Feature #2652

closed

[patch] Add additional SSL env variables for strict client certificate authentication and authorization

Added by jbenden almost 10 years ago. Updated over 8 years ago.

Status:
Duplicate
Priority:
Normal
Category:
TLS
Target version:

Description

OpenSSL Client Authentication

The OpenSSL client authentication environment variables introduced
allow for fine-grained access control to be achieved via external
CGI, FastCGI, and SCGI processes. Enabling client certificate
verification in tandem with these changes enables securing CGI,
FastCGI, and SCGI programs beyond current authentication methods.
This authentication is more desirable than plain username and
password authentication methods.

The following newly introduced CGI environment variables are exported
for usage in authorizing client certificates for the necessary levels
of authorization within CGI, FastCGI, and SCGI processes:

1. SSL_CLIENT_SERIAL_NUMBER: The certificate's serial number expressed as a numeric or hexadecimal string.
2. SSL_CLIENT_FINGERPRINT: The certificate's SHA fingerprint expressed as a hexadecimal string.
3. SSL_CLIENT_CERT: A boolean flag specifying whether or not a client SSL certificate was present. Valid values are "true" and "false".

Usage Example

An example of usage is to completely secure a Drupal installation by
requiring all users of the system to have client certificates and
authorizing the client based on their SSL certificate fingerprint.

In securing the Drupal installation in this way, it becomes nearly
impossible to access the administrative area without having a
client certificate and authorization based on the unique SHA
fingerprint of the client certificate.

When used in this way, Drupal becomes very secure against unwanted
users accessing parts of Drupal they should not.
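As an added example (not part of this issue or of the attached patch), a CGI script that performs the fingerprint-based authorization described above using the SSL_CLIENT_CERT and SSL_CLIENT_FINGERPRINT variables. The patch's exact fingerprint formatting is not shown on this page, so the script accepts both colon-separated and plain hex as an assumption; the allowlist entry is a constructed value.

```python
import hmac
import os

# Constructed allowlist of authorized client certificate SHA fingerprints
# (lower-case hex, no colons). A real deployment would load this from
# configuration rather than hard-code it.
ALLOWED_FINGERPRINTS = {
    "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
}


def normalize_fingerprint(fp):
    """Canonicalise a fingerprint to lower-case hex without separators.
    Assumption: the server may export either 'AA:BB:...' or 'aabb...'.
    Returns None if the value is empty or contains non-hex characters."""
    cleaned = fp.replace(":", "").strip().lower()
    if not cleaned or any(c not in "0123456789abcdef" for c in cleaned):
        return None
    return cleaned


def authorize(env):
    """Return (allowed, reason) for a CGI environment mapping.

    Deny unless the server reports a verified client certificate AND its
    fingerprint is on the allowlist; a missing or malformed variable is
    treated as a denial rather than a pass."""
    if env.get("SSL_CLIENT_CERT") != "true":
        return False, "no client certificate presented"
    fp = normalize_fingerprint(env.get("SSL_CLIENT_FINGERPRINT", ""))
    if fp is None:
        return False, "malformed fingerprint"
    # Constant-time comparison against every entry, so a mismatch does
    # not return early and leak how much of a prefix matched.
    allowed = False
    for candidate in ALLOWED_FINGERPRINTS:
        if hmac.compare_digest(candidate, fp):
            allowed = True
    if not allowed:
        return False, "fingerprint not in allowlist"
    return True, "ok"


def main():
    allowed, reason = authorize(os.environ)
    status = "200 OK" if allowed else "403 Forbidden"
    print(f"Status: {status}\r\nContent-Type: text/plain\r\n\r\n{reason}")


if __name__ == "__main__":
    main()
```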


Files

openssl_client_authentication.patch (9.09 KB): Patch to add SSL env variables to CGI, FastCGI, and SCGI. jbenden, 2015-07-04 21:12

Related issues (2; 0 open, 2 closed)

  • Related to Feature #2511: pass protocol and cipher details to fcgi env (Fixed, 2013-09-06)
  • Is duplicate of Feature #2268: Set serial number of the client certificate into environment (Fixed, 2010-10-23)
#1

Updated by gstrauss about 9 years ago

  • Category changed from core to TLS
#2

Updated by gstrauss almost 9 years ago

  • Missing in 1.5.x deleted (Yes)
#3

Updated by gstrauss over 8 years ago

  • Related to Feature #2268: Set serial number of the client certificate into environment added
#4

Updated by gstrauss over 8 years ago

  • Related to Feature #2511: pass protocol and cipher details to fcgi env added
#5

Updated by gstrauss over 8 years ago

  • Status changed from New to Duplicate
  • Target version changed from 1.4.x to 1.4.42
#6

Updated by gstrauss over 8 years ago

  • Related to deleted (Feature #2268: Set serial number of the client certificate into environment)
#7

Updated by gstrauss over 8 years ago

  • Is duplicate of Feature #2268: Set serial number of the client certificate into environment added