Feature #2693



Added by mackyle about 5 years ago. Updated over 3 years ago.

Target version:


SSL_CLIENT_VERIFY is set to "NONE", "SUCCESS" or "FAILED:reason".
This is compatible with Apache's mod_ssl variable of the same name.

SSL_CLIENT_S_DN is set to the oneline version of the client certificate
subject's distinguished name and may be used as a setting for the
ssl.verifyclient.username config option. When Apache's mod_ssl is
configured to use 'FakeBasicAuth' it uses the SSL_CLIENT_S_DN value for
the username (that ultimately may end up in REMOTE_USER). The value
that will be set for SSL_CLIENT_S_DN may be determined using the
`openssl x509 -noout -subject -in <cert.pem>` command.

Patch file attached.

See also



Updated by gstrauss over 4 years ago

  • Category changed from core to TLS

Updated by gstrauss over 4 years ago

  • Assignee deleted (stbuehler)
  • Missing in 1.5.x deleted (Yes)

Updated by gstrauss about 4 years ago

  • Status changed from New to Need Feedback
  • Priority changed from Normal to Low

SSL_CLIENT_VERIFY has been implemented.

SSL_CLIENT_S_DN has not been implemented, and I am not quite convinced it is needed when there are other recommended solutions. According to X509_NAME_oneline() (


The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications.

As an alternative, lighttpd does provide SSL_CLIENT_S_DN_* components, which can be used with e.g.
ssl.verifyclient.username = "SSL_CLIENT_S_DN_UID"
ssl.verifyclient.username = "SSL_CLIENT_S_DN_emailAddress"

Is there still a desire to have lighttpd provide SSL_CLIENT_S_DN, given the limitations described above, as well as the alternatives available?

--- a/src/response.c
+++ b/src/response.c
@@ -180,6 +180,16 @@ static void https_add_ssl_client_entries(server *srv, connection *con) {

+               char *s_dn = X509_NAME_oneline(xn, NULL, 0);
+               if (NULL != s_dn) {
+                       array_set_key_value(con->environment,
+                                           CONST_STR_LEN("SSL_CLIENT_S_DN"),
+                                           s_dn, strlen(s_dn));
+                       OPENSSL_free(s_dn);
+               }
+       }
+       {
                ASN1_INTEGER *xsn = X509_get_serialNumber(xs);
                BIGNUM *serialBN = ASN1_INTEGER_to_BN(xsn, NULL);
                char *serialHex = BN_bn2hex(serialBN);

Updated by gstrauss about 4 years ago

Besides X509_NAME_oneline() function being deprecated, until fairly recently, there was a security issue with the function, too.

The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.


Updated by gstrauss about 4 years ago

If this feature is still desired, please see what was posted on over two months ago:

Please consider using X509_NAME_print_ex() and propose a reasonable set of flags for a consistent and still-useful result.


Updated by gstrauss over 3 years ago

  • Status changed from Need Feedback to Patch Pending
  • Target version changed from 1.4.x to 1.4.46

Updated by gstrauss over 3 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Also available in: Atom