diff --git a/src/ngx_http_voms_module.cpp b/src/ngx_http_voms_module.cpp
index f16e6fa5e393ecf7e16fb3f2275f01e234c1f304..bf643446fba7f7da998057720f14f94fd25f0704 100644
--- a/src/ngx_http_voms_module.cpp
+++ b/src/ngx_http_voms_module.cpp
@@ -33,10 +33,7 @@ using X509Ptr = std::unique_ptr<X509, decltype(&X509_free)>;
 using VomsAc = voms;
 using MaybeVomsAc = boost::optional<VomsAc>;
 
-enum EECSubjectOrIssuer {
-  SUBJECT,
-  ISSUER
-};
+enum class EeDn { SUBJECT, ISSUER };
 
 static ngx_int_t add_variables(ngx_conf_t* cf);
 
@@ -184,7 +181,7 @@ static ngx_http_variable_t variables[] = {
         ngx_string("ssl_client_ee_s_dn"),
         NULL,
         get_ssl_client_ee_dn,
-        SUBJECT,
+        static_cast<uintptr_t>(EeDn::SUBJECT),
         NGX_HTTP_VAR_NOCACHEABLE,
         0  //
     },
@@ -192,7 +189,7 @@ static ngx_http_variable_t variables[] = {
         ngx_string("ssl_client_ee_i_dn"),
         NULL,
         get_ssl_client_ee_dn,
-        ISSUER,
+        static_cast<uintptr_t>(EeDn::ISSUER),
         NGX_HTTP_VAR_NOCACHEABLE,
         0  //
     },
@@ -221,7 +218,7 @@ static std::string to_rfc2253(X509_NAME* name)
 }
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
-uint32_t X509_get_extension_flags(X509* x)
+static uint32_t X509_get_extension_flags(X509* x)
 {
   return x->ex_flags;
 }
@@ -233,10 +230,9 @@ static bool is_proxy(X509* cert)
 }
 
 static ngx_int_t get_ssl_client_ee_dn(ngx_http_request_t* r,
-                                        ngx_http_variable_value_t* v,
-                                        uintptr_t data)
+                                      ngx_http_variable_value_t* v,
+                                      uintptr_t data)
 {
-
   ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
 
   v->not_found = 1;
@@ -248,7 +244,7 @@ static ngx_int_t get_ssl_client_ee_dn(ngx_http_request_t* r,
         NGX_LOG_ERR, r->connection->log, 0, "SSL_get_peer_cert_chain() failed");
     return NGX_OK;
   }
-  
+
   X509* ee_cert = nullptr;
 
   if (sk_X509_num(chain) == 0) {
@@ -272,90 +268,28 @@ static ngx_int_t get_ssl_client_ee_dn(ngx_http_request_t* r,
     return NGX_OK;
   }
 
-  X509_NAME* dn = nullptr;
-
-  if (data == SUBJECT) {
-    dn = X509_get_subject_name(ee_cert);
-  } else {
-    dn = X509_get_issuer_name(ee_cert);
+  X509_NAME* dn;
+
+  switch (static_cast<EeDn>(data)) {
+    case EeDn::SUBJECT:
+      dn = X509_get_subject_name(ee_cert);
+      break;
+    case EeDn::ISSUER:
+      dn = X509_get_issuer_name(ee_cert);
+      break;
+    default:
+      dn = nullptr;
   }
 
   if (!dn) {
-    ngx_log_error(NGX_LOG_DEBUG,
-                  r->connection->log,
-                  0,
-                  "cannot get dn from certificate");
-    return NGX_OK;
-  }
-  std::string value = to_rfc2253(dn);
-
-  auto buffer = static_cast<u_char*>(ngx_pnalloc(r->pool, value.size()));
-  if (!buffer) {
-    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "ngx_pnalloc() failed");
-    return NGX_OK;
-  }
-  ngx_memcpy(buffer, value.c_str(), value.size());
-
-  v->data = buffer;
-  v->len = value.size();
-  v->valid = 1;
-  v->not_found = 0;
-  v->no_cacheable = 0;
-  return NGX_OK;
-}
-      
-static ngx_int_t get_ssl_client_ee_s_dn(ngx_http_request_t* r,
-                                        ngx_http_variable_value_t* v,
-                                        uintptr_t data)
-{
-  ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
-
-  v->not_found = 1;
-  v->valid = 0;
-
-  auto chain = SSL_get_peer_cert_chain(r->connection->ssl->connection);
-  if (!chain) {
     ngx_log_error(
-        NGX_LOG_ERR, r->connection->log, 0, "SSL_get_peer_cert_chain() failed");
-    return NGX_OK;
-  }
-  
-  X509* ee_cert = nullptr;
-
-  if (sk_X509_num(chain) == 0) {
-    ee_cert = SSL_get_peer_certificate(r->connection->ssl->connection);
-  } else {
-    // find first non-proxy
-    for (int i = 0; i != sk_X509_num(chain); ++i) {
-      auto cert = sk_X509_value(chain, i);
-      if (cert && !is_proxy(cert)) {
-        ee_cert = cert;
-        break;
-      }
-    }
-  }
-
-  if (!ee_cert) {
-    ngx_log_error(NGX_LOG_DEBUG,
-                  r->connection->log,
-                  0,
-                  "cannot identify end-entity certificate");
-    return NGX_OK;
-  }
-
-  auto dn = X509_get_subject_name(ee_cert);
-  if (!dn) {
-    ngx_log_error(NGX_LOG_DEBUG,
-                  r->connection->log,
-                  0,
-                  "cannot get subject dn from certificate");
+        NGX_LOG_DEBUG, r->connection->log, 0, "cannot get DN from certificate");
     return NGX_OK;
   }
   std::string value = to_rfc2253(dn);
 
   auto buffer = static_cast<u_char*>(ngx_pnalloc(r->pool, value.size()));
   if (!buffer) {
-    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "ngx_pnalloc() failed");
     return NGX_OK;
   }
   ngx_memcpy(buffer, value.c_str(), value.size());
@@ -389,10 +323,7 @@ static MaybeVomsAc retrieve_voms_ac_from_proxy(ngx_http_request_t* r)
   ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
 
   if (!r->http_connection->ssl) {
-    ngx_log_error(NGX_LOG_ERR,
-                  r->connection->log,
-                  0,
-                  "SSL not enabled");
+    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "SSL not enabled");
     return boost::none;
   }
 
@@ -497,7 +428,6 @@ static ngx_int_t generic_getter(ngx_http_request_t* r,
 
   auto buffer = static_cast<u_char*>(ngx_pnalloc(r->pool, value.size()));
   if (!buffer) {
-    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "ngx_pnalloc() failed");
     return NGX_OK;
   }
   ngx_memcpy(buffer, value.c_str(), value.size());