Extension:SSL authentication

SSL Authentication is an extension that automatically logs users into the wiki using their SSL client certificate. It uses mod_ssl in Apache to fetch the DN from the client certificate and maps it to a MediaWiki user name. All users are logged in automatically, and all users are required to present a certificate. These certificates must be vouched for by one of the certification authorities on file, specified by  option. Wiki user names are taken from the user's certificate (SSL_CLIENT_S_DN_CN); if that user name does not already exist, it is created.

I started this work for MediaWiki version 1.5.3, and we have used it for some months. A couple of weeks ago, I discovered Extension:Shibboleth Authentication by Djcapelis, and wow! That made it easy to rewrite my code as an extension and upgrade to the latest MediaWiki version.

Over time more people have been contributing, and in particular I want to say thanks to Krzysztof Kozlowski and D.J. Capelis for their help.

I still have some minor things to work out. I now use firstname + lastname (or the CN from the user certificate) as the login name and the DN as the real name, but firstname + lastname is probably not unique in a larger environment; the DN should be unique, but it is not usable as a user name in MW. Maybe an MD5 hash of the DN, but that makes for an ugly user name... You probably know the best way to resolve this for your own environment.
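As an added illustration of the mapping and the uniqueness problem described above (example code written for this page in Python, not part of the extension, which is PHP): it parses the subject DN string that mod_ssl exports, derives a MediaWiki-compatible user name from the CN, and appends a short MD5 fragment of the DN when a different certificate already holds that name. The invalid-character set and the sample DNs are assumptions.

```python
import hashlib
import re

# Constructed sample values follow the shape mod_ssl puts into SSL_CLIENT_S_DN.
# Apache 2.2 uses the legacy "/C=DK/O=Example/CN=Jane Doe" form; Apache 2.4
# defaults to the RFC 2253 form "CN=Jane Doe,O=Example,C=DK".
# Escaped separators inside attribute values are not handled here.

# Characters rejected in MediaWiki user names: title-invalid characters plus
# the default $wgInvalidUsernameCharacters ('@'); ':' and '/' are excluded
# conservatively. This set is an assumption for the example, not the extension's.
INVALID_CHARS = set('#<>[]|{}:/@')


def parse_dn(dn: str) -> dict:
    """Split a mod_ssl subject DN string into an {attribute: value} dict."""
    sep = '/' if dn.startswith('/') else ','
    fields = {}
    for part in dn.split(sep):
        key, eq, value = part.strip().partition('=')
        if eq:                      # skip the empty piece before a leading '/'
            fields[key] = value
    return fields


def username_from_cn(cn: str) -> str:
    """Turn a certificate CN into something MediaWiki accepts as a user name."""
    name = ''.join(ch for ch in cn if ch not in INVALID_CHARS)
    name = re.sub(r'\s+', ' ', name).strip()   # MW collapses runs of whitespace
    return name[:1].upper() + name[1:]           # MW capitalises the first letter


def wiki_identity(dn: str, bound: dict) -> tuple:
    """Map a client DN to (user_name, real_name).

    `bound` maps existing wiki user names to the DN that owns them. A different
    certificate presenting an already-used CN gets a short MD5 fragment of its
    DN appended, so two people with the same name never share one account.
    """
    cn = parse_dn(dn).get('CN', '')
    if not cn:
        raise ValueError('client certificate has no CN')
    name = username_from_cn(cn)
    owner = bound.get(name)
    if owner is not None and owner != dn:
        name = f"{name} ({hashlib.md5(dn.encode()).hexdigest()[:8]})"
    return name, dn
```

Calling `wiki_identity(dn, registry)` for each incoming certificate and recording the returned name in `registry` reproduces the "create the user if it does not exist" step without the collision the text warns about.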

As you can see, there are some glitches in this documentation and you are welcome to help. :-)

Client-side certificates and SSL
Generally, this refers to a certificate signed by some authority (a 'Certificate Authority' or 'CA') known to both the server and the client. An organization may acquire its certificate from Verisign, for example, or from one of many other well-known 'trusted' authorities. The organization can then issue, and sign, certificates for use by its clients.

It is also possible for an organization to self-sign its certificates, i.e. to be its own Certificate Authority.

Configure Apache
To start, you need some prerequisites. First, you need certificates for all your users. If you don't have certificates, take a look at OpenCA or the community-driven non-profit CAcert.org, which issues certificates to its community members free of charge. Maybe Windows certificates can be used?

We use smartcards for all our users.

Then you need to configure your Apache to use SSL. These are the uncommented httpd.conf directives I use to set this up:

    SSLEngine on
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM
    SSLProxyEngine off
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
    SSLCACertificateFile /etc/apache2/ssl.crt/ca-dskort.crt
    SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars +ExportCertData
    SSLVerifyClient require
    SSLVerifyDepth 1
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/apache2/ssl_request_log ssl_combined

    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    SSLRequireSSL
    SSLRequire %{SSL_CLIENT_S_DN} =~ m/.*serialNumber= $/

We use SSLRequire to restrict usage of our wiki to certain users with certificates enrolled by our CA, which is stored in SSLCACertificateFile. Find some unique attribute to match on, or list all users' DNs there. If you have used SSL and client certificates before, you know what to do.

 * See the Apache mod_ssl module documentation

LocalSettings.php
Add the following to your LocalSettings.php to initialise the extension.

SSLAuthPlugin.php (MW 1.20)
Copy and paste this code into the new file.

SSLAuthPlugin.php (MW 1.27 and later)
MediaWiki 1.27 releases no longer ship the required includes/AuthPlugin.php file, so this SSL Authentication extension does not work with them. AuthPlugin was replaced by the AuthManager framework.

 * Removal commit: http://phabricator.wikimedia.org/rMW3f717984c13b671cf166880d5153f0396f3107f8
 * The file last existed at http://phabricator.wikimedia.org/source/mediawiki/browse/master/includes/AuthPlugin.php as of rMW0f1858321c37.