From: Jack Burton Subject: Re: [diff] httpd: pass through dn from tls client cert to fcgi To: Rafael Sadowski Cc: tech@openbsd.org Date: Sun, 1 Mar 2026 14:42:14 +1030 On Sat, 28 Feb 2026 17:26:01 +0100 Rafael Sadowski wrote: > On Sun Mar 01, 2026 at 12:21:14AM +1030, Jack Burton wrote: > > Expose the client cert DN (as TLS_PEER_SUBJECT) to fastcgi > > responders, so that TLS client certs can be used for authorisation > > (not just for authentication). ... > > Thoughts? > > Useful! Thanks; good to hear! ... > > +of the TLS client certficate > > s/certficate/certificate/ Well caught. Thanks. Here's an updated diff with that typo fixed. Index: usr.sbin/httpd/httpd.conf.5 =================================================================== RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v diff -u -p -r1.129 httpd.conf.5 --- usr.sbin/httpd/httpd.conf.5 18 Jan 2026 16:38:02 -0000 1.129 +++ usr.sbin/httpd/httpd.conf.5 1 Mar 2026 04:08:43 -0000 @@ -453,6 +453,11 @@ The revision of the HTTP specification u .It Ic SERVER_SOFTWARE The server software name of .Xr httpd 8 . +.It Ic TLS_PEER_SUBJECT +The subject +.Pq distinguished name +of the TLS client certificate +.Pq omitted when TLS client verification is not in use . .It Ic TLS_PEER_VERIFY A variable that is set to a comma separated list of TLS client verification features in use Index: usr.sbin/httpd/server_fcgi.c =================================================================== RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v diff -u -p -r1.99 server_fcgi.c --- usr.sbin/httpd/server_fcgi.c 2 Jan 2026 08:45:16 -0000 1.99 +++ usr.sbin/httpd/server_fcgi.c 1 Mar 2026 04:08:43 -0000 @@ -34,6 +34,8 @@ #include #include +#include + #include "httpd.h" #include "http.h" 
@@ -269,6 +271,12 @@ server_fcgi(struct httpd *env, struct cl if (srv_conf->tls_flags != 0 && fcgi_add_param(¶m, "TLS_PEER_VERIFY", printb_flags(srv_conf->tls_flags, TLSFLAG_BITS), clt) == -1) { + errstr = "failed to encode param"; + goto fail; + } + if (tls_peer_cert_provided(clt->clt_tls_ctx) && + fcgi_add_param(¶m, "TLS_PEER_SUBJECT", + tls_peer_cert_subject(clt->clt_tls_ctx), clt) == -1) { errstr = "failed to encode param"; goto fail; }
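Review bot: in the httpd.conf.5 hunk, the parenthetical "omitted when TLS client verification is not in use" is narrower than what the code does: TLS_PEER_SUBJECT is set only when tls_peer_cert_provided() is true, so it is also absent when verification is configured but the client presented no certificate (e.g. with an optional client CA). Suggest wording it as "omitted when the client did not present a certificate", which covers both cases.

Review bot: in the server_fcgi.c hunk, the new guard calls tls_peer_cert_provided(clt->clt_tls_ctx) unconditionally, while the TLS_PEER_VERIFY param immediately above it is only added when srv_conf->tls_flags != 0; if clt_tls_ctx can be NULL on a non-TLS server, libtls will dereference it. Suggest checking clt->clt_tls_ctx != NULL (or the same tls_flags condition) before the tls_peer_cert_provided() call, e.g. `if (clt->clt_tls_ctx != NULL && tls_peer_cert_provided(clt->clt_tls_ctx) &&`. Also worth a sentence in the man page: the subject DN is client-supplied data (anything the issuing CA allowed), so responders should match it exactly against an expected value rather than parse it loosely.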