dovecot.pkoch at dfgh.net
2014-Nov-03 22:46 UTC
SSL Client authentication with trustcenter-certificate
Dear reader,

we are using dovecot 2.2.7 and like it very much. Authentication is done via a checkpassword program that does two things:

1) check whether the client has connected via SSL using a client certificate
2) check whether the client is using a one-time password generator

Most of our users are using certificates that we have created ourselves. These certificates contain an x500uniqueidentifier. But some users are using certificates from a German trust center, and these certificates do not contain an x500uniqueIdentifier nor anything similar.

I would like to map these certificates to user accounts, and my first idea was to do so from my checkpassword program. But how do I find out the client certificate from within a checkpassword script?

I tried to add an additional entry to auth_request_var_expand_static_tab and fill in that environment variable in auth_request_get_var_expand_table_full() (both in src/auth/auth-request.c). But where do I find the SSL context from which I can extract the client certificate?

Kind regards

Peter Koch