Allow logging of client's SSL certificate DN

Hiroki Hashimoto
21 April 2018, 20:14
Access logs currently do not show a client's certificate DN in forced client SSL certificate mode (RequiredCA). It is up for grabs to 'guesstimate' who the actual requester of an HTTP request was. Could this functionality be added to be included in one of the logging formats (we currently use the hiawatha log format)?

Additionally, or alternatively, a configuration directive could be added to populate the 'REMOTE_USER' HTTP header with the client's certificate common name.

Ideally both the first and second request would become possible within Hiawatha, of course.
Hugo Leisink
21 April 2018, 21:18
I'll think about the DN in the logfile.

There is no REMOTE_USER HTTP header. I guess you mean the REMOTE_USER CGI environment variable? In that case, look at the TLS_SUBJECT_DN variable. Also check out the other TLS_* variables.
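As an added illustration of the CGI route mentioned above (example code, not part of this thread or of Hiawatha itself): a small CGI handler that reads the TLS_SUBJECT_DN environment variable, pulls the common name out of it and writes an access-log style line that names the client. The only variable name taken from the page is TLS_SUBJECT_DN; the assumption that its value is an RFC 4514-style string such as `CN=alice,OU=Dev,O=Example`, the other CGI variables used (REMOTE_ADDR, REQUEST_METHOD, REQUEST_URI) and the sample values are constructed for the example.

```python
#!/usr/bin/env python3
"""CGI example: log the client certificate subject taken from TLS_SUBJECT_DN.

Assumption (not confirmed by the page): TLS_SUBJECT_DN holds an RFC 4514-style
DN such as "CN=alice,OU=Dev,O=Example". Backslash-escaped commas inside a
value are handled; other RFC 4514 escapes are left as-is.
"""
import os
import sys
from datetime import datetime, timezone


def parse_dn(dn):
    """Split a DN string into an upper-cased attribute -> value dict.

    The first occurrence of an attribute wins, so a certificate with several
    OU components keeps the left-most one.
    """
    parts = {}
    if not dn:
        return parts
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:            # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":        # unescaped comma separates RDNs
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    for rdn in rdns:
        key, sep, value = rdn.partition("=")
        if sep:
            parts.setdefault(key.strip().upper(), value.strip())
    return parts


def client_identity(environ):
    """Return (full DN, common name) for the request, '-' where absent."""
    dn = environ.get("TLS_SUBJECT_DN", "")
    cn = parse_dn(dn).get("CN", "-")
    return (dn or "-", cn)


def log_line(environ, now=None):
    """Build one access-log style line that carries the client identity.

    Values are quoted so a log aggregator can split the line reliably even
    when the DN contains spaces.
    """
    if now is None:
        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    dn, cn = client_identity(environ)
    return '{} {} "{} {}" cn="{}" dn="{}"'.format(
        now,
        environ.get("REMOTE_ADDR", "-"),
        environ.get("REQUEST_METHOD", "-"),
        environ.get("REQUEST_URI", "-"),
        cn,
        dn,
    )


if __name__ == "__main__":
    # Running under a real CGI invocation: write the log line to stderr
    # (which the web server normally collects) and answer the request.
    sys.stderr.write(log_line(os.environ) + "\n")
    _, cn = client_identity(os.environ)
    sys.stdout.write("Content-Type: text/plain\r\n\r\n")
    sys.stdout.write("authenticated client: {}\n".format(cn))
```

Because `client_identity` and `log_line` take the environment as a plain dict, they can be exercised offline with a constructed environment before the script is deployed as a CGI handler.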
Hiroki Hashimoto
21 April 2018, 23:24
Apologies, I was actually referring to the access log field that contains the user name determined by HTTP authentication, if applicable. In this scenario no CGI comes into play. Hiawatha is simply proxying requests to locally hosted endpoints. I'm looking specifically for the subject's DN or common name to end up in the access logs, as they are being offloaded to an aggregator for analysis, reporting and security compliance purposes.

An example of described functionality (using NGINX unfortunately) can be found here: https://awmanoj.github.io/tech/2017/06/13/using-nginx-logs-to-identify-ssl-certs/
Hugo Leisink
25 April 2018, 13:58
I'll think about it. No promises yet.