+∞ … though the downside is that they're somewhat annoying to deal with in reverse proxy situations, e.g. large clouds where TLS termination is a separate service in front.
(You'd need to stick the DN in a trusted header, similar to the original IP address in X-Forwarded-For:)
(You'd need to stick the DN in a trusted header, similar to the original IP address in X-Forwarded-For:)