base64-encoded. Additional URL encoding should not be necessary.
Re: expose tls-unique value
December 15, 2023 02:12AM
I have submitted a patch to the nginx-devel mailing list to expose the last Finished message as returned from OpenSSL SSL_get_peer_finished() as a new configuration variable, $ssl_client_tls_bind.

The value returned in this variable may be used in TLS channel binding operations as described in RFC 5929 (TLSv1.2) and RFC 9266 (TLSv1.3).