Right off the bat, I want to point out that this is NOT a bug report but rather a feature request/proposal (I don't know whether this is allowed or not ... my apologies if it isn't).

In a nutshell, what I would like to have is a new variable among the SSL environment variables that uniquely identifies the client certificate (the certificate's SHA-1 fingerprint, maybe?). Imagine a (corporate internal) service that does mTLS user authentication. Now (I presume for financial reasons) the company created its own CA and issued thousands of certificates. I can of course add the internal CA to my known CAs list, and I can of course check the SSL_CLIENT_S_DN_CN name, but I cannot guarantee that the CA plays nice (meaning that they might actually create certificates with the same DN or the same SN ... it actually happened). Now, I already have a small subset of certificates in an LDAP, so what I would like to do is to authorize access based on certificate fingerprint. If I had the (SHA-1 ...) fingerprint in an environment variable (let us say SSL_CLIENT_CERT_SHA1), I could do something like:

    SSLUserName SSL_CLIENT_CERT_SHA1
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldaphost/ou=accounts,dc=test,dc=com?uid"

where of course the LDAP uids would be the fingerprints. I hope this would make sense to more people...

Regards
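Added example, not part of the request above or of mod_ssl: a small Python script showing the fingerprint check the proposal relies on, using only the PEM certificate that mod_ssl already exports in SSL_CLIENT_CERT (with SSLOptions +ExportCertData). It hashes the DER bytes, so two certificates with an identical subject DN still get different fingerprints, and it defaults to SHA-256 because SHA-1 is no longer collision resistant; the "certificates" are constructed stand-in bytes, not real X.509 data.

```python
import base64
import hashlib
import hmac
import re


def _fake_pem(der: bytes) -> str:
    # Wrap constructed bytes in a PEM envelope the way mod_ssl hands over
    # SSL_CLIENT_CERT. These are NOT real certificates, only sample input.
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Two certs a careless CA might have issued with the same subject DN
# (CN=alice) but different contents: the DER bytes differ, so the
# fingerprints differ, which is exactly why the DN alone is not a safe key.
PEM_A = _fake_pem(b"\x30\x82\x01\x00" + b"CN=alice,O=test" + b"\x01" * 40)
PEM_B = _fake_pem(b"\x30\x82\x01\x00" + b"CN=alice,O=test" + b"\x02" * 40)


def pem_to_der(pem: str) -> bytes:
    # Extract the base64 body between the PEM markers and decode it to DER.
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(pem: str, algo: str = "sha256") -> str:
    # Same digest `openssl x509 -noout -fingerprint -<algo>` prints,
    # normalised to lowercase hex without colons so it matches an LDAP uid.
    return hashlib.new(algo, pem_to_der(pem)).hexdigest()


def authorize(pem: str, allowed: set[str], algo: str = "sha256") -> bool:
    # Allowlist lookup by fingerprint (the role the LDAP uid plays in the
    # proposal). Constant-time comparison avoids leaking near-matches.
    fp = fingerprint(pem, algo)
    return any(hmac.compare_digest(fp, a) for a in allowed)


if __name__ == "__main__":
    allowlist = {fingerprint(PEM_A)}
    print("cert A allowed:", authorize(PEM_A, allowlist))  # True
    print("cert B allowed:", authorize(PEM_B, allowlist))  # False, same DN
```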