=== modified file 'src/format/ByteCode.h'
--- src/format/ByteCode.h	2011-11-18 07:48:25 +0000
+++ src/format/ByteCode.h	2012-07-01 10:48:44 +0000
@@ -190,6 +190,14 @@
     LFT_ICAP_STATUS_CODE,
 #endif
 
+#if USE_SSL
+    LFT_TLS_CLIENT_CA,
+    LFT_TLS_CLIENT_CERT,
+
+    /* LFT_TLS_SERVER_CA, */
+    /* LFT_TLS_SERVER_CERT, */
+#endif
+
     LFT_PERCENT			/* special string cases for escaped chars */
 } ByteCode_t;
 

=== modified file 'src/format/Format.cc'
--- src/format/Format.cc	2012-01-20 18:55:04 +0000
+++ src/format/Format.cc	2012-07-01 10:47:24 +0000
@@ -1008,6 +1008,30 @@
             out = "%";
 
             break;
+
+#if USE_SSL
+        case LFT_TLS_CLIENT_CA:
+            if (al->request) {
+                ConnStateData *conn = request->clientConnectionManager.get();
+                if (conn && conn->clientConnection != NULL) {
+                    SSL *ssl = fd_table[conn->clientConnection->fd].ssl;
+                    out = sslGetCAAttribute(ssl, fmt->data.header.header);
+                    quote = 1;
+                }
+            }
+            break;
+
+        case LFT_TLS_CLIENT_CERT:
+            if (al->request) {
+                ConnStateData *conn = request->clientConnectionManager.get();
+                if (conn && conn->clientConnection != NULL) {
+                    SSL *ssl = fd_table[conn->clientConnection->fd].ssl;
+                    out = sslGetUserAttribute(ssl, fmt->data.header.header);
+                    quote = 1;
+                }
+            }
+            break;
+#endif
         }
 
         if (dooff) {

=== modified file 'src/format/Token.cc'
--- src/format/Token.cc	2012-05-12 03:21:00 +0000
+++ src/format/Token.cc	2012-07-01 10:49:27 +0000
@@ -151,6 +151,16 @@
     {NULL, LFT_NONE}		/* this must be last */
 };
 
+#if USE_SSL
+static TokenTableEntry TokenTableTlc[] = {
+    {">ca", LFT_TLS_CLIENT_CA},
+    {">cert", LFT_TLS_CLIENT_CERT},
+    /* {"<ca", LFT_TLS_SERVER_CA}, */
+    /* {"<cert", LFT_TLS_SERVER_CERT}, */
+    {NULL, LFT_NONE}           /* this must be last */
+};
+#endif
+
 #if USE_ADAPTATION
 static TokenTableEntry TokenTableAdapt[] = {
     {"all_trs", LFT_ADAPTATION_ALL_XACT_TIMES},
@@ -201,8 +211,9 @@
 #if ICAP_CLIENT
     TheConfig.registerTokens(String("icap"),::Format::TokenTableIcap);
 #endif
-
-    // TODO tokens for OpenSSL errors in "ssl::"
+#if USE_SSL
+    TheConfig.registerTokens(String("tls"),::Format::TokenTableTls);
+#endif
 }
 
 /// Scans a token table to see if the next token exists there


