Add support for automatic client authentication via TLS certificate fields

src/config.c

@@ -3361,6 +3361,7 @@ standardConfig static_configs[] = {
     createBoolConfig("tls-prefer-server-ciphers", NULL, MODIFIABLE_CONFIG, server.tls_ctx_config.prefer_server_ciphers, 0, NULL, applyTlsCfg),
     createBoolConfig("tls-session-caching", NULL, MODIFIABLE_CONFIG, server.tls_ctx_config.session_caching, 1, NULL, applyTlsCfg),
     createStringConfig("tls-cert-file", NULL, VOLATILE_CONFIG | MODIFIABLE_CONFIG, EMPTY_STRING_IS_NULL, server.tls_ctx_config.cert_file, NULL, NULL, applyTlsCfg),
+    createStringConfig("tls-auth-clients-field", NULL, VOLATILE_CONFIG | MODIFIABLE_CONFIG, EMPTY_STRING_IS_NULL, server.tls_ctx_config.client_auth_field, NULL, NULL, applyTlsCfg),
     createStringConfig("tls-key-file", NULL, VOLATILE_CONFIG | MODIFIABLE_CONFIG, EMPTY_STRING_IS_NULL, server.tls_ctx_config.key_file, NULL, NULL, applyTlsCfg),
     createStringConfig("tls-key-file-pass", NULL, MODIFIABLE_CONFIG | SENSITIVE_CONFIG, EMPTY_STRING_IS_NULL, server.tls_ctx_config.key_file_pass, NULL, NULL, applyTlsCfg),
     createStringConfig("tls-client-cert-file", NULL, VOLATILE_CONFIG | MODIFIABLE_CONFIG, EMPTY_STRING_IS_NULL, server.tls_ctx_config.client_cert_file, NULL, NULL, applyTlsCfg),

src/connection.h

@@ -138,6 +138,7 @@ struct connection {
     ConnectionCallbackFunc conn_handler;
     ConnectionCallbackFunc write_handler;
     ConnectionCallbackFunc read_handler;
+    sds cert_user;
 };
 
 #define CONFIG_BINDADDR_MAX 16

src/server.h

@@ -1475,6 +1475,7 @@ typedef struct serverTLSContextConfig {
     char *client_cert_file;     /* Certificate to use as a client; if none, use cert_file */
     char *client_key_file;      /* Private key filename for client_cert_file */
     char *client_key_file_pass; /* Optional password for client_key_file */
+    char *client_auth_field;    /* Field to be used for Authomatic TLS Authenticaton */
     char *dh_params_file;
     char *ca_cert_file;
     char *ca_cert_dir;

src/tls.c

@@ -38,6 +38,7 @@
 
 #include <openssl/conf.h>
 #include <openssl/ssl.h>
+#include <openssl/x509.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
 #include <openssl/pem.h>
@@ -677,12 +678,69 @@ static void updateSSLState(connection *conn_) {
     updatePendingData(conn);
 }
 
+static int getCertFieldByName(X509 *cert, const char *field, char *out, size_t outlen) {
+    if (!cert || !field || !out) return 0;
+
+    int nid = -1;
+
+    if (!strcasecmp(field, "CN"))
+        nid = NID_commonName;
+    else if (!strcasecmp(field, "O"))
+        nid = NID_organizationName;
+    // Add more mappings here as needed
+
+    if (nid == -1) return 0;
+
+    X509_NAME *subject = X509_get_subject_name(cert);
+    if (!subject) return 0;
+
+    return X509_NAME_get_text_by_NID(subject, nid, out, outlen) > 0;
+}
+
+static void autoAuthenticateClientFromCert(tls_connection *conn) {
+    if (!conn || !SSL_is_init_finished(conn->ssl)) return;
+
+    const char *field = server.tls_ctx_config.client_auth_field;
+    if (!field) return;
+
+    serverLog(LL_NOTICE, "TLS: Config Auto Auth Field = %s", field);
+
+    X509 *cert = SSL_get_peer_certificate(conn->ssl);
+    if (!cert) {
+        serverLog(LL_WARNING, "TLS: No peer certificate found after handshake");
+        return;
+    }
+
+    char field_value[256];
+    if (!getCertFieldByName(cert, field, field_value, sizeof(field_value))) {
+        serverLog(LL_WARNING, "TLS: Failed to extract field %s from certificate", field);
+        X509_free(cert);
+        return;
+    }
+
+    serverLog(LL_NOTICE, "TLS: Config Auto Auth %s = %s", field, field_value);
+    conn->c.cert_user = sdsnew(field_value);
+    X509_free(cert);
+
+    client *c = connGetPrivateData(&conn->c);
+    if (!c) return;
+
+    user *u = ACLGetUserByName(conn->c.cert_user, sdslen(conn->c.cert_user));
+    serverLog(LL_NOTICE, "TLS: ACL lookup user: %s", u ? u->name : "NOT FOUND");
+    if (u) {
+        c->user = u;
+        c->flag.authenticated = true;
+        serverLog(LL_NOTICE, "TLS: Auto-authenticated client as %s", u->name);
+    }
+}
+
 static void TLSAccept(void *_conn) {
     tls_connection *conn = (tls_connection *)_conn;
     ERR_clear_error();
     int ret = SSL_accept(conn->ssl);
     if (ret > 0) {
         conn->flags |= TLS_CONN_FLAG_ACCEPT_SUCCESS;
+        autoAuthenticateClientFromCert(conn);
     } else if (handleSSLReturnCode(conn, ret)) {
         conn->flags |= TLS_CONN_FLAG_ACCEPT_ERROR;
     }

tests/unit/tls.tcl

@@ -154,5 +154,35 @@ start_server {tags {"tls"}} {
             r config set tls-key-file-pass 1234
             r config set tls-key-file $keyfile_encrypted
         }
+
+        test {TLS: Auto-authenticate using tls-auth-clients-field (CN)} {
+            # Ensure the user exists
+            r ACL SETUSER client on >clientpass allcommands allkeys
+
+            # Ensure feature is off by default
+            r CONFIG SET tls-auth-clients-field ""
+
+            # Client should not be authenticated automatically
+            set s [valkey [srv 0 host] [srv 0 port] 0 1]
+            ::tls::import [$s channel]
+            $s AUTH client clientpass
+            assert_match {OK} [$s PING]
+            $s close
+
+            # Enable feature
+            r CONFIG SET tls-auth-clients-field CN
+
+            # With correct client cert having CN=client and an ACL user named 'client'
+            set s [valkey [srv 0 host] [srv 0 port] 0 1]
+            ::tls::import [$s channel]
+
+            # Now no explicit AUTH is required
+            assert_equal "PONG" [$s PING]
+            $s close
+
+            # Reset config
+            r CONFIG SET tls-auth-clients-field ""
+        }
+
     }
 }