From 4197e6177291f60411636f08ef1c8fc2106bf577 Mon Sep 17 00:00:00 2001
From: Jamie Cameron
Date: Fri, 11 Aug 2023 20:35:57 -0700
Subject: [PATCH] Allow use of proxied SSL client name even when in non-SSL mode https://github.com/webmin/webmin/issues/1962
---
 miniserv.pl | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/miniserv.pl b/miniserv.pl
index 6e1b0ed77..46b6fe93d 100755
--- a/miniserv.pl
+++ b/miniserv.pl
@@ -1687,12 +1687,15 @@ if ($header{'user-agent'} =~ /webmin/i ||
 }
 
 # Check for SSL authentication
-if ($use_ssl && $verified_client) {
- $peername = Net::SSLeay::X509_NAME_oneline(
- Net::SSLeay::X509_get_subject_name(
- Net::SSLeay::get_peer_certificate(
- $ssl_con)));
- $u = &find_user_by_cert($peername);
+if ($use_ssl && $verified_client ||
+ $config{'trust_real_ip'} && $header{'x-ssl-client-dn'}) {
+ if ($use_ssl && $verified_client) {
+ $peername = Net::SSLeay::X509_NAME_oneline(
+ Net::SSLeay::X509_get_subject_name(
+ Net::SSLeay::get_peer_certificate(
+ $ssl_con)));
+ $u = &find_user_by_cert($peername);
+ }
 if ($config{'trust_real_ip'} && !$u && $header{'x-ssl-client-dn'}) {
 # Use proxied client cert
 $u = &find_user_by_cert($header{'x-ssl-client-dn'});
@@ -1701,7 +1704,7 @@ if ($use_ssl && $verified_client) {
 $authuser = $u;
 $validated = 2;
 }
- if ($use_syslog && !$validated) {
+ if ($use_syslog && !$validated && $use_ssl && $verified_client) {
 syslog("crit", "%s", "Unknown SSL certificate $peername");
 }
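Review bot: The widened outer condition lets the `x-ssl-client-dn` request header alone select the login user whenever `trust_real_ip` is set, with no client certificate and no TLS on this connection, and nothing in the hunk checks that the request actually arrived from the trusted proxy. If miniserv can be reached directly, or the front end forwards a client-supplied copy of that header, the value is an unauthenticated identity claim. Whether the peer address is verified elsewhere is not visible here, so at minimum I would add a comment above the test such as `# x-ssl-client-dn is only trustworthy when the front-end proxy overwrites it and is the sole path to this port`, and preferably gate the header branch on the connecting address being the configured proxy. The enclosing `if` block continues past the end of the hunk.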
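Review bot: With `$use_ssl && $verified_client` added to the syslog guard, a proxied DN that matches no user now produces no log entry from this block, so repeated attempts with different `x-ssl-client-dn` values leave no trace here. Keeping the guard for the direct-certificate case is right, since `$peername` is only set on that path, but I would add a sibling branch for the header path, e.g. `elsif ($use_syslog && !$validated) { syslog("crit", "%s", "Unknown proxied SSL client DN ".$header{'x-ssl-client-dn'}); }`. Logging the successful header-based login as well would make this path auditable. The enclosing block starts before this hunk.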