Hello,

I'd like to have the X509 peer certificate's subject name logged in some form when
the ca option in httpd.conf is used, that is, when an X509-verified
client is accessing a web resource. The following patch implements this
behavior for the combined logging style, and only for the case where the HTTP connection is
not authenticated by other means.

Thanks for review, comments and/or inclusion,

Karel

diff --git a/usr.sbin/httpd/server_http.c b/usr.sbin/httpd/server_http.c
index 9b13db2bca4..8291db52311 100644
--- a/usr.sbin/httpd/server_http.c
+++ b/usr.sbin/httpd/server_http.c
@@ -1712,6 +1712,12 @@ server_log_http(struct client *clt, unsigned int code, 
size_t len)
                if (clt->clt_remote_user &&
                    stravis(&user, clt->clt_remote_user, HTTPD_LOGVIS) == -1)
                        goto done;
+               if (clt->clt_remote_user == NULL &&
+                   clt->clt_tls_ctx != NULL &&
+                   (srv_conf->tls_flags & TLSFLAG_CA) &&
+                   stravis(&user, tls_peer_cert_subject(clt->clt_tls_ctx),
+                               HTTPD_LOGVIS) == -1)
+                       goto done;
                if (desc->http_version &&
                    stravis(&version, desc->http_version, HTTPD_LOGVIS) == -1)
                        goto done;
@@ -1730,7 +1736,7 @@ server_log_http(struct client *clt, unsigned int code, 
size_t len)
                ret = evbuffer_add_printf(clt->clt_log,
                    "%s %s - %s [%s] \"%s %s%s%s%s%s\""
                    " %03d %zu \"%s\" \"%s\"\n",
-                   srv_conf->name, ip, clt->clt_remote_user == NULL ? "-" :
+                   srv_conf->name, ip, user == NULL ? "-" :
                    user, tstamp,
                    server_httpmethod_byid(desc->http_method),
                    desc->http_path == NULL ? "" : path,
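Review bot: The replacement `user == NULL ? "-" : user` is only equivalent to the old test if `user` is initialised to NULL at its declaration and is assigned solely by the two stravis() calls; both are outside this hunk, so this is inferred rather than verified. A short comment on the changed line would make the new precedence explicit, e.g. `/* user: remote user if set, else the verified client cert subject, else "-" */`. The rest of server_log_http(), including the other log formats the patch intentionally leaves untouched, lies outside the hunk.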
