commit 89541eeec019626df4651f44b90df6a31a844dab from: Omar Polo date: Tue Apr 13 06:59:54 2021 UTC define TLS_VERSION, TLS_CIPHER and TLS_CIPHER_STRENGTH for CGI scripts commit - b211d0f7d9908de446e1ab4873a3191d53ebf00b commit + 89541eeec019626df4651f44b90df6a31a844dab blob - 9779fbe63c4ad349fb8d92756796a6331049bf62 blob + 519a32652016348cfde31049e08ba9f274722933 --- ChangeLog +++ ChangeLog @@ -1,3 +1,7 @@ +2021-04-13 Omar Polo + + * ex.c (launch_cgi): define TLS_VERSION, TLS_CIPHER and TLS_CIPHER_STRENGTH for CGI scripts + 2021-04-12 Omar Polo * 1.6.1 tagged blob - e08da7be14cfa7abdbfba2d3a8116e6f008be459 blob + b8590f153c10e7b6ecd113d9c1f40cec24cd2b3f --- ex.c +++ ex.c @@ -184,6 +184,12 @@ launch_cgi(struct iri *iri, struct cgireq *req, struct safe_setenv("REMOTE_USER", req->subject); safe_setenv("TLS_CLIENT_ISSUER", req->issuer); safe_setenv("TLS_CLIENT_HASH", req->hash); + safe_setenv("TLS_VERSION", req->version); + safe_setenv("TLS_CIPHER", req->cipher); + + snprintf(path, sizeof(path), "%d", req->cipher_strength); + safe_setenv("TLS_CIPHER_STRENGTH", path); + setenv_time("TLS_CLIENT_NOT_AFTER", req->notafter); setenv_time("TLS_CLIENT_NOT_BEFORE", req->notbefore); blob - 63f3979581c0a72c23d9cc5cbcb0a878cae67217 blob + f4b46fd4699bf6c90c7c6c3bd784f781f9aa2d57 --- gmid.1 +++ gmid.1 @@ -358,6 +358,13 @@ unset. The hash of the client certificate if provided, otherwise unset. The format is .Dq ALGO:HASH . +.It Ev TLS_VERSION +The TLS version negotiated with the peer. +.It Ev TLS_CIPHER +The cipher suite negotiated with the peer. +.It Ev TLS_CIPHER_STRENGTH +The strength in bits for the symmetric cipher that is being used with +the peer. .It Ev TLS_CLIENT_NOT_AFTER The time corresponding to the end of the validity period of the peer certificate in the ISO 8601 format blob - 040913630bc5b85e04b377347b640d1605bd6e3b blob + cacae398d880cb8e50d0a37d3b6fe80125bd9274 --- gmid.h +++ gmid.h 
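Review bot: In the ex.c hunk, `snprintf(path, sizeof(path), "%d", req->cipher_strength);` borrows `path` as scratch space for an integer, so this export depends on nothing later in launch_cgi still needing the previous contents of `path`. The declaration of `path` and its other uses are outside the hunk, so that cannot be confirmed here. A dedicated buffer removes the coupling: `char strength[12];`, then `snprintf(strength, sizeof(strength), "%d", req->cipher_strength);` and `safe_setenv("TLS_CIPHER_STRENGTH", strength);`. A one-line comment above the three new variables, for example `/* negotiated session parameters, exported for CGI policy checks */`, would also separate them from the client-certificate variables around them.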
@@ -210,6 +210,9 @@ struct cgireq { char issuer[64+1]; char hash[128+1]; + char version[8]; + char cipher[32]; + int cipher_strength; time_t notbefore; time_t notafter; blob - effc2f73eac85d3e2d7e7c9fa9c74ae75eae74e5 blob + 23afd9356cba4b2451e142d0163e68ee098bcd4f --- server.c +++ server.c @@ -702,7 +702,12 @@ start_cgi(const char *spath, const char *relpath, stru strlcpy(req.issuer, t, sizeof(req.issuer)); if ((t = tls_peer_cert_hash(c->ctx)) != NULL) strlcpy(req.hash, t, sizeof(req.hash)); + if ((t = tls_conn_version(c->ctx)) != NULL) + strlcpy(req.version, t, sizeof(req.version)); + if ((t = tls_conn_cipher(c->ctx)) != NULL) + strlcpy(req.cipher, t, sizeof(req.cipher)); + req.cipher_strength = tls_conn_cipher_strength(c->ctx); req.notbefore = tls_peer_cert_notbefore(c->ctx); req.notafter = tls_peer_cert_notafter(c->ctx);
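Review bot: In the gmid.h hunk, `char version[8];` leaves no headroom, since a seven-character name such as "TLSv1.3" fills it exactly once the terminator is counted. The neighbouring fields spell the terminator out as `64+1` and `128+1`, and the new fields could follow that convention: `char version[7+1];` and `char cipher[31+1];`. A short comment such as `/* longest version / cipher name expected from libtls, plus NUL */` would record where the bounds come from, so a longer name is recognised as needing a larger field rather than being clipped. The rest of struct cgireq is outside the hunk.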
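Review bot: In the server.c hunk, both added `strlcpy` calls ignore their return value, so a name longer than `req.version` (8 bytes) or `req.cipher` (32 bytes) is truncated silently. A CGI script that bases an access decision on TLS_VERSION or TLS_CIPHER would then compare against a clipped string. A check such as `if (strlcpy(req.cipher, t, sizeof(req.cipher)) >= sizeof(req.cipher))`, followed by logging and clearing the field, would make the overflow visible; the same applies to `req.version`. `req.cipher_strength` is also stored unchecked, so whatever tls_conn_cipher_strength reports on failure reaches the script as TLS_CIPHER_STRENGTH instead of the variable being left unset. start_cgi begins and ends outside the hunk, so whether `req` is zeroed before these copies cannot be confirmed from here.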