
From:
Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject:
Re: [diff] httpd: pass through dn from tls client cert to fcgi
To:
Jack Burton <jack@saosce.com.au>
Cc:
Jan Klemkow <jan@openbsd.org>, tech@openbsd.org
Date:
Thu, 30 Apr 2026 10:36:10 +0200

On Thu, Apr 30, 2026 at 03:26:20PM +0930, Jack Burton wrote:
> On Wed, 29 Apr 2026 21:49:29 +0200
> Jan Klemkow <jan@openbsd.org> wrote:
> > I also like this feature and also thought about it in the past.
> > 
> > But, I guess a certificate where the subject is NULL, may crash the
> > httpd?
> 
> Interesting.  Well caught.  I hadn't thought of that, as it makes no
> sense at all to have a *client* certificate without a subject field.
> Nevertheless, RFC 5280 does not prohibit it, so I guess it's possible
> and therefore it makes sense to check for it.
> 
> 
> > tls_peer_cert_subject() can return NULL and fcgi_add_param() does an
> > unchecked memcpy(3) with it.  So, you have to check for a NULL before
> > calling fcgi_add_param().
> 
> Actually fcgi_add_param() would blow up even earlier than that, in the
> call to strlen(3) when initialising val_len.
> 
> I toyed briefly with the idea of putting the check in fcgi_add_param()
> instead to make it more general ... but a quick scan of server_fcgi.c
> shows nowhere else where val might be passed in as NULL, so I've gone
> with your suggestion instead.
> 
> How's this?
> 
> Index: httpd.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
> diff -u -p -r1.129 httpd.conf.5
> --- httpd.conf.5	18 Jan 2026 16:38:02 -0000	1.129
> +++ httpd.conf.5	30 Apr 2026 05:45:07 -0000
> @@ -453,6 +453,14 @@ The revision of the HTTP specification u
>  .It Ic SERVER_SOFTWARE
>  The server software name of
>  .Xr httpd 8 .
> +.It Ic TLS_PEER_SUBJECT
> +The subject
> +.Pq distinguished name
> +of the TLS client certificate
> +.Po
> +omitted when certificate has no subject field or
> +TLS client verification is not in use
> +.Pc .
>  .It Ic TLS_PEER_VERIFY
>  A variable that is set to a comma separated list of TLS client verification
>  features in use
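Review bot: the added .Po ... .Pc parenthetical is missing an article; "omitted when certificate has no subject field" reads better as "omitted when the certificate has no subject field or TLS client verification is not in use". Since this sentence documents the NULL-subject case as "omitted" rather than as an error, keep it in step with whatever server_fcgi.c finally does when tls_peer_cert_subject() returns NULL.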
> Index: server_fcgi.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
> diff -u -p -r1.100 server_fcgi.c
> --- server_fcgi.c	2 Mar 2026 19:24:58 -0000	1.100
> +++ server_fcgi.c	30 Apr 2026 05:45:07 -0000
> @@ -34,6 +34,8 @@
>  #include <event.h>
>  #include <unistd.h>
>  
> +#include <tls.h>
> +
>  #include "httpd.h"
>  #include "http.h"
>  #include "log.h"
> @@ -99,7 +101,7 @@ server_fcgi(struct httpd *env, struct cl
>  	size_t				 scriptlen;
>  	int				 pathlen;
>  	int				 fd = -1, ret;
> -	const char			*stripped, *alias, *errstr = NULL;
> +	const char			*stripped, *alias, *dn, *errstr = NULL;
>  	char				*query_alias, *str, *script = NULL;
>  
>  	if ((fd = socket(srv_conf->fastcgi_ss.ss_family,
> @@ -272,6 +274,14 @@ server_fcgi(struct httpd *env, struct cl
>  		    TLSFLAG_BITS), clt) == -1) {
>  			errstr = "failed to encode param";
>  			goto fail;
> +		}
> +		if (tls_peer_cert_provided(clt->clt_tls_ctx)) {
> +			dn = tls_peer_cert_subject(clt->clt_tls_ctx);
> +			if (dn != NULL && fcgi_add_param(&param,
> +			    "TLS_PEER_SUBJECT", dn, clt) == -1) {
> +				errstr = "failed to encode param";
> +				goto fail;
> +			}
>  		}
>  	}
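Review bot: folding `dn != NULL &&` into the fcgi_add_param() condition makes a NULL subject silently skip the parameter (the `&&` short-circuits, so the body and its `goto fail` are never reached), which matches the manual page's "omitted" wording but is easy to misread as an error path. Making the intent explicit avoids that ambiguity, e.g.
			if (dn != NULL) {
				if (fcgi_add_param(&param, "TLS_PEER_SUBJECT", dn, clt) == -1) {
or a one-line comment stating that a missing subject is deliberately not an error. The block sits just after the TLSFLAG_BITS parameter is encoded, so clt->clt_tls_ctx should already be valid on this path; worth confirming tls_peer_cert_provided() is only reached when it is.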

Is it really an error if dn == NULL or should the code simply omit adding
the TLS_PEER_SUBJECT?

-- 
:wq Claudio
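The NULL-subject hazard discussed in this thread (strlen(3)/memcpy(3) on a NULL value inside a FastCGI parameter encoder), worked as an added example; this is not code from httpd, nor from the patch above. It is a small standalone encoder for FastCGI name-value pairs (one-byte length prefix below 128, four-byte big-endian prefix with the top bit set otherwise) that treats a NULL value as "omit the parameter" instead of dereferencing it. The function names fcgi_encode_param, fcgi_get_len and fcgi_roundtrip are hypothetical and are not httpd's fcgi_add_param(); the subject string in main() is constructed rather than taken from tls_peer_cert_subject().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Write a FastCGI name-value length prefix: one byte below 128, else four
 * bytes big-endian with the high bit of the first byte set.
 */
static size_t
fcgi_put_len(unsigned char *p, size_t len)
{
	if (len < 128) {
		p[0] = (unsigned char)len;
		return 1;
	}
	p[0] = (unsigned char)(((len >> 24) & 0x7f) | 0x80);
	p[1] = (unsigned char)((len >> 16) & 0xff);
	p[2] = (unsigned char)((len >> 8) & 0xff);
	p[3] = (unsigned char)(len & 0xff);
	return 4;
}

/*
 * Append NAME=VALUE to buf. Returns bytes written, 0 when val is NULL (the
 * parameter is omitted, nothing is touched) or -1 when the pair does not fit.
 * Hypothetical helper, not httpd's fcgi_add_param().
 */
ssize_t
fcgi_encode_param(unsigned char *buf, size_t buflen,
    const char *name, const char *val)
{
	unsigned char lens[8];
	size_t name_len, val_len, hdr_len, total;

	if (name == NULL)
		return -1;
	if (val == NULL)
		return 0;	/* missing value: omit, do not strlen(NULL) */
	name_len = strlen(name);
	val_len = strlen(val);
	if (name_len > 0x7fffffff || val_len > 0x7fffffff)
		return -1;
	hdr_len = fcgi_put_len(lens, name_len);
	hdr_len += fcgi_put_len(lens + hdr_len, val_len);
	total = hdr_len + name_len + val_len;
	if (total > buflen)
		return -1;
	memcpy(buf, lens, hdr_len);
	memcpy(buf + hdr_len, name, name_len);
	memcpy(buf + hdr_len + name_len, val, val_len);
	return (ssize_t)total;
}

/* Decode one length prefix; returns prefix bytes consumed or -1 if truncated. */
ssize_t
fcgi_get_len(const unsigned char *p, size_t avail, size_t *out)
{
	if (avail < 1)
		return -1;
	if ((p[0] & 0x80) == 0) {
		*out = p[0];
		return 1;
	}
	if (avail < 4)
		return -1;
	*out = ((size_t)(p[0] & 0x7f) << 24) | ((size_t)p[1] << 16) |
	    ((size_t)p[2] << 8) | p[3];
	return 4;
}

/*
 * Encode a synthetic value of val_len bytes under TLS_PEER_SUBJECT, decode
 * both length prefixes again and return the encoded size, or -1 on mismatch.
 */
ssize_t
fcgi_roundtrip(size_t val_len)
{
	static unsigned char buf[1024];
	static char val[1024];
	size_t nlen, vlen;
	ssize_t n, a, b;

	if (val_len >= sizeof(val))
		return -1;
	memset(val, 'x', val_len);
	val[val_len] = '\0';
	if ((n = fcgi_encode_param(buf, sizeof(buf), "TLS_PEER_SUBJECT", val)) < 0)
		return -1;
	if ((a = fcgi_get_len(buf, (size_t)n, &nlen)) < 0)
		return -1;
	if ((b = fcgi_get_len(buf + a, (size_t)(n - a), &vlen)) < 0)
		return -1;
	if (nlen != 16 || vlen != val_len ||
	    (size_t)n != (size_t)(a + b) + nlen + vlen)
		return -1;
	return n;
}

int
main(void)
{
	unsigned char buf[512];
	/* Constructed sample subject, not a real tls_peer_cert_subject() value. */
	const char *dn = "/C=AU/O=Example/CN=alice";

	printf("with subject: %zd bytes\n",
	    fcgi_encode_param(buf, sizeof(buf), "TLS_PEER_SUBJECT", dn));
	printf("NULL subject: %zd bytes (parameter omitted)\n",
	    fcgi_encode_param(buf, sizeof(buf), "TLS_PEER_SUBJECT", NULL));
	return 0;
}
```

The NULL check sits in the encoder's contract (return 0, write nothing) so every caller gets the "omit" behaviour for free; the thread's alternative of checking at the call site works too, but then each new caller has to remember it.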