From: Jack Burton <jack@saosce.com.au>
Subject: Re: [diff] httpd: pass through dn from tls client cert to fcgi
To: Claudio Jeker <cjeker@diehard.n-r-g.com>
Cc: Jan Klemkow <jan@openbsd.org>, tech@openbsd.org
Date: Thu, 30 Apr 2026 20:39:19 +0930

On Thu, 30 Apr 2026 10:36:10 +0200
Claudio Jeker <cjeker@diehard.n-r-g.com> wrote:
> On Thu, Apr 30, 2026 at 03:26:20PM +0930, Jack Burton wrote:
> > On Wed, 29 Apr 2026 21:49:29 +0200> > +		}
> > +		if (tls_peer_cert_provided(clt->clt_tls_ctx)) {
> > +			dn =
> > tls_peer_cert_subject(clt->clt_tls_ctx);
> > +			if (dn != NULL && fcgi_add_param(&param,
> > +			    "TLS_PEER_SUBJECT", dn, clt) == -1) {
> > +				errstr = "failed to encode param";
> > +				goto fail;
> > +			}
> >  		}
> >  	}  
> 
> Is it really an error if dn == NULL or should the code simply omit
> adding the TLS_PEER_SUBJECT?

dn == NULL does not trigger an error.  In that case (dn != NULL) is
false so the goto statement is never reached.

Perhaps it would more readable with a single conditional statement
instead of two.

How's this?

Index: httpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
diff -u -p -r1.129 httpd.conf.5
--- httpd.conf.5	18 Jan 2026 16:38:02 -0000	1.129
+++ httpd.conf.5	30 Apr 2026 11:08:14 -0000
@@ -453,6 +453,14 @@ The revision of the HTTP specification u
 .It Ic SERVER_SOFTWARE
 The server software name of
 .Xr httpd 8 .
+.It Ic TLS_PEER_SUBJECT
+The subject
+.Pq distinguished name
+of the TLS client certificate
+.Po
+omitted when certificate has no subject field or
+TLS client verification is not in use
+.Pc .
 .It Ic TLS_PEER_VERIFY
 A variable that is set to a comma separated list of TLS client verification
 features in use
Index: server_fcgi.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
diff -u -p -r1.100 server_fcgi.c
--- server_fcgi.c	2 Mar 2026 19:24:58 -0000	1.100
+++ server_fcgi.c	30 Apr 2026 11:08:14 -0000
@@ -34,6 +34,8 @@
 #include <event.h>
 #include <unistd.h>
 
+#include <tls.h>
+
 #include "httpd.h"
 #include "http.h"
 #include "log.h"
@@ -99,7 +101,7 @@ server_fcgi(struct httpd *env, struct cl
 	size_t				 scriptlen;
 	int				 pathlen;
 	int				 fd = -1, ret;
-	const char			*stripped, *alias, *errstr = NULL;
+	const char			*stripped, *alias, *dn, *errstr = NULL;
 	char				*query_alias, *str, *script = NULL;
 
 	if ((fd = socket(srv_conf->fastcgi_ss.ss_family,
@@ -270,6 +272,12 @@ server_fcgi(struct httpd *env, struct cl
 		if (srv_conf->tls_flags != 0 && fcgi_add_param(&param,
 		    "TLS_PEER_VERIFY", printb_flags(srv_conf->tls_flags,
 		    TLSFLAG_BITS), clt) == -1) {
+			errstr = "failed to encode param";
+			goto fail;
+		}
+		if (tls_peer_cert_provided(clt->clt_tls_ctx) &&
+		    (dn = tls_peer_cert_subject(clt->clt_tls_ctx)) != NULL &&
+		    fcgi_add_param(&param, "TLS_PEER_SUBJECT", dn, clt) == -1) {
 			errstr = "failed to encode param";
 			goto fail;
 		}