From: Nick Porter Date: Mon, 24 Nov 2025 09:46:54 +0000 (+0000) Subject: Add client_hello_parse option to enable extraction of Client Hello data X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=454bcb1d4e297b6ea01c72c50d22a2eb81bcdf1c;p=thirdparty%2Ffreeradius-server.git Add client_hello_parse option to enable extraction of Client Hello data --- diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap index 562ad3e4d8f..9488c3d002a 100644 --- a/raddb/mods-available/eap +++ b/raddb/mods-available/eap @@ -625,6 +625,17 @@ eap { # ecdh_curve = prime256v1 + # + # client_hello_parse:: Extract attributes from TLS Client Hello + # + # For logging / diagnostics it can be beneficial to extract + # data from the TLS Client Hello. + # + # These are placed in `session-state` so that they are + # accessible throughout the authentication process. + # +# client_hello_parse = no + # # verify:: Parameters for controlling client cert chain # verification. diff --git a/src/lib/tls/conf-h b/src/lib/tls/conf-h index 3e881c33ae1..ea5137dd8ba 100644 --- a/src/lib/tls/conf-h +++ b/src/lib/tls/conf-h @@ -183,6 +183,7 @@ struct fr_tls_conf_s { bool verify_certificate; //!< Does the "verify certificate" section exist. bool new_session; //!< Does the "new session" section exist. bool establish_session; //!< Does the "establish session" section exist. + bool client_hello_parse; //!< Should attributes be extracted from Client Hello. }; fr_tls_conf_t *fr_tls_conf_alloc(TALLOC_CTX *ctx); diff --git a/src/lib/tls/conf.c b/src/lib/tls/conf.c index a658fa21ecc..82cca45fb0b 100644 --- a/src/lib/tls/conf.c +++ b/src/lib/tls/conf.c 
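Review bot: The new comment block for `client_hello_parse` says the extracted data is placed in `session-state` but never says which attributes are produced, nor that the values come from the peer before it has authenticated; an administrator enabling this for policy rather than logging needs both facts. I would extend the block with two lines, `#  The values are taken from the unauthenticated peer's Client Hello` and `#  and should be treated as untrusted input in policy.`, and list the attribute names the parser emits (not visible in this commit) after the `session-state` sentence. The `conf-h` hunk on the same line is a plain field addition and needs nothing.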
@@ -196,6 +196,8 @@ conf_parser_t fr_tls_server_config[] = { { FR_CONF_OFFSET("tls_min_version", fr_tls_conf_t, tls_min_version), .dflt = "1.2" }, + { FR_CONF_OFFSET("client_hello_parse", fr_tls_conf_t, client_hello_parse )}, + { FR_CONF_OFFSET_SUBSECTION("session", 0, fr_tls_conf_t, cache, tls_cache_config) }, { FR_CONF_OFFSET_SUBSECTION("verify", 0, fr_tls_conf_t, verify, tls_verify_config) }, diff --git a/src/lib/tls/session.c b/src/lib/tls/session.c index f2a04760271..d8f17992a9d 100644 --- a/src/lib/tls/session.c +++ b/src/lib/tls/session.c @@ -1963,6 +1963,10 @@ fr_tls_session_t *fr_tls_session_alloc_server(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx, SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf); SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_TLS_SESSION, (void *)tls_session); + if (conf->client_hello_parse) { + SSL_CTX_set_client_hello_cb(ssl_ctx, fr_tls_session_client_hello_cb, NULL); + } + tls_session->mtu = conf->fragment_size; if (dynamic_mtu > 100 && dynamic_mtu < tls_session->mtu) { RDEBUG2("Setting fragment_len to %zu from dynamic_mtu", dynamic_mtu);
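Review bot: The new parser entry `{ FR_CONF_OFFSET("client_hello_parse", fr_tls_conf_t, client_hello_parse )},` carries no `.dflt`, while the documentation added to raddb/mods-available/eap in this same commit shows the option defaulting to `no` and the neighbouring `tls_min_version` entry spells its default out. Unless the containing struct is guaranteed zero-initialised (not visible here), an explicit default pins the documented behaviour; it also tidies the stray space before `)` and the missing one before `}`: `{ FR_CONF_OFFSET("client_hello_parse", fr_tls_conf_t, client_hello_parse), .dflt = "no" },`. The enclosing `fr_tls_server_config[]` array starts and ends outside the hunk.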
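Review bot: `SSL_CTX_set_client_hello_cb(ssl_ctx, fr_tls_session_client_hello_cb, NULL);` mutates the shared `SSL_CTX` from inside `fr_tls_session_alloc_server`, which runs once per session, so the callback is re-registered on every allocation and the context is modified while other `SSL` objects created from it may be mid-handshake, which OpenSSL does not document as safe. OpenSSL has no per-`SSL` variant of this callback, so the registration belongs where the `SSL_CTX` is built, guarded by the same `conf->client_hello_parse` check, and the four lines added here can be dropped. The callback receives a NULL `arg`, so presumably it recovers the session through `SSL_get_ex_data` using `FR_TLS_EX_INDEX_TLS_SESSION` set two lines above; `fr_tls_session_client_hello_cb` is not visible here, so that ordering is worth confirming. Whatever it extracts is parsed from an unauthenticated peer before any certificate check, so if the feature is diagnostic the callback should tolerate malformed extensions by returning success rather than failing the handshake. `fr_tls_session_alloc_server` starts and continues outside the hunk.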