From: Jack Burton Subject: Re: [diff] httpd: pass through dn from tls client cert to fcgi To: Jan Klemkow Cc: tech@openbsd.org Date: Fri, 1 May 2026 15:05:28 +0930 On Thu, 30 Apr 2026 20:07:58 +0200 Jan Klemkow wrote: > On Thu, Apr 30, 2026 at 03:26:20PM +0930, Jack Burton wrote: > > On Wed, 29 Apr 2026 21:49:29 +0200 > > Jan Klemkow wrote: > > > I also like this feature and also thought about it in the past. > > > > > > But, I guess a certificate where the subject is NULL, may crash > > > the httpd? > > > > Interesting. Well caught. I hadn't thought of that, as it makes no > > sense at all to have a *client* certificate without a subject field. > > Nevertheless, RFC 5280 does not prohibit it, so I guess it's > > possible and therefore it makes sense to check for it. > > In this scenario it does not matter, if its legal or not to have a > subject-less client certificate. The important question is: Can an > attacker craft a certificate which leads to NULL in ->subject, which > he can use to DoS the httpd? Yes, too true (although I'd suggest that both matter: a deliberate, malicious DoS and a DoS caused by user error each have the same end result). The most recent 3 versions of the diff I posted all address your concern (NULL subject no longer causes a crash, nor any error; instead it just gets ignored). Are any of those suitable?