Document peer certificate fingerprinting
cmouse committed Jan 8, 2025
1 parent 842a8ce commit e938026
Showing 3 changed files with 16 additions and 0 deletions.
1 change: 1 addition & 0 deletions .github/actions/spelling/allow.txt
@@ -1,6 +1,7 @@
bitmask
bitmasks
configurations
ccert
DOkv
ede
github
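Review bot: `ccert` is inserted between `configurations` and `DOkv`, which breaks the case-insensitive alphabetical order the surrounding entries follow (`bitmask`, `bitmasks`, `configurations`, ...); move it above `configurations` so future additions to allow.txt merge cleanly.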
11 changes: 11 additions & 0 deletions data/settings.js
@@ -10209,6 +10209,17 @@ The most common choices are \`commonName\` and \`x500UniqueIdentifier\`.
Note: [[setting,auth_ssl_username_from_cert]] MUST be enabled.`
},

ssl_peer_certificate_fingerprint_hash: {
default: '',
seealso: [ 'ssl', '[[link,ssl_configuration]]' ],
values: setting_types.STRING,
text: `
An OpenSSL digest algorithm name to use to hash peer certificate names.
Setting this value enables \`ssl_ccert_fp\` and \`ssl_ccert_pubkey_fp\`
availability in [[setting,login_log_format_elements]] and also in authentication
variables. Weak algorithms are explicitly blacklisted, such as MD5.`,
},

ssl_cipher_list: {
default: 'ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH (for ssl_server, empty for ssl_client)',
seealso: [ 'ssl', 'ssl_cipher_suites', 'ssl_min_protocol', '[[link,ssl_configuration]]' ],
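Review bot: the sentence `An OpenSSL digest algorithm name to use to hash peer certificate names.` misdescribes the setting: the variables it enables, `ssl_ccert_fp` and `ssl_ccert_pubkey_fp`, are fingerprints of the client certificate and of its public key, not of certificate names. Suggest `An OpenSSL digest algorithm name (for example sha256) used to fingerprint the peer certificate and its public key.` The closing sentence `Weak algorithms are explicitly blacklisted, such as MD5.` should also list which algorithms are rejected and what happens when one is configured (a configuration error at startup, or the setting being ignored), since an operator has to know that before relying on the fingerprint for authentication.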
4 changes: 4 additions & 0 deletions docs/core/settings/variables.md
@@ -288,6 +288,8 @@ See also:
| `ssl_security` | TLS session security string. If HAProxy is configured and it terminated the TLS connection, contains "(proxied)". |
| `ssl_ja3` | [[link,ssl_ja3]] composed from TLS Client Hello. |
| `ssl_ja3_hash` | MD5 hash from [[link,ssl_ja3]] composed from TLS Client Hello. |
| `ssl_ccert_fp` | [[setting,ssl_peer_certificate_fingerprint_hash]] of client certificate. |
| `ssl_ccert_pubkey_fp` | [[setting,ssl_peer_certificate_fingerprint_hash]] of client certificate public key. |
| `mail_pid` | PID for process that handles the mail session post-login. |
| `original_user` | Same as `user`, except using the original username the client sent before any changes by auth process. With master user logins (also with [[setting,auth_master_user_separator]] based logins),this contains only the original master username. |
| `listener` | Socket listener name as specified in config file, which accepted the client connection. |
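Review bot: the new rows read `[[setting,ssl_peer_certificate_fingerprint_hash]] of client certificate`, which puts a setting reference where the noun should be, so the rendered row says the setting itself is the value. Follow the `ssl_ja3_hash` row directly above and name the value: `Fingerprint of the client certificate, computed with the digest configured in [[setting,ssl_peer_certificate_fingerprint_hash]]`, and `Fingerprint of the client certificate's public key, computed with ...` for `ssl_ccert_pubkey_fp`. The rows should also say what the variable contains when the setting is unset or no client certificate was presented, and how the digest is encoded (for example lowercase hex), because log parsers and auth rules will key on that format.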
@@ -323,6 +325,8 @@ See also:
| `password` | Cleartext password from cleartext authentication mechanism. |
| `secured` | "TLS" with established SSL/TLS connections, "secured" with secured connections (see: [[setting,ssl]]). Otherwise empty. |
| `ssl_ja3_hash` | MD5 hash from JA3 string composed from TLS Client Hello. |
| `ssl_ccert_fp` | [[setting,ssl_peer_certificate_fingerprint_hash]] of client certificate. |
| `ssl_ccert_pubkey_fp` | [[setting,ssl_peer_certificate_fingerprint_hash]] of client certificate public key. |
| `cert` | "valid" if client had sent a valid client certificate, otherwise empty. |
| `login_user` | For master user logins: Logged in user@domain. |
| `master_user` | For master user logins: The master username. |
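Review bot: these two rows copy the wording of the rows added in the `@@ -288` hunk and have the same problem, so the same rewording applies here. This table is also where the `cert` variable lives (`"valid" if client had sent a valid client certificate, otherwise empty`), which makes it the right place to state whether `ssl_ccert_fp` and `ssl_ccert_pubkey_fp` are populated only when `cert` is "valid" or for any certificate the client presented, valid or not; that distinction matters to anyone using the fingerprint in authentication decisions.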
