Description of the problem
I'd like to add metadata to logs from different clients based on which certificate they used to connect.
Proposed solution
Add a new ${.tls.x509} macro with the fingerprint of the certificate. Ideally something more secure than sha-1, see #4976.
For performance reasons, it might make sense to only add that if trusted-keys() is used. For security reasons, it probably makes sense to add that from the exact same calculation that's used to check trusted-keys().
Alternatives
I'm pretty sure I can use .tls.x509_cn since I control the certificates, instead of adding the metadata I want based on the fingerprint. But fingerprints are easier to work with, since I don't have to trust that the host that generated the certificate put the right thing in the CN field.
Additional context
None I can think of.