Hello,
I'd like to have X509 peer's cert subject name logged in some form when ca option in httpd.conf is used. That is, we do have X509 verified client accessing web resource. Following patch implements this behavior for combined logging style and for the case http connection is not authenticated by other means. Thanks for review, comments and/or inclusion, Karel
diff --git a/usr.sbin/httpd/server_http.c b/usr.sbin/httpd/server_http.c
index 9b13db2bca4..8291db52311 100644
--- a/usr.sbin/httpd/server_http.c
+++ b/usr.sbin/httpd/server_http.c
@@ -1712,6 +1712,12 @@ server_log_http(struct client *clt, unsigned int code, size_t len)
 if (clt->clt_remote_user &&
 stravis(&user, clt->clt_remote_user, HTTPD_LOGVIS) == -1)
 goto done;
+ if (clt->clt_remote_user == NULL &&
+ clt->clt_tls_ctx != NULL &&
+ (srv_conf->tls_flags & TLSFLAG_CA) &&
+ stravis(&user, tls_peer_cert_subject(clt->clt_tls_ctx),
+ HTTPD_LOGVIS) == -1)
+ goto done;
 if (desc->http_version &&
 stravis(&version, desc->http_version, HTTPD_LOGVIS) == -1)
 goto done;
@@ -1730,7 +1736,7 @@ server_log_http(struct client *clt, unsigned int code, size_t len)
 ret = evbuffer_add_printf(clt->clt_log,
 "%s %s - %s [%s] \"%s %s%s%s%s%s\""
 " %03d %zu \"%s\" \"%s\"\n",
- srv_conf->name, ip, clt->clt_remote_user == NULL ? "-" :
+ srv_conf->name, ip, user == NULL ? "-" :
 user, tstamp, server_httpmethod_byid(desc->http_method),
 desc->http_path == NULL ? "" : path,
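Review bot: In the first hunk the return value of tls_peer_cert_subject() is passed straight to stravis(), but libtls returns NULL when no peer certificate is available or the subject string could not be built, and stravis() dereferences its input; whether the TLSFLAG_CA branch can be reached without a client certificate depends on the listener's configuration, so the guard should not rely on that. Capture the value and test it before escaping: `(subject = tls_peer_cert_subject(clt->clt_tls_ctx)) != NULL &&` followed by `stravis(&user, subject, HTTPD_LOGVIS) == -1)`, with `const char *subject;` declared at the top of server_log_http(), which begins outside the hunk. The subject DN is a value the client chose when it requested its certificate, so escaping it through HTTPD_LOGVIS before it reaches the log is the right call, but unless those vis flags also encode whitespace the remote-user column can now carry spaces that log parsers treat as a field separator, which is worth a short comment above the new block stating that the certificate subject is logged in place of the authenticated user. The enclosing function continues past both hunks.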