Hi folks, I'm currently working on coming up with some options to implement a security requirement that makes it necessary for haproxy to force disconnect any clients whose certificate either expires or gets revoked by the CA (via CRL) in the midst of an active TCP connection.
The simple and "brute-force" method of implementing this would be setting up a timeout and forcing the client to reconnect and go through the TLS handshake again to catch this use case. However, we also have use cases where the TCP connection can be long lived (e.g. long-poll/streaming HTTP/gRPC requests and even SSH), and these use cases make the brute-force method problematic for the clients if they aren't able to gracefully handle disconnects. On top of that, given the requirement to support HTTP/2, renegotiation and post-handshake authentication, supported by TLSv1.2 and TLSv1.3 respectively, would not be possible. After delving into the haproxy configuration to see if this is something haproxy can support out of the box (doesn't seem like it, but would love to be proved wrong here), my current thought is that this will require creating a SPOA that's responsible for keeping track of connection sessions, client certificate details like the expiries per session, checking against a CRL, and then having the SPOA use the `shutdown session` runtime API to forcibly disconnect a client. I wanted to ask this to see if there were approaches or tips others had on how this use case could be handled. Thanks in advance!
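The tracking-and-revocation logic sketched in the post, as an added example (not the poster's code and not part of HAProxy or any SPOA library): a small tracker keyed by HAProxy session id that decides which sessions should be dropped because the client certificate has expired or its serial appears in the CA's CRL, and builds the matching `shutdown session` runtime commands. It assumes the SPOE hands the agent the session id plus the `ssl_c_serial` (hex-encoded) and `ssl_c_notafter` sample fetches, that the revoked serials have already been extracted from the CRL elsewhere (CRL parsing is out of scope here), and a stats-socket path of `/var/run/haproxy.sock`; the session ids and serials below are constructed sample data.

```python
# Added example: per-session certificate tracker for an SPOA that terminates
# HAProxy sessions whose client cert has expired or been revoked. Not HAProxy
# code and not the poster's; socket path and sample data are assumptions.
import socket
from dataclasses import dataclass
from datetime import datetime, timezone


def parse_notafter(value: str) -> datetime:
    """Parse the YYMMDDhhmmss[Z] string returned by HAProxy's ssl_c_notafter fetch."""
    return datetime.strptime(value.rstrip("Z"), "%y%m%d%H%M%S").replace(tzinfo=timezone.utc)


@dataclass
class ClientSession:
    session_id: str      # HAProxy session id as shown by "show sess" (used by "shutdown session")
    cert_serial: str     # client certificate serial, lowercase hex without colons
    not_after: datetime  # certificate expiry, UTC


class RevocationTracker:
    """Keeps one record per live session and evaluates expiry / CRL membership."""

    def __init__(self) -> None:
        self._sessions: dict[str, ClientSession] = {}

    def register(self, session_id: str, serial_hex: str, notafter_raw: str) -> None:
        # Called when the SPOE reports a new session with its client cert details.
        self._sessions[session_id] = ClientSession(
            session_id, serial_hex.lower(), parse_notafter(notafter_raw))

    def forget(self, session_id: str) -> None:
        # Called when HAProxy reports the session closed on its own.
        self._sessions.pop(session_id, None)

    def sessions_to_drop(self, now: datetime, revoked_serials) -> list[str]:
        # A session is dropped once its cert is past notAfter or its serial is in the CRL.
        revoked = {s.lower() for s in revoked_serials}
        return sorted(sid for sid, s in self._sessions.items()
                      if s.not_after <= now or s.cert_serial in revoked)

    def shutdown_commands(self, now: datetime, revoked_serials) -> list[str]:
        return [f"shutdown session {sid}" for sid in self.sessions_to_drop(now, revoked_serials)]


def send_runtime_command(command: str, sock_path: str = "/var/run/haproxy.sock") -> str:
    """Send one command to the HAProxy runtime API over its UNIX socket (path is an assumption)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sock_path)
        sock.sendall((command + "\n").encode())
        return sock.recv(4096).decode()


# Constructed sample data: an evaluation time, a revoked-serial set standing in
# for a parsed CRL, and three sessions exercising the three possible outcomes.
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_REVOKED = {"0a1b2c"}


def demo_tracker() -> RevocationTracker:
    tracker = RevocationTracker()
    tracker.register("0x7f3a5c0a1b20", "01ff", "250601120000Z")    # valid and not revoked: kept
    tracker.register("0x7f3a5c0a2c40", "0A1B2C", "250601120000Z")  # unexpired but serial in CRL: dropped
    tracker.register("0x7f3a5c0a3d60", "02ee", "240601115959Z")    # expired one second before SAMPLE_NOW: dropped
    return tracker


if __name__ == "__main__":
    for cmd in demo_tracker().shutdown_commands(SAMPLE_NOW, SAMPLE_REVOKED):
        print(cmd)  # against a live HAProxy: send_runtime_command(cmd)
```

In a real agent the `register`/`forget` calls would be driven by SPOE messages, `sessions_to_drop` would run on a timer and whenever a fresh CRL is loaded, and each command would go through `send_runtime_command`; the expired case is checked with `<=` so a cert is treated as invalid from its notAfter second onward rather than one tick later.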

