Identify TLS client authentication


The tls.client_auth.mode option can make TLS client authentication optional.
Is there a way to distinguish authenticated request and unauthenticated request?

For example, something like Request Matchers.

Looks like the JSON docs are currently down (because they’re dynamically generated, and the API backend is down), so I’ll copy the table from the code that contains the list of placeholders that are available for TLS information:

Placeholder Description
{http.request.tls.version} The TLS version name
{http.request.tls.cipher_suite} The TLS cipher suite
{http.request.tls.resumed} The TLS connection resumed a previous connection
{http.request.tls.proto} The negotiated next protocol
{http.request.tls.proto_mutual} The negotiated next protocol was advertised by the server
{http.request.tls.server_name} The server name requested by the client, if any
{http.request.tls.client.fingerprint} The SHA256 checksum of the client certificate
{http.request.tls.client.public_key} The public key of the client certificate.
{http.request.tls.client.public_key_sha256} The SHA256 checksum of the client’s public key.
{http.request.tls.client.issuer} The issuer DN of the client certificate
{http.request.tls.client.serial} The serial number of the client certificate
{http.request.tls.client.subject} The subject DN of the client certificate
{http.request.tls.client.san.dns_names.*} SAN DNS names(index optional)
{http.request.tls.client.san.emails.*} SAN email addresses (index optional)
{http.request.tls.client.san.ips.*} SAN IP addresses (index optional)
{http.request.tls.client.san.uris.*} SAN URIs (index optional)

You could pair any of these placeholders with an expression matcher to match on any of this information. You could have a whitelist of subject names or fingerprints and check whether the placeholder is contained in that list.

I don’t think there’s a boolean “client authenticated” placeholder, but that could probably be added quite easily.

/cc @matt

1 Like

Fixed the docs… the CockroachDB process died again.

This topic was automatically closed after 30 days. New replies are no longer allowed.