Karel Gardas([email protected]) on 2019.02.01 16:28:17 +0100:
> > Hello,
> >
> > I'd like to have X509 peer's cert subject name logged in some form when
> > ca option in httpd.conf is used. That is, we do have X509 verified
> > client accessing web resource. Following patch implements this
> > behavior for combined logging style and for the case http connection is
> > not authenticated by other means.
> >
> > Thanks for review, comments and/or inclusion,
i think this is a good idea, but ... > > Karel > > diff --git a/usr.sbin/httpd/server_http.c b/usr.sbin/httpd/server_http.c > index 9b13db2bca4..8291db52311 100644 > --- a/usr.sbin/httpd/server_http.c > +++ b/usr.sbin/httpd/server_http.c > @@ -1712,6 +1712,12 @@ server_log_http(struct client *clt, unsigned int code, > size_t len) > if (clt->clt_remote_user && > stravis(&user, clt->clt_remote_user, HTTPD_LOGVIS) == -1) > goto done; > + if (clt->clt_remote_user == NULL && > + clt->clt_tls_ctx != NULL && > + (srv_conf->tls_flags & TLSFLAG_CA) && > + stravis(&user, tls_peer_cert_subject(clt->clt_tls_ctx), tls_peer_cert_subject() can return NULL. > + HTTPD_LOGVIS) == -1) > + goto done; > if (desc->http_version && > stravis(&version, desc->http_version, HTTPD_LOGVIS) == -1) > goto done; > @@ -1730,7 +1736,7 @@ server_log_http(struct client *clt, unsigned int code, > size_t len) > ret = evbuffer_add_printf(clt->clt_log, > "%s %s - %s [%s] \"%s %s%s%s%s%s\"" > " %03d %zu \"%s\" \"%s\"\n", > - srv_conf->name, ip, clt->clt_remote_user == NULL ? "-" : > + srv_conf->name, ip, user == NULL ? "-" : > user, tstamp, > server_httpmethod_byid(desc->http_method), > desc->http_path == NULL ? "" : path, >
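Review bot: in the first hunk, `stravis(&user, tls_peer_cert_subject(clt->clt_tls_ctx), HTTPD_LOGVIS)` passes the subject straight through, and tls_peer_cert_subject() returns NULL when no peer certificate is available (the interleaved comment above makes the same point); stravis(3) dereferences a NULL source string, so the logging path would crash instead of falling back to "-". Fetch the subject into a local first and only call stravis when it is set, e.g. `const char *subject = tls_peer_cert_subject(clt->clt_tls_ctx);` followed by `if (subject != NULL && stravis(&user, subject, HTTPD_LOGVIS) == -1) goto done;`. A second thing to consider: a certificate subject DN can contain spaces, and the combined-format line assembled in the second hunk separates its fields with spaces, so parsers that split the log on whitespace will misalign every field after the user for such clients; HTTPD_LOGVIS encodes control characters but leaves spaces as they are, so either encode the space as well or document the limitation.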
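Review bot: in the second hunk, changing the ternary from `clt->clt_remote_user == NULL` to `user == NULL` is what lets the TLS subject reach the log line, but it now depends on `user` being initialised to NULL at its declaration and released at `done:`, both of which are outside this hunk; please confirm the declaration reads `char *user = NULL` (or equivalent) so an unauthenticated non-TLS request still logs `-` and nothing uninitialised is printed. If server_http.c prints clt_remote_user for the other log styles as well, they need the same substitution for the subject to appear consistently, or the commit message should state that only the combined style gets it.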
