emqx / esockd

Erlang general non-blocking TCP/SSL socket server
https://www.emqx.com
Apache License 2.0

Can't get peercert subject name in ppv2 #168

Closed HJianBo closed 3 months ago

HJianBo commented 2 years ago

The spec at https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt does not support the cert Subject Name, but we supported it with Common Name :cry: https://github.com/emqx/esockd/blob/26fffb6caad8f9c9ad6fecc6ac9db232150af39f/src/esockd_peercert.erl#L26-L32

This issue was found while investigating https://github.com/emqx/emqx/issues/9147

zmstone commented 3 months ago

I don't think proxy protocol v2 supports DN (Subject) at all. Below are all the supported subtypes:

        #define PP2_SUBTYPE_SSL_VERSION 0x21
        #define PP2_SUBTYPE_SSL_CN      0x22
        #define PP2_SUBTYPE_SSL_CIPHER  0x23
        #define PP2_SUBTYPE_SSL_SIG_ALG 0x24
        #define PP2_SUBTYPE_SSL_KEY_ALG 0x25

ref: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
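
Added example, not taken from esockd or HAProxy: a minimal C parser for the value of a PP2_TYPE_SSL TLV, showing that the Common Name is the only certificate identity a receiver can recover from the subtypes listed above. The layout (client byte, 32-bit verify field, then sub-TLVs) follows the referenced spec; `struct ssl_info`, `parse_pp2_ssl`, `SAMPLE` and `parsed` are names assumed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PP2_SUBTYPE_SSL_VERSION 0x21
#define PP2_SUBTYPE_SSL_CN      0x22
#define PP2_SUBTYPE_SSL_CIPHER  0x23
#define PP2_SUBTYPE_SSL_SIG_ALG 0x24
#define PP2_SUBTYPE_SSL_KEY_ALG 0x25

struct ssl_info {      /* hypothetical result type for this example */
    uint8_t  client;   /* PP2_CLIENT_* bit field */
    uint32_t verify;   /* 0 = proxy verified the client certificate */
    char     cn[256];  /* the only identity field the TLV can carry */
    int      unknown;  /* sub-TLVs whose subtype is not listed above */
};

/* Constructed sample: client=0x07, verify=0, VERSION="TLSv1.2", CN="client1". */
static const uint8_t SAMPLE[] = { 0x07, 0, 0, 0, 0,
    0x21, 0, 7, 'T','L','S','v','1','.','2',
    0x22, 0, 7, 'c','l','i','e','n','t','1' };
static struct ssl_info parsed;

/* Parse the value of a PP2_TYPE_SSL TLV: client(1) verify(4), then sub-TLVs
 * of type(1) length(2, big endian) value. Returns 0, or -1 if malformed. */
int parse_pp2_ssl(const uint8_t *v, size_t len, struct ssl_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 5) return -1;
    out->client = v[0];
    out->verify = ((uint32_t)v[1] << 24) | ((uint32_t)v[2] << 16) | ((uint32_t)v[3] << 8) | v[4];
    for (size_t off = 5; off < len; ) {
        if (len - off < 3) return -1;              /* truncated sub-TLV header */
        uint8_t type = v[off];
        size_t  n = ((size_t)v[off + 1] << 8) | v[off + 2];
        off += 3;
        if (n > len - off) return -1;              /* length runs past the TLV */
        if (type == PP2_SUBTYPE_SSL_CN) {
            if (n >= sizeof out->cn) return -1;
            memcpy(out->cn, v + off, n); out->cn[n] = '\0';
        } else if (type < PP2_SUBTYPE_SSL_VERSION || type > PP2_SUBTYPE_SSL_KEY_ALG) {
            out->unknown++;                        /* no DN subtype is defined */
        }
        off += n;
    }
    return 0;
}

int main(void) {   /* exit status 0 when the sample parses and the CN matches */
    return parse_pp2_ssl(SAMPLE, sizeof SAMPLE, &parsed) || strcmp(parsed.cn, "client1");
}
```

A receiver should treat the CN as authenticated only when `verify` is 0, since the value is whatever the proxy placed in the header.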