From 3dbeb4e4dbbdbda13bfb473fffee38c9d40a57cd Mon Sep 17 00:00:00 2001
From: Jamie Cameron <jcameron@webmin.com>
Date: Wed, 1 Apr 2026 18:17:02 -0700
Subject: [PATCH] Don't trust proxy-provided SSL cert if it's flagged as not
 verified

---
 miniserv.pl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/miniserv.pl b/miniserv.pl
index 065805da0..a5e3f2a67 100755
--- a/miniserv.pl
+++ b/miniserv.pl
@@ -1721,7 +1721,8 @@ if ($header{'user-agent'} =~ /webmin/i ||
 # Check for SSL authentication
 my $trust_ssl = $config{'trust_real_ip'} && !$config{'no_trust_ssl'};
 if ($use_ssl && $verified_client ||
-    $trust_ssl && $header{'x-ssl-client-dn'}) {
+    $trust_ssl && $header{'x-ssl-client-dn'} &&
+                  $header{'x-ssl-client-verifiy'} !~ /^(failed|none)/i) {
 	if ($use_ssl && $verified_client) {
 		$peername = Net::SSLeay::X509_NAME_oneline(
 				Net::SSLeay::X509_get_subject_name(