string encoding. With contributions from Andriy Palamarchuk
(Amazon.com).
2020/03/05 - added the unique ID TLV type (Tim Düsterhus)
-
+ 2025/09/09 - added SSL-related TLVs for key exchange group and signature
+ scheme (Steven Collison)
1. Background
The following types have already been registered for the <type> field :
- #define PP2_TYPE_ALPN 0x01
- #define PP2_TYPE_AUTHORITY 0x02
- #define PP2_TYPE_CRC32C 0x03
- #define PP2_TYPE_NOOP 0x04
- #define PP2_TYPE_UNIQUE_ID 0x05
- #define PP2_TYPE_SSL 0x20
- #define PP2_SUBTYPE_SSL_VERSION 0x21
- #define PP2_SUBTYPE_SSL_CN 0x22
- #define PP2_SUBTYPE_SSL_CIPHER 0x23
- #define PP2_SUBTYPE_SSL_SIG_ALG 0x24
- #define PP2_SUBTYPE_SSL_KEY_ALG 0x25
- #define PP2_TYPE_NETNS 0x30
+ #define PP2_TYPE_ALPN 0x01
+ #define PP2_TYPE_AUTHORITY 0x02
+ #define PP2_TYPE_CRC32C 0x03
+ #define PP2_TYPE_NOOP 0x04
+ #define PP2_TYPE_UNIQUE_ID 0x05
+ #define PP2_TYPE_SSL 0x20
+ #define PP2_SUBTYPE_SSL_VERSION 0x21
+ #define PP2_SUBTYPE_SSL_CN 0x22
+ #define PP2_SUBTYPE_SSL_CIPHER 0x23
+ #define PP2_SUBTYPE_SSL_SIG_ALG 0x24
+ #define PP2_SUBTYPE_SSL_KEY_ALG 0x25
+ #define PP2_SUBTYPE_SSL_GROUP 0x26
+ #define PP2_SUBTYPE_SSL_SIG_SCHEME 0x27
+ #define PP2_TYPE_NETNS 0x30
2.2.1 PP2_TYPE_ALPN
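Review bot: the twelve pre-existing #define lines, from PP2_TYPE_ALPN 0x01 through PP2_TYPE_NETNS 0x30, are deleted and re-added with no visible difference, so this hunk is presumably a whitespace or column-alignment rewrite of the whole block. If only indentation changed, either drop that part or split it into its own commit, so that the functional content of the hunk is just the two new lines `#define PP2_SUBTYPE_SSL_GROUP 0x26` and `#define PP2_SUBTYPE_SSL_SIG_SCHEME 0x27`; as it stands, a reader of the history cannot tell whether one of the existing values was altered. The two new values themselves are fine: they continue the 0x21-0x25 SSL sub-type sequence contiguously and stay below PP2_TYPE_NETNS.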
frontend when the incoming connection was made over an SSL/TLS transport layer,
for example "RSA2048".
+The second level TLV PP2_SUBTYPE_SSL_GROUP provides the US-ASCII string name of
+the key exchange algorithm used for the frontend TLS connection, for example
+"secp256r1".
+
+The second level TLV PP2_SUBTYPE_SSL_SIG_SCHEME provides the US-ASCII string
+name of the algorithm the frontend used to sign the ServerKeyExchange or
+CertificateVerify message, for example "rsa_pss_rsae_sha256".
+
In all cases, the string representation (in UTF8) of the Common Name field
(OID: 2.5.4.3) of the client certificate's Distinguished Name, is appended
using the TLV format and the type PP2_SUBTYPE_SSL_CN. E.g. "example.com".
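Review bot: neither of the two new paragraphs says what the sender does when the value does not exist, and both can legitimately be absent on a valid TLS connection: a TLS 1.2 static RSA key exchange has no key exchange group and no handshake signature at all (no ServerKeyExchange is sent), and a TLS 1.3 PSK-only resumption has no CertificateVerify. State explicitly that the sub-TLV is omitted in those cases rather than sent with an empty value, so receivers are not left to guess. Two wording points as well: for PP2_SUBTYPE_SSL_GROUP, "secp256r1" is the name of the negotiated group (the TLS NamedGroup, a curve or finite-field DH group), not "the key exchange algorithm", so say "key exchange group" as the changelog entry already does; for PP2_SUBTYPE_SSL_SIG_SCHEME, say that this is the signature over the handshake (ServerKeyExchange in TLS 1.2, CertificateVerify in TLS 1.3) and not the signature algorithm of the frontend's certificate, so readers do not confuse it with the neighbouring PP2_SUBTYPE_SSL_SIG_ALG. Naming the source of the strings (the IANA NamedGroup and SignatureScheme names as reported by the TLS library) would also make the values predictable across implementations.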