Quick ping.

Any further thoughts on this?

On Sun, 1 Mar 2026 00:21:14 +1030
Jack Burton <jack@saosce.com.au> wrote:

> Expose the client cert DN (as TLS_PEER_SUBJECT) to fastcgi responders,
> so that TLS client certs can be used for authorisation (not just for
> authentication).
> 
> This is a scaled-down version of a patch I proposed some years ago[1].
> That version also passed through the {issuer,serial} tuple (that
> identifies any certificate uniquely), which made it rather more
> intrusive ... and I assume that's why it wasn't accepted at the time.
> 
> All the recent activity in httpd reminded me that I should really
> get around to having another go at getting it in the tree.
> 
> Today's version passes through only the DN, which I'm hoping makes it
> unobtrusive enough to consider.  That's the bare minimum to make TLS
> clients certs usable by fastcgi responders for authorisation purposes
> and will suffice in most scenarios, as it identifies the entity to
> whom the certificate was issued.
> 
> It does *not* differentiate between multiple valid client certs issued
> to the same entity (whereas the patch in [1] did) ... but in the real
> world the proportion of authorisation processes that genuinely need to
> care about such things is fairly low (identifying the entity is
> usually enough to make an authorisation decision).
> 
> Thoughts?
> 
> [1] https://marc.info/?l=openbsd-tech&m=153112641425436&w=2
> 
> Index: usr.sbin/httpd/httpd.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
> diff -u -p -r1.129 httpd.conf.5
> --- usr.sbin/httpd/httpd.conf.5	18 Jan 2026 16:38:02
> -0000	1.129 +++ usr.sbin/httpd/httpd.conf.5	28 Feb 2026
> 12:52:15 -0000 @@ -453,6 +453,11 @@ The revision of the HTTP
> specification u .It Ic SERVER_SOFTWARE
>  The server software name of
>  .Xr httpd 8 .
> +.It Ic TLS_PEER_SUBJECT
> +The subject
> +.Pq distinguished name
> +of the TLS client certficate
> +.Pq omitted when TLS client verification is not in use .
>  .It Ic TLS_PEER_VERIFY
>  A variable that is set to a comma separated list of TLS client
> verification features in use
> Index: usr.sbin/httpd/server_fcgi.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
> diff -u -p -r1.99 server_fcgi.c
> --- usr.sbin/httpd/server_fcgi.c	2 Jan 2026 08:45:16
> -0000	1.99 +++ usr.sbin/httpd/server_fcgi.c	28 Feb 2026
> 12:52:15 -0000 @@ -34,6 +34,8 @@
>  #include <event.h>
>  #include <unistd.h>
>  
> +#include <tls.h>
> +
>  #include "httpd.h"
>  #include "http.h"
>  
> @@ -269,6 +271,12 @@ server_fcgi(struct httpd *env, struct cl
>  		if (srv_conf->tls_flags != 0 &&
> fcgi_add_param(&param, "TLS_PEER_VERIFY",
> printb_flags(srv_conf->tls_flags, TLSFLAG_BITS), clt) == -1) {
> +			errstr = "failed to encode param";
> +			goto fail;
> +		}
> +		if (tls_peer_cert_provided(clt->clt_tls_ctx) &&
> +		    fcgi_add_param(&param, "TLS_PEER_SUBJECT",
> +		    tls_peer_cert_subject(clt->clt_tls_ctx), clt) ==
> -1) { errstr = "failed to encode param";
>  			goto fail;
>  		}