[diff] httpd: pass through dn from tls client cert to fcgi
On Thu, Apr 30, 2026 at 03:26:20PM +0930, Jack Burton wrote:
> On Wed, 29 Apr 2026 21:49:29 +0200
> Jan Klemkow <jan@openbsd.org> wrote:
> > I also like this feature and also thought about it in the past.
> >
> > But, I guess a certificate where the subject is NULL, may crash the
> > httpd?
>
> Interesting. Well caught. I hadn't thought of that, as it makes no
> sense at all to have a *client* certificate without a subject field.
> Nevertheless, RFC 5280 does not prohibit it, so I guess it's possible
> and therefore it makes sense to check for it.

In this scenario it does not matter if it is legal or not to have a
subject-less client certificate. The important question is: can an
attacker craft a certificate which leads to NULL in ->subject, which he
can use to DoS the httpd?