Allow use of proxied SSL client name even when in non-SSL mode https://github.com/webmin/webmin/issues/1962

2025-07-20 16:48:46 +00:00 · 2023-08-11 20:35:57 -07:00
parent 4b59570a82
commit 4197e61772
1 changed files with 10 additions and 7 deletions
--- a/miniserv.pl
+++ b/miniserv.pl
@ -1687,12 +1687,15 @@ if ($header{'user-agent'} =~ /webmin/i ||
 	}

 # Check for SSL authentication
-if ($use_ssl && $verified_client) {
-	$peername = Net::SSLeay::X509_NAME_oneline(
-			Net::SSLeay::X509_get_subject_name(
-				Net::SSLeay::get_peer_certificate(
-					$ssl_con)));
-	$u = &find_user_by_cert($peername);
+if ($use_ssl && $verified_client ||
+    $config{'trust_real_ip'} && $header{'x-ssl-client-dn'}) {
+	if ($use_ssl && $verified_client) {
+		$peername = Net::SSLeay::X509_NAME_oneline(
+				Net::SSLeay::X509_get_subject_name(
+					Net::SSLeay::get_peer_certificate(
+						$ssl_con)));
+		$u = &find_user_by_cert($peername);
+		}
 	if ($config{'trust_real_ip'} && !$u && $header{'x-ssl-client-dn'}) {
 		# Use proxied client cert
 		$u = &find_user_by_cert($header{'x-ssl-client-dn'});
@ -1701,7 +1704,7 @@ if ($use_ssl && $verified_client) {
 		$authuser = $u;
 		$validated = 2;
 		}
-	if ($use_syslog && !$validated) {
+	if ($use_syslog && !$validated && $use_ssl && $verified_client) {
 		syslog("crit", "%s",
 		       "Unknown SSL certificate $peername");
 		}