response.c: set SSL_CLIENT_VERIFY & SSL_CLIENT_S_DN

[mackyle]

SSL_CLIENT_VERIFY is set to "NONE", "SUCCESS" or "FAILED:reason".
This is compatible with Apache's mod_ssl variable of the same name.

SSL_CLIENT_S_DN is set to the oneline version of the client certificate
subject's distinguished name and may be used as a setting for the
ssl.verifyclient.username config option. When Apache's mod_ssl is
configured to use 'FakeBasicAuth' it uses the SSL_CLIENT_S_DN value for
the username (that ultimately may end up in REMOTE_USER). The value
that will be set for SSL_CLIENT_S_DN may be determined using the
openssl x509 -noout -subject -in <cert.pem> command.

Signed-off-by: Kyle J. McKay

[gstrauss]

x-ref: https://redmine.lighttpd.net/issues/2693

[gstrauss]

Is there any reason why this is not further up with the code which fills in envds?

[gstrauss]

I added a couple comments inline to the diff. Please review.

I presume that you are using Apache names of SSL_* vars as the convention to follow.
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
Is that the case? I have not yet checked other popular web servers (e.g. nginx) or proxies (e.g. haproxy) or caching proxies (e.g. varnish) (and I am sure there are many other popular servers in each of those categories).

While on the subject, of variables, how do you think the values should be encoded? Please see the paragraphs below the env var table in the Environment Variables section, as well as the SSLOptions LegacyDNSStringFormat. What do you think? https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

[gstrauss]

@mackyle have you had a chance to review my feedback? Also, as noted in #62, I plan to review all the TLS-related tickets together so that solutions will not conflict.

[gstrauss]

@mackyle have you had a chance to review my feedback? Also, as noted in #62, I plan to review all the TLS-related tickets together so that solutions will not conflict.

[gstrauss]

@mackyle have you had a chance to review my feedback? Also, as noted in #62, I plan to review all the TLS-related tickets together so that solutions will not conflict.

[gstrauss]

@mackyle have you had a chance to review my feedback? Also, as noted in #62, I plan to review all the TLS-related tickets together so that solutions will not conflict.

[gstrauss]

@mackyle have you had a chance to review my feedback? Also, as noted in #62, I plan to review all the TLS-related tickets together so that solutions will not conflict.

There are additional tickets which request other env vars.

[gstrauss]

above two lines should be part of the SSL_get_verify_result() condition block above to show that the outcome of the test sets SSL_CLIENT_VERIFY depending on the outcome of the condition test.

array_set_key_value() should be preferred over array_insert_unique() when it is desirable to replace an existing entry, if it exists, rather than having it handled by data_string insert_dup(), and perform a list append (combining the values with ", ") (And yes, other code should be modified, too, but that should be handled in a separate pull request)

[gstrauss]

The manpage for X509_NAME_oneline() says:
The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications.

Please consider using X509_NAME_print_ex() and propose a reasonable set of flags for a consistent and still-useful result.