From: Jack Burton Subject: Re: [diff] httpd: pass through dn from tls client cert to fcgi To: Jan Klemkow Cc: tech@openbsd.org Date: Thu, 30 Apr 2026 15:26:20 +0930 On Wed, 29 Apr 2026 21:49:29 +0200 Jan Klemkow wrote: > I also like this feature and also thought about it in the past. > > But, I guess a certificate where the subject is NULL, may crash the > httpd? Interesting. Well caught. I hadn't thought of that, as it makes no sense at all to have a *client* certificate without a subject field. Nevertheless, RFC 5280 does not prohibit it, so I guess it's possible and therefore it makes sense to check for it. > tls_peer_cert_subject() can return NULL and fcgi_add_param() does an > unchecked memcpy(3) with it. So, you have to check for a NULL before > calling fcgi_add_param(). Actually fcgi_add_param() would blow up even earlier than that, in the call to strlen(3) when initialising val_len. I toyed briefly with the idea of putting the check in fcgi_add_param() instead to make it more general ... but a quick scan of server_fcgi.c shows nowhere else where val might be passed in as NULL, so I've gone with your suggestion instead. How's this? Index: httpd.conf.5 =================================================================== RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v diff -u -p -r1.129 httpd.conf.5 --- httpd.conf.5 18 Jan 2026 16:38:02 -0000 1.129 +++ httpd.conf.5 30 Apr 2026 05:45:07 -0000 @@ -453,6 +453,14 @@ The revision of the HTTP specification u .It Ic SERVER_SOFTWARE The server software name of .Xr httpd 8 . +.It Ic TLS_PEER_SUBJECT +The subject +.Pq distinguished name +of the TLS client certificate +.Po +omitted when certificate has no subject field or +TLS client verification is not in use +.Pc . .It Ic TLS_PEER_VERIFY A variable that is set to a comma separated list of TLS client verification features in use Index: server_fcgi.c =================================================================== RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v diff -u -p -r1.100 server_fcgi.c --- server_fcgi.c 2 Mar 2026 19:24:58 -0000 1.100 +++ server_fcgi.c 30 Apr 2026 05:45:07 -0000 @@ -34,6 +34,8 @@ #include #include +#include + #include "httpd.h" #include "http.h" #include "log.h" @@ -99,7 +101,7 @@ server_fcgi(struct httpd *env, struct cl size_t scriptlen; int pathlen; int fd = -1, ret; - const char *stripped, *alias, *errstr = NULL; + const char *stripped, *alias, *dn, *errstr = NULL; char *query_alias, *str, *script = NULL; if ((fd = socket(srv_conf->fastcgi_ss.ss_family, @@ -272,6 +274,14 @@ server_fcgi(struct httpd *env, struct cl TLSFLAG_BITS), clt) == -1) { errstr = "failed to encode param"; goto fail; + } + if (tls_peer_cert_provided(clt->clt_tls_ctx)) { + dn = tls_peer_cert_subject(clt->clt_tls_ctx); + if (dn != NULL && fcgi_add_param(¶m, + "TLS_PEER_SUBJECT", dn, clt) == -1) { + errstr = "failed to encode param"; + goto fail; + } } }