TLS Inspector - Client Certificate Subject extraction


Will Weber

Mar 10, 2022, 4:50:51 PM
to envoy-users
Hey all!

Would it be possible to use a TLS listener filter to provide a match on a TLS-wrapped client connection's SSL subject?

This is a type of pattern that I've used before with logstash, which ended up looking like this in L7 logic[1]. The linked configuration is accepting traffic from an elastic beats input (not the important bit) which will extract the client certificate subject information from incoming connections (the important bit). This information is passed along with all incoming events and is used in a kind of switch statement logic to decide where events will go.

In the same vein, I'm trying to see if it would be possible to use the SSL subject name as a means to route incoming mTLS connections to distinct upstreams.

Thinking along the lines of the SNI example here[2], I feel like it _could_ be possible, using an extracted client certificate's subject name as the content being matched in the "filter_chain_match" section.

Thanks for the time!
Best,
-Will
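Added example (not part of the original post, and not an Envoy project sample): the reason the SNI pattern does not carry over directly is that the TLS inspector listener filter only reads the ClientHello, and `filter_chain_match` supports fields such as `server_names`, `application_protocols`, `transport_protocol` and source/destination address, not the client certificate. The client certificate is only sent after the server's ServerHello, and the filter chain that was selected is what carries the server certificate used to complete that handshake, so the chain must already be chosen before the subject is visible. What does work for HTTP traffic is to terminate mTLS in the filter chain and route per request inside the HTTP connection manager: `forward_client_cert_details: SANITIZE_SET` with `set_current_client_cert_details.subject: true` makes Envoy write the verified peer subject into the `x-forwarded-client-cert` (XFCC) header, which a route can match on. Cluster names, file paths, port and the `O=team-a` / `O=team-b` subject components below are assumptions for illustration.

```yaml
# Added example: route mTLS HTTP requests to different upstreams by client
# certificate subject. Not an official Envoy sample; paths, cluster names and
# the organisation values in the subject regexes are placeholders.
static_resources:
  listeners:
  - name: mtls_ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # Reject connections that do not present a certificate signed by our CA.
          require_client_certificate: true
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/server.crt }   # assumed path
              private_key:       { filename: /etc/envoy/certs/server.key }   # assumed path
            validation_context:
              trusted_ca: { filename: /etc/envoy/certs/client-ca.crt }       # assumed path
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: mtls_ingress
          # SANITIZE_SET discards any XFCC header the client sent and replaces it
          # with details of the certificate Envoy itself verified. Do not use
          # APPEND or FORWARD_ONLY at the edge: a client could then inject a
          # Subject of its choosing and steer its own routing.
          forward_client_cert_details: SANITIZE_SET
          set_current_client_cert_details:
            subject: true
          route_config:
            name: route_by_subject
            virtual_hosts:
            - name: all
              domains: ["*"]
              routes:
              # XFCC looks like: Hash=...;Subject="/C=US/O=team-a/CN=client1"
              # The subject is the OpenSSL one-line form, so anchor on the
              # "/O=..." component rather than a bare substring.
              - match:
                  prefix: "/"
                  headers:
                  - name: x-forwarded-client-cert
                    string_match:
                      safe_regex:
                        google_re2: {}
                        regex: '.*Subject="[^"]*/O=team-a(/[^"]*)?".*'
                route: { cluster: team_a_backend }
              - match:
                  prefix: "/"
                  headers:
                  - name: x-forwarded-client-cert
                    string_match:
                      safe_regex:
                        google_re2: {}
                        regex: '.*Subject="[^"]*/O=team-b(/[^"]*)?".*'
                route: { cluster: team_b_backend }
              # No subject match: fail closed rather than falling through to a
              # default upstream.
              - match: { prefix: "/" }
                direct_response: { status: 403 }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: team_a_backend
    connect_timeout: 1s
    type: STRICT_DNS
    load_assignment:
      cluster_name: team_a_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: team-a.internal, port_value: 8080 }   # assumed
  - name: team_b_backend
    connect_timeout: 1s
    type: STRICT_DNS
    load_assignment:
      cluster_name: team_b_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: team-b.internal, port_value: 8080 }   # assumed
```

Two caveats for anyone adapting this. First, it is per-request routing after TLS termination, not a per-connection filter-chain choice; for raw TCP passthrough there is no equivalent `filter_chain_match` key for the peer certificate. Second, the routing decision is only as trustworthy as the `validation_context` that verified the certificate, so keep `require_client_certificate: true` and a tightly scoped `trusted_ca`, and treat the subject components you match on (here `O=`) as something the CA, not the client, controls.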
