authorbenno <benno@openbsd.org>2019-02-10 13:41:27 +0000
committerbenno <benno@openbsd.org>2019-02-10 13:41:27 +0000
commit095ccd49c025fd96d7a100f3729e8e229323aeba (patch)
tree8c507a3557407be6dda4697b84a44d97cce29712 /usr.sbin/httpd
parentPreserve the transcript hash at specific stages of the TLSv1.3 handshake. (diff)
log X509 peer's cert subject name when tls client authentication is used,
in the same way as the http authenticated username is logged. From Karel Gardas, gardask at gmail dot com, Thanks! ok florian@
Diffstat (limited to 'usr.sbin/httpd')
-rw-r--r--usr.sbin/httpd/server_http.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/usr.sbin/httpd/server_http.c b/usr.sbin/httpd/server_http.c
index 9b13db2bca4..6c8549d2b41 100644
--- a/usr.sbin/httpd/server_http.c
+++ b/usr.sbin/httpd/server_http.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_http.c,v 1.128 2018/12/04 18:12:08 florian Exp $ */
+/* $OpenBSD: server_http.c,v 1.129 2019/02/10 13:41:27 benno Exp $ */
/*
* Copyright (c) 2006 - 2018 Reyk Floeter <reyk@openbsd.org>
@@ -1712,6 +1712,13 @@ server_log_http(struct client *clt, unsigned int code, size_t len)
if (clt->clt_remote_user &&
stravis(&user, clt->clt_remote_user, HTTPD_LOGVIS) == -1)
goto done;
+ if (clt->clt_remote_user == NULL &&
+ clt->clt_tls_ctx != NULL &&
+ (srv_conf->tls_flags & TLSFLAG_CA) &&
+ tls_peer_cert_subject(clt->clt_tls_ctx) != NULL &&
+ stravis(&user, tls_peer_cert_subject(clt->clt_tls_ctx),
+ HTTPD_LOGVIS) == -1)
+ goto done;
if (desc->http_version &&
stravis(&version, desc->http_version, HTTPD_LOGVIS) == -1)
goto done;
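Review bot: The certificate subject ends up in the space-delimited user field of the access log, and the hunk does not show whether HTTPD_LOGVIS escapes spaces. A subject with a multi-word O= or CN= component would then shift every later field for log parsers and detection rules, so confirm that the vis flags cover spaces for this value. The added condition also calls `tls_peer_cert_subject(clt->clt_tls_ctx)` twice; reading it once, e.g. `const char *subject = tls_peer_cert_subject(clt->clt_tls_ctx);`, keeps the NULL test and the encoded string tied to the same pointer. server_log_http starts and ends outside this hunk, so that declaration would sit with the function's other locals.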
@@ -1730,7 +1737,7 @@ server_log_http(struct client *clt, unsigned int code, size_t len)
ret = evbuffer_add_printf(clt->clt_log,
"%s %s - %s [%s] \"%s %s%s%s%s%s\""
" %03d %zu \"%s\" \"%s\"\n",
- srv_conf->name, ip, clt->clt_remote_user == NULL ? "-" :
+ srv_conf->name, ip, user == NULL ? "-" :
user, tstamp,
server_httpmethod_byid(desc->http_method),
desc->http_path == NULL ? "" : path,
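Review bot: Only this one evbuffer_add_printf call is switched to `user == NULL`, and its trailing `\"%s\" \"%s\"` fields suggest it serves one of several log formats. If server_log_http has another format branch outside these hunks, that branch would still test `clt->clt_remote_user` and log "-" for certificate-authenticated clients, leaving the audit trail inconsistent between formats. The new test also relies on `user` being initialised to NULL where it is declared, which is not visible here. A comment above the call, such as `/* user: HTTP auth name, else TLS client cert subject */`, would tell log consumers that the field now has two possible sources.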