Extension:SSLClientAuthentication

The SSLClientAuthentication extension allows users to register their client SSL certificates with their account so that it can be used for authentication.

This is different from Extension:SSL authentication, which auto-creates users based on their SSL certificate and requires all certificates be signed by a specific CA. Users can use whatever certificate they want (unless restricted by the site administrator) and register it with their account if they want.

Installation

 * Download and extract the files in the directory called "SSLClientAuthentication" to your extensions/ folder.
 * Add the following line to the bottom of your LocalSettings.php:

require_once "$IP/extensions/SSLClientAuthentication/ClientSSLAuth.php";


 * Execute the SQL commands in sslauth.sql in order to create the required database table sslcerts in your MediaWiki installation's database.
 * Done – Navigate to Special:Version of your wiki to verify that the extension is successfully installed.

Configuration parameters

 * $wgEnableClientSSL – Whether to enable this extension or not. Setting this to false disables SSL authentication entirely.
 * $wgClientSSLEnforceName – If true, it will be required that the CN on the certificate match the username of the user.
 * $wgClientSSLEnforceEmail – If true, it will be required that the email on the certificate match the email of the user. Note that this does not stop the user from changing their email address on the site.
 * $wgClientSSLStrictAuth – The default is true. In the database, uniqueness on certificate is not required. Setting this to true will automatically log out any user who attempts to use another user's certificate. Note that setting this to false does not allow two users to authenticate with the same certificate.

Server configuration
This extension depends heavily on the web server being configured properly. Your site must have HTTPS enabled, and your web server must allow and verify client SSL certificates. Note that the exact configuration is site-dependent. If desired, only client certificates from certain CAs can be allowed. It is recommended that only reliable CAs be trusted.

Performance Notice: For Apache and mod_ssl, this extension requires that +StdEnvVars be put into the configuration file. This has been known to have a performance effect on all requests. If necessary, this can be avoided by only turning on client SSL authentication for Special:Userlogin (or some other designated page). This will not be as secure, since once the user goes to another page the site will be relying on cookie authentication alone, but it should increase performance.
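As an added example (not part of this page or the extension's own files), the following Apache 2.4 / mod_ssl virtual host meets the requirements above: HTTPS on, client certificates verified against a restricted CA bundle, and the SSL_CLIENT_* variables exported for the extension. The hostname, file paths, CA bundle and the short-URL login path are assumed placeholders to adapt to the site.

```apache
# Added example, not from the extension. Paths and hostnames are placeholders.
<VirtualHost *:443>
    ServerName wiki.example.org
    DocumentRoot /var/www/mediawiki

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wiki.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.org.key

    # Only client certificates chaining to a CA in this bundle are accepted.
    # Keep the bundle limited to CAs the site actually trusts.
    SSLCACertificateFile  /etc/ssl/certs/trusted-client-cas.pem
    SSLVerifyDepth 2

    # Option A: ask for and verify a client certificate on every request.
    # "optional" lets visitors without a certificate still browse; the
    # extension only sees a certificate when the browser presents one.
    SSLVerifyClient optional

    # Required by the extension: export the SSL_CLIENT_* variables (subject
    # DN, CN, email, verification result) into the request environment.
    # This is the per-request cost mentioned in the performance notice.
    SSLOptions +StdEnvVars

    # Option B (use instead of the two directives above): request and export
    # the certificate only on the login page. Assumes short URLs of the form
    # /wiki/Page. A per-location SSLVerifyClient triggers a renegotiation
    # after the handshake, and every later request is authenticated by the
    # session cookie alone, as the notice above describes.
    # <Location /wiki/Special:UserLogin>
    #     SSLVerifyClient optional
    #     SSLOptions +StdEnvVars
    # </Location>
</VirtualHost>
```

After reloading Apache, a login with a registered certificate should show SSL_CLIENT_VERIFY=SUCCESS in the request environment; a certificate from a CA outside the bundle is rejected at the TLS layer before MediaWiki sees it.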