TLS connections have a unique identifier called the tls-unique value. This is the content of the last Finished message in the TLS handshake. I would like the tls-unique value to be exposed for SSL connections. So next to e.g. $ssl_client_escaped_cert, I would like to have a variable $ssl_tls_escaped_unique_value so that I can put it into a proxy header.

I suggest urlencoding the value.


Use case:

Implementing RFC-7030 EST requires knowledge of the TLS-unique value of the associated TLS connection. https://tools.ietf.org/html/rfc7030#section-3.5


I would like to implement this protocol behind an NGINX reverse proxy, and I want NGINX to do the TLS termination. Currently I cannot do that because while NGINX does expose the ssl client certificate, it does not yet expose the tls-unique value of the connection.

I would also like this feature, for exactly the same reason.

Also note that tls-unique is to be Base64-encoded. Additional URL encoding should not be necessary.

I have submitted a patch to the nginx-devel mailing list to expose the last Finished message as returned from OpenSSL SSL_get_peer_finished() as a new configuration variable, $ssl_client_tls_bind.

The value returned in this variable may be used in TLS channel binding operations as described in RFC 5929 (TLSv1.2) and RFC 9266 (TLSv1.3).