From 21eb768a053e03f1d31e9fe8d6a938edcd526e1f Mon Sep 17 00:00:00 2001
From: Bernhard Reiter
Date: Thu, 31 Mar 2022 12:00:13 +0200
Subject: [PATCH] Improve providers handlung of tls client certs
* Change logging logic to print out the Issuer when a certificate was presented.
---
 cmd/csaf_provider/controller.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/cmd/csaf_provider/controller.go b/cmd/csaf_provider/controller.go
index 54be92f..3ce1005 100644
--- a/cmd/csaf_provider/controller.go
+++ b/cmd/csaf_provider/controller.go
@@ -82,7 +82,13 @@ func (c *controller) auth(
 verify := os.Getenv("SSL_CLIENT_VERIFY")
 log.Printf("SSL_CLIENT_VERIFY: %s\n", verify)
- log.Printf("ca: %s\n", os.Getenv("SSL_CLIENT_I_DN"))
+ if verify == "SUCCESS" || strings.HasPrefix(verify, "FAILED") {
+ // potentially we want to see the Issuer when there is a problem
+ // but it is not clear if we get this far in case of "FAILED".
+ // docs (accessed 2022-03-31 when 1.20.2 was current stable):
+ // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#var_ssl_client_verify
+ log.Printf("SSL_CLIENT_I_DN: %s\n", os.Getenv("SSL_CLIENT_I_DN"))
+ }
 switch {
 case verify == "SUCCESS" && (c.cfg.Issuer == nil || *c.cfg.Issuer == os.Getenv("SSL_CLIENT_I_DN")):
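Review bot: The issuer DN logged inside the new `if` block is taken from the client's certificate, and in the `FAILED` branch that certificate has not been validated, so the value should be treated as untrusted text rather than written with `%s`. Quoting it keeps any unexpected control characters from splitting or forging log lines and makes an empty value visible: `log.Printf("SSL_CLIENT_I_DN: %q", os.Getenv("SSL_CLIENT_I_DN"))`; whether the web server already escapes such characters cannot be seen from this hunk. It would also be cleaner to read the variable once into a local and use it in both the log call and the `switch` comparison against `*c.cfg.Issuer`, so the value that is logged is certainly the one that is checked. The body of `auth` starts and ends outside the hunk.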