From: Jan Klemkow <jan@openbsd.org>
Subject: Re: [diff] httpd: pass through dn from tls client cert to fcgi
To: Jack Burton <jack@saosce.com.au>
Cc: tech@openbsd.org
Date: Thu, 30 Apr 2026 20:07:58 +0200

On Thu, Apr 30, 2026 at 03:26:20PM +0930, Jack Burton wrote:
> On Wed, 29 Apr 2026 21:49:29 +0200
> Jan Klemkow <jan@openbsd.org> wrote:
> > I also like this feature and also thought about it in the past.
> > 
> > But, I guess a certificate where the subject is NULL, may crash the
> > httpd?
> 
> Interesting.  Well caught.  I hadn't thought of that, as it makes no
> sense at all to have a *client* certificate without a subject field.
> Nevertheless, RFC 5280 does not prohibit it, so I guess it's possible
> and therefore it makes sense to check for it.

In this scenario it does not matter, if its legal or not to have a subject-less
client certificate.  The important question is: Can an attacker craft a certificate
which leads to NULL in ->subject, which he can use to DoS the httpd?