From: Claudio Jeker
Subject: Re: [diff] httpd: pass through dn from tls client cert to fcgi
To: Jack Burton
Cc: Jan Klemkow, tech@openbsd.org
Date: Thu, 30 Apr 2026 10:36:10 +0200

On Thu, Apr 30, 2026 at 03:26:20PM +0930, Jack Burton wrote:
> On Wed, 29 Apr 2026 21:49:29 +0200
> Jan Klemkow wrote:
> > I also like this feature and also thought about it in the past.
> >
> > But, I guess a certificate where the subject is NULL, may crash the
> > httpd?
>
> Interesting. Well caught. I hadn't thought of that, as it makes no
> sense at all to have a *client* certificate without a subject field.
> Nevertheless, RFC 5280 does not prohibit it, so I guess it's possible
> and therefore it makes sense to check for it.
>
> > tls_peer_cert_subject() can return NULL and fcgi_add_param() does an
> > unchecked memcpy(3) with it. So, you have to check for a NULL before
> > calling fcgi_add_param().
>
> Actually fcgi_add_param() would blow up even earlier than that, in the
> call to strlen(3) when initialising val_len.
>
> I toyed briefly with the idea of putting the check in fcgi_add_param()
> instead to make it more general ... but a quick scan of server_fcgi.c
> shows nowhere else where val might be passed in as NULL, so I've gone
> with your suggestion instead.
>
> How's this?
>
> Index: httpd.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
> diff -u -p -r1.129 httpd.conf.5
> --- httpd.conf.5	18 Jan 2026 16:38:02 -0000	1.129
> +++ httpd.conf.5	30 Apr 2026 05:45:07 -0000
> @@ -453,6 +453,14 @@ The revision of the HTTP specification u > .It Ic SERVER_SOFTWARE > The server software name of > .Xr httpd 8 . > +.It Ic TLS_PEER_SUBJECT > +The subject > +.Pq distinguished name > +of the TLS client certificate > +.Po > +omitted when certificate has no subject field or > +TLS client verification is not in use > +.Pc . > .It Ic TLS_PEER_VERIFY > A variable that is set to a comma separated list of TLS client verification > features in use > Index: server_fcgi.c > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v > diff -u -p -r1.100 server_fcgi.c > --- server_fcgi.c 2 Mar 2026 19:24:58 -0000 1.100 > +++ server_fcgi.c 30 Apr 2026 05:45:07 -0000 > @@ -34,6 +34,8 @@ > #include > #include > > +#include > + > #include "httpd.h" > #include "http.h" > #include "log.h" > @@ -99,7 +101,7 @@ server_fcgi(struct httpd *env, struct cl > size_t scriptlen; > int pathlen; > int fd = -1, ret; > - const char *stripped, *alias, *errstr = NULL; > + const char *stripped, *alias, *dn, *errstr = NULL; > char *query_alias, *str, *script = NULL; > > if ((fd = socket(srv_conf->fastcgi_ss.ss_family, > @@ -272,6 +274,14 @@ server_fcgi(struct httpd *env, struct cl > TLSFLAG_BITS), clt) == -1) { > errstr = "failed to encode param"; > goto fail; > + } > + if (tls_peer_cert_provided(clt->clt_tls_ctx)) { > + dn = tls_peer_cert_subject(clt->clt_tls_ctx); > + if (dn != NULL && fcgi_add_param(¶m, > + "TLS_PEER_SUBJECT", dn, clt) == -1) { > + errstr = "failed to encode param"; > + goto fail; > + } > } > } Is it really an error if dn == NULL or should the code simply omit adding the TLS_PEER_SUBJECT? -- :wq Claudio
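Review bot: In the httpd.conf.5 hunk (@@ -453), the new TLS_PEER_SUBJECT entry says the variable is omitted when the certificate has no subject field, which matches the `dn != NULL` guard in the server_fcgi.c hunk; if the final code is changed to treat a NULL subject as an error, as the follow-up question raises, this parenthetical must change with it so documentation and behaviour stay in step. The entry also does not say in what string form the distinguished name is delivered, which FastCGI applications that compare it against an expected DN will need; a short note on the format, or a pointer to where it is defined, would help.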
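Review bot: In the first server_fcgi.c hunk (@@ -34), the header name in the added `#include` line has been lost in quoting, as have the two existing includes above it, so the hunk cannot be checked as shown; tls_peer_cert_provided() and tls_peer_cert_subject() used in the later hunk are libtls functions declared in <tls.h>, so that is presumably the intended header, but it is worth confirming against the real diff before commit.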
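Review bot: In the last server_fcgi.c hunk (@@ -272), the `dn != NULL &&` short-circuit means a NULL subject is silently skipped rather than reported: `errstr = "failed to encode param"` is only reached when fcgi_add_param() itself fails. That is the "simply omit" behaviour and it is what the man page hunk documents; if omission is the intent, a one-line comment on the NULL check saying that a subject-less client certificate is permitted by RFC 5280 (as noted earlier in the thread) would stop a later reader from turning it into an error, and if an error is intended the condition needs splitting into a separate `if (dn == NULL)` branch with its own errstr. Either way, the man page hunk makes a missing TLS_PEER_SUBJECT indistinguishable, from the FastCGI application's side, from client verification not being in use, so applications must decide on TLS_PEER_VERIFY rather than on the presence of this variable; a sentence saying so in httpd.conf.5 would be useful.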