From: Jack Burton Subject: [diff] httpd: pass through dn from tls client cert to fcgi To: tech@openbsd.org Date: Sun, 1 Mar 2026 00:21:14 +1030 Expose the client cert DN (as TLS_PEER_SUBJECT) to fastcgi responders, so that TLS client certs can be used for authorisation (not just for authentication). This is a scaled-down version of a patch I proposed some years ago[1]. That version also passed through the {issuer,serial} tuple (that identifies any certificate uniquely), which made it rather more intrusive ... and I assume that's why it wasn't accepted at the time. All the recent activity in httpd reminded me that I should really get around to having another go at getting it in the tree. Today's version passes through only the DN, which I'm hoping makes it unobtrusive enough to consider. That's the bare minimum to make TLS clients certs usable by fastcgi responders for authorisation purposes and will suffice in most scenarios, as it identifies the entity to whom the certificate was issued. It does *not* differentiate between multiple valid client certs issued to the same entity (whereas the patch in [1] did) ... but in the real world the proportion of authorisation processes that genuinely need to care about such things is fairly low (identifying the entity is usually enough to make an authorisation decision). Thoughts? [1] https://marc.info/?l=openbsd-tech&m=153112641425436&w=2 Index: usr.sbin/httpd/httpd.conf.5 =================================================================== RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v diff -u -p -r1.129 httpd.conf.5 --- usr.sbin/httpd/httpd.conf.5 18 Jan 2026 16:38:02 -0000 1.129 +++ usr.sbin/httpd/httpd.conf.5 28 Feb 2026 12:52:15 -0000 @@ -453,6 +453,11 @@ The revision of the HTTP specification u .It Ic SERVER_SOFTWARE The server software name of .Xr httpd 8 . +.It Ic TLS_PEER_SUBJECT +The subject +.Pq distinguished name +of the TLS client certficate +.Pq omitted when TLS client verification is not in use . .It Ic TLS_PEER_VERIFY A variable that is set to a comma separated list of TLS client verification features in use Index: usr.sbin/httpd/server_fcgi.c =================================================================== RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v diff -u -p -r1.99 server_fcgi.c --- usr.sbin/httpd/server_fcgi.c 2 Jan 2026 08:45:16 -0000 1.99 +++ usr.sbin/httpd/server_fcgi.c 28 Feb 2026 12:52:15 -0000 @@ -34,6 +34,8 @@ #include #include +#include + #include "httpd.h" #include "http.h" @@ -269,6 +271,12 @@ server_fcgi(struct httpd *env, struct cl if (srv_conf->tls_flags != 0 && fcgi_add_param(¶m, "TLS_PEER_VERIFY", printb_flags(srv_conf->tls_flags, TLSFLAG_BITS), clt) == -1) { + errstr = "failed to encode param"; + goto fail; + } + if (tls_peer_cert_provided(clt->clt_tls_ctx) && + fcgi_add_param(¶m, "TLS_PEER_SUBJECT", + tls_peer_cert_subject(clt->clt_tls_ctx), clt) == -1) { errstr = "failed to encode param"; goto fail; }