add more SSL_ meta vars from the mod_ssl family

HoneyryderChuck · HoneyryderChuck · commit e88ca8ae117a · 2023-02-01T23:32:15.000Z
adding a few more variables when webrick is run in SSL, and mutual tls
is in place; in such a case, it's important to send information to the
backend whether the certificate has been verified, among others.
diff --git a/lib/webrick/https.rb b/lib/webrick/https.rb
@@ -69,7 +69,25 @@ def meta_vars
       if server_cert
         meta["HTTPS"] = "on"
         meta["SSL_SERVER_CERT"] = @server_cert.to_pem
-        meta["SSL_CLIENT_CERT"] = @client_cert ? @client_cert.to_pem : ""
+        if @client_cert
+          meta["SSL_CLIENT_M_VERSION"] = @client_cert.version
+          meta["SSL_CLIENT_M_SERIAL"] = @client_cert.serial
+          meta["SSL_CLIENT_S_DN"] = @client_cert.subject.to_s
+          meta["SSL_CLIENT_I_DN"] = @client_cert.issuer.to_s
+          meta["SSL_CLIENT_V_START"] = @client_cert.not_before.httpdate
+          meta["SSL_CLIENT_V_END"] = @client_cert.not_after.httpdate
+          meta["SSL_CLIENT_V_REMAIN"] = (@client_cert.not_after - @client_cert.not_before) / 60 / 60 / 24
+          meta["SSL_CLIENT_A_SIG"] = @client_cert.signature_algorithm
+          meta["SSL_CLIENT_A_KEY"] = @client_cert.public_key.oid
+          meta["SSL_CLIENT_CERT"] = @client_cert.to_pem
+          meta["SSL_CLIENT_VERIFY"] = if @socket.context.verify_mode == OpenSSL::SSL::VERIFY_NONE
+            "NONE"
+          elsif @socket.verify_result == OpenSSL::X509::V_OK
+            "SUCCESS"
+          else
+            "FAILED"
+          end
+        end
         if @client_cert_chain
           @client_cert_chain.each_with_index{|cert, i|
             meta["SSL_CLIENT_CERT_CHAIN_#{i}"] = cert.to_pem
