Extension:SSL authentication

SSL Authentication is an extension that automatically logs users in with their SSL client certificate. It uses mod_ssl in Apache to fetch the DN from the client certificate and maps that to a MediaWiki user name. All users are logged in automatically, and all users are required to use certificates.

I started this work for MediaWiki version 1.5.3 and we have used it for some months. A couple of weeks ago, I discovered Shibboleth Authentication by Djcapelis and wow! That made it easy to rewrite my code as an extension and upgrade to the latest MediaWiki version.

Over time, more people have been working on it, and I want to say thanks to Krzysztof Kozlowski and D.J. Capelis for their help.

I still have some minor things to work out. I now use firstname + lastname (or the CN in the user certificate) to make the login name and use the DN for the real name, but firstname lastname is probably not unique in a larger environment; the DN is, but it's not usable as a username in MW. Maybe an md5 hash of the DN, but then it's ugly as a username... I think you know the best way to solve this in your own environment.

As you can see, there are some glitches in this documentation and you are welcome to help. :-)

Clientside certificate and SSL
describe what clientside certificate and SSL is

Configure Apache
For a start, you need some prerequisites. First, you need certificates for all your users. Take a look at OpenCA or the Swedish PrimeKey Solutions if you don't have certificates. Maybe Windows certificates can be used?

We use smart cards for all our users.

Then you need to configure your Apache to use SSL. This is my no-comments code for httpd.conf to set this up:

SSLEngine on
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM
SSLProxyEngine off
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
SSLCACertificateFile /etc/apache2/ssl.crt/ca-dskort.crt
SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars +ExportCertData
SSLVerifyClient require
SSLVerifyDepth 1
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
CustomLog /var/log/apache2/ssl_request_log ssl_combined

Options None
AllowOverride None
Order allow,deny
Allow from all
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN} =~ m/.*serialNumber= $/

We use SSLRequire to restrict usage of our wiki to just some users, with certificates enrolled by our CA. Find some unique attribute to match on, or list all users' DNs here. If you have used SSL and client certificates before, you know what to do.

LocalSettings.php
Add this to your LocalSettings.php to initialize the extension:

# Load SSLAuthPlugin
require_once('extensions/SSLAuthPlugin.php');

# Feel free to use extra PHP code to munge the variables if you'd like.
# Additionally, if you wish to only map some of the name data, set this to true
# and either blank $ssl_RN and $ssl_email or comment them out entirely.
$ssl_map_info = true;

# Ssssh.... quiet down errors
# $olderror = error_reporting(E_ALL ^ E_NOTICE);

# Map Real Name from certificate
# Can be DN but is it right?
$ssl_RN = $_SERVER['SSL_CLIENT_S_DN'];

# MW username is required to map to something.
# You should beware of possible namespace collisions; it is best to choose
# something that will not violate MW's usual restrictions on characters.
# Just using Firstname + Lastname (CN) from the certificate 'will' make collisions... but what to use?
# UN could be an md5 hash of the DN, but it's ugly to use...
$ssl_UN = $_SERVER['SSL_CLIENT_S_DN_CN'];

# Map e-mail to something close?
# If the certificate carries no e-mail, fall back to firstname.lastname@ds.se
# built from the CN (this assumes the CN has the form "Firstname Lastname").
if (isset($_SERVER['SSL_CLIENT_S_DN_Email']) && $_SERVER['SSL_CLIENT_S_DN_Email'] != '') {
    $ssl_email = $_SERVER['SSL_CLIENT_S_DN_Email'];
} else {
    $ssl_email = strtolower(str_replace(' ', '.', trim($ssl_UN)) . '@ds.se');
}

# Turn error reporting back on
# error_reporting($olderror);

# Activate SSL Plugin (SSLAuthSetup is the setup function defined in SSLAuthPlugin.php)
SSLAuthSetup();
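The mapping above trusts whatever mod_ssl put into $_SERVER and builds the login name from the CN alone, which the page itself notes will collide. The following is an added example, not code from the extension or its author: it checks that Apache really verified the certificate (SSL_CLIENT_VERIFY) and that it was issued by the expected CA before using the DN, and it derives a MediaWiki-safe login name from the CN plus a short hash of the full DN so two certificates with the same CN get distinct accounts. The function names ssl_client_identity() and ssl_mw_username(), the issuer DN constant and the sample DNs are assumptions constructed for this example; the '@ds.se' fallback and the mod_ssl variable names come from the page.

```php
<?php
// Added example (not part of the SSL authentication extension): derive the
// MediaWiki login name, real name and e-mail from the mod_ssl variables, after
// checking that Apache verified the certificate and that our own CA issued it.

# Issuer DN as mod_ssl exports it for certificates from our own CA (placeholder value,
# in the legacy "/C=.../O=..." format the page's SSLRequire line also uses).
define('SSL_EXPECTED_ISSUER_DN', '/C=SE/O=Example Org/CN=Example Org CA');

# Characters MediaWiki rejects in user names: $wgInvalidUsernameCharacters defaults to
# '@:', and titles cannot contain # < > [ ] | { }. This example also drops '/' and controls.
define('SSL_MW_BAD_CHARS', '/[@:#<>\[\]|{}\/\x00-\x1f]/');

/**
 * Build a MediaWiki-safe login name from the certificate CN and subject DN.
 * The CN alone collides ("Anna Andersson" is rarely unique) and the full DN is
 * not a usable title, so the CN is kept readable and 8 hex characters of an
 * md5 over the whole DN are appended to keep distinct certificates apart.
 */
function ssl_mw_username($cn, $dn) {
    $name = preg_replace(SSL_MW_BAD_CHARS, ' ', $cn);    # strip forbidden characters
    $name = trim(preg_replace('/[\s_]+/', ' ', $name));  # underscores and runs of space -> one space
    if ($name === '') {
        $name = 'Certuser';                               # CN empty or entirely forbidden
    }
    $name = ucfirst($name);                               # MW capitalises the first letter anyway
    $suffix = substr(md5($dn), 0, 8);
    return substr($name, 0, 255 - 9) . ' ' . $suffix;     # stay within MW's 255-byte name limit
}

/**
 * Read the mod_ssl environment and return array(username, realname, email),
 * or null if the request must not be logged in automatically.
 * $env is passed in rather than reading $_SERVER directly so it can be tested offline.
 */
function ssl_client_identity(array $env) {
    # 1. Only trust the DN variables if Apache itself verified the chain.
    if (!isset($env['SSL_CLIENT_VERIFY']) || $env['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
        return null;
    }
    # 2. SSLCACertificateFile may list several CAs; accept only our own issuer.
    if (!isset($env['SSL_CLIENT_I_DN']) || $env['SSL_CLIENT_I_DN'] !== SSL_EXPECTED_ISSUER_DN) {
        return null;
    }
    if (empty($env['SSL_CLIENT_S_DN']) || empty($env['SSL_CLIENT_S_DN_CN'])) {
        return null;
    }
    $dn = $env['SSL_CLIENT_S_DN'];
    $cn = $env['SSL_CLIENT_S_DN_CN'];

    # 3. E-mail from the certificate if present, otherwise firstname.lastname@ds.se
    #    (assumes the CN has the form "Firstname Lastname", as the page's setup does).
    if (!empty($env['SSL_CLIENT_S_DN_Email'])) {
        $email = $env['SSL_CLIENT_S_DN_Email'];
    } else {
        $email = strtolower(str_replace(' ', '.', trim($cn))) . '@ds.se';
    }
    return array(ssl_mw_username($cn, $dn), $dn, $email);
}

# Constructed sample input: two certificates from our CA with the same CN but different DNs.
$sample = array(
    'SSL_CLIENT_VERIFY'  => 'SUCCESS',
    'SSL_CLIENT_I_DN'    => SSL_EXPECTED_ISSUER_DN,
    'SSL_CLIENT_S_DN'    => '/C=SE/O=Example Org/serialNumber=1001/CN=Anna Andersson',
    'SSL_CLIENT_S_DN_CN' => 'Anna Andersson',
);
$other = $sample;
$other['SSL_CLIENT_S_DN'] = '/C=SE/O=Example Org/serialNumber=2002/CN=Anna Andersson';

list($un1, $rn1, $mail1) = ssl_client_identity($sample);
list($un2) = ssl_client_identity($other);
assert($un1 !== $un2);                        # same CN, distinct login names
assert($mail1 === 'anna.andersson@ds.se');
# No SSL_CLIENT_VERIFY at all (plain HTTP, or a forwarded header): no auto-login.
assert(ssl_client_identity(array('SSL_CLIENT_S_DN_CN' => 'Anna Andersson')) === null);
echo "$un1 / $rn1 / $mail1\n";

# In LocalSettings.php the same function would feed the plugin's variables:
# $id = ssl_client_identity($_SERVER);
# if ($id !== null) { list($ssl_UN, $ssl_RN, $ssl_email) = $id; }
```

The issuer check matters because SSLCACertificateFile accepts a certificate from any CA in that file, and SSLVerifyDepth 1 only bounds the chain length; matching SSL_CLIENT_I_DN (or SSLRequire on it in httpd.conf) is what ties the login to your own CA. Returning null rather than a guessed name means a request that somehow reaches PHP without a verified certificate simply gets no automatic session.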

SSLAuthPlugin.php
Copy and paste this code into the new file: