Index | Thread | Search

From:
Jack Burton <jack@saosce.com.au>
Subject:
Re: [diff] httpd: pass through dn from tls client cert to fcgi
To:
Jan Klemkow <jan@openbsd.org>
Cc:
tech@openbsd.org
Date:
Thu, 30 Apr 2026 15:26:20 +0930

Download raw body.

Thread 
On Wed, 29 Apr 2026 21:49:29 +0200
Jan Klemkow <jan@openbsd.org> wrote:
> I also like this feature and also thought about it in the past.
> 
> But, I guess a certificate where the subject is NULL, may crash the
> httpd?

Interesting.  Well caught.  I hadn't thought of that, as it makes no
sense at all to have a *client* certificate without a subject field.
Nevertheless, RFC 5280 does not prohibit it, so I guess it's possible
and therefore it makes sense to check for it.


> tls_peer_cert_subject() can return NULL and fcgi_add_param() does an
> unchecked memcpy(3) with it.  So, you have to check for a NULL before
> calling fcgi_add_param().

Actually fcgi_add_param() would blow up even earlier than that, in the
call to strlen(3) when initialising val_len.

I toyed briefly with the idea of putting the check in fcgi_add_param()
instead to make it more general ... but a quick scan of server_fcgi.c
shows nowhere else where val might be passed in as NULL, so I've gone
with your suggestion instead.

How's this?

Index: httpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
diff -u -p -r1.129 httpd.conf.5
--- httpd.conf.5	18 Jan 2026 16:38:02 -0000	1.129
+++ httpd.conf.5	30 Apr 2026 05:45:07 -0000
@@ -453,6 +453,14 @@ The revision of the HTTP specification u
 .It Ic SERVER_SOFTWARE
 The server software name of
 .Xr httpd 8 .
+.It Ic TLS_PEER_SUBJECT
+The subject
+.Pq distinguished name
+of the TLS client certificate
+.Po
+omitted when certificate has no subject field or
+TLS client verification is not in use
+.Pc .
 .It Ic TLS_PEER_VERIFY
 A variable that is set to a comma separated list of TLS client verification
 features in use
Index: server_fcgi.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
diff -u -p -r1.100 server_fcgi.c
--- server_fcgi.c	2 Mar 2026 19:24:58 -0000	1.100
+++ server_fcgi.c	30 Apr 2026 05:45:07 -0000
@@ -34,6 +34,8 @@
 #include <event.h>
 #include <unistd.h>
 
+#include <tls.h>
+
 #include "httpd.h"
 #include "http.h"
 #include "log.h"
@@ -99,7 +101,7 @@ server_fcgi(struct httpd *env, struct cl
 	size_t				 scriptlen;
 	int				 pathlen;
 	int				 fd = -1, ret;
-	const char			*stripped, *alias, *errstr = NULL;
+	const char			*stripped, *alias, *dn, *errstr = NULL;
 	char				*query_alias, *str, *script = NULL;
 
 	if ((fd = socket(srv_conf->fastcgi_ss.ss_family,
@@ -272,6 +274,14 @@ server_fcgi(struct httpd *env, struct cl
 		    TLSFLAG_BITS), clt) == -1) {
 			errstr = "failed to encode param";
 			goto fail;
+		}
+		if (tls_peer_cert_provided(clt->clt_tls_ctx)) {
+			dn = tls_peer_cert_subject(clt->clt_tls_ctx);
+			if (dn != NULL && fcgi_add_param(&param,
+			    "TLS_PEER_SUBJECT", dn, clt) == -1) {
+				errstr = "failed to encode param";
+				goto fail;
+			}
 		}
 	}