On 01/21/2015 11:37 PM, Phillip Decker wrote:
Hello,

I'm writing with regard to the current delimiter used when haproxy passes the DN as one line from an SSL cert along in the headers to backend servers. Right now, that seems to be hardcoded to a '/' in the ssl_sock.c file, in function ssl_sock_get_dn_oneline(...) on approximately file line 2545:

*(p++)='/';

Would anyone mind if we made that a configurable value? We have multiple servers which are expecting the DN entries to be delimited with a comma, ',' as per RFC 1779 (part 2.2 - page two).

I'm willing to take a stab at it and submit the diffs, but I acknowledge that I'm new to this community, and I'm not sure of the customs/convention.

Have a great afternoon everyone!
Phillip

Indeed, ssl_sock_get_dn_oneline outputs the same string as the OpenSSL function X509_NAME_oneline.
If you want to output an RFC 1779 format, you will have to handle more than the separator.
For instance, some fields could contain a comma, so you have to escape it or quote the value.
So in my opinion, you will have to code a new fetch keyword, and it must escape special chars in values (see RFC 1779 2.2 <special> and <pair>).
R, Emeric
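
The escaping requirement raised in the reply above, as an added example (not HAProxy code and not written by either poster): a stand-alone C formatter that joins DN attributes with ", " and backslash-escapes the RFC 1779 2.2 <special> characters, backslash and double quote in each value, so a comma inside a value cannot be read by a backend as a field separator. The `struct dn_attr` type and the `dn_format_rfc1779` name are hypothetical, and attribute keys are assumed to be valid already.

```c
#include <stdio.h>
#include <string.h>

/* One DN attribute (hypothetical type for this example). */
struct dn_attr { const char *key, *val; };

/* RFC 1779 2.2: <special>, plus backslash and double quote from <pair>. */
static int needs_escape(char c)
{
    return c != '\0' && strchr(",=\r+<>#;\\\"", c) != NULL;
}

/* Write attrs[0..n-1] to out as "key=value, key=value" in the order given,
 * backslash-escaping value characters as a <pair>. Keys are assumed valid.
 * Returns the string length, or -1 if out (size bytes) is too small. */
int dn_format_rfc1779(const struct dn_attr *attrs, size_t n,
                      char *out, size_t size)
{
    size_t pos = 0;

    if (size == 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(out + pos, size - pos, "%s%s=",
                         i ? ", " : "", attrs[i].key);
        if (w < 0 || (size_t)w >= size - pos)
            return -1;
        pos += (size_t)w;
        for (const char *v = attrs[i].val; *v; v++) {
            if (size - pos < 3)   /* room for '\\', the char and NUL */
                return -1;
            if (needs_escape(*v))
                out[pos++] = '\\';
            out[pos++] = *v;
        }
    }
    out[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    /* Constructed sample: the O value contains a comma. */
    const struct dn_attr dn[] = {
        {"CN", "Jane Doe"}, {"O", "Example, Inc."}, {"C", "US"} };
    char buf[128];
    if (dn_format_rfc1779(dn, 3, buf, sizeof(buf)) >= 0)
        puts(buf);
    return 0;
}
```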

