Allow logging of client's SSL certificate DN

Hiroki Hashimoto
21 April 2018, 20:14
Access logs currently do not show a client's certificate DN in forced client SSL certificate mode (RequiredCA). It is up for grabs to 'guesstimate' who the actual requester of a HTTP request was. Could this functionality be added to included in one of the logging formats (We currently use the hiawatha log format) ?

Additionally, or alternatively, a configuration directive could be added to populate the 'REMOTE_USER' HTTP header with the client's certificate common name.

Ideally both the first and second request would become possible within Hiawatha of course
Hugo Leisink
21 April 2018, 21:18
I'll think about the DN in the logfile.

There is no REMOTE_USER HTTP header. I guess you mean the REMOTE_USER CGI environment variable? In that case, look at the TLS_SUBJECT_DN variable. Also check out the other TLS_* variables.
Hiroki Hashimoto
21 April 2018, 23:24
Apologies, I was actually referring to the access log field that contains the user name determined by HTTP authentication, if applicable. In this scenario no CGI comes to play. Hiawatha is simply proxying requests to locally hosted endpoints. I'm looking specifically for the subject's DN / or common name to end up in the access logs as they are being offloaded to an aggregator for analysis, reporting and security compliancy purposes.

An example of described functionality (using NGINX unfortunately) can be found here:
Hugo Leisink
25 April 2018, 13:58
I'll think about it. No promises yet.
This topic has been closed.