Extension:SSLClientAuthentication

From MediaWiki.org
MediaWiki extensions manual
SSLClientAuthentication
Release status: unmaintained
Implementation User identity, Special page
Description Allow users to register their client SSL certificate with their account and use it for authentication over HTTPS.
Author(s) Tyler Romeo (Parent5446talk)
Latest version 0.5 (2012-10-05)
MediaWiki 1.20.x - 1.26.x
PHP 5.3+
Database changes Yes
License GNU General Public License 3.0 or later
Parameters
  • $wgEnableClientSSL
  • $wgClientSSLEnforceName
  • $wgClientSSLEnforceEmail
  • $wgClientSSLStrictAuth
Hooks used
GetPreferences
UserLoadFromSession
AbortLogin
LoadExtensionSchemaUpdates

The SSLClientAuthentication extension allows users to register their client SSL certificates with their account so that it can be used for authentication.

This is different from Extension:SSL authentication, which auto-creates users based on their SSL certificate and requires that all certificates be signed by a specific CA. With this extension, users can use whatever certificate they want (unless the site administrator restricts the accepted CAs) and register it with their account if they want.

Installation

  • Download and extract the files in the directory called "SSLClientAuthentication" to your extensions/ folder.
  • Add the following line to the bottom of your LocalSettings.php:
require_once "$IP/extensions/SSLClientAuthentication/ClientSSLAuth.php";
  • Execute the SQL statements in sslauth.sql to create the required sslcerts table in your MediaWiki installation's database.
  • Done – Navigate to Special:Version of your wiki to verify that the extension is successfully installed.

Configuration parameters

$wgEnableClientSSL 
Whether to enable this extension or not. Setting this to false disables SSL authentication entirely.
$wgClientSSLEnforceName 
If true, the CN (common name) on the certificate must match the username of the account it is registered to.
$wgClientSSLEnforceEmail 
If true, the email address on the certificate must match the email address of the account. Note that this does not stop the user from changing their email address on the site afterwards.
$wgClientSSLStrictAuth 
The default is true. The database does not enforce uniqueness of certificates, so the same certificate can in principle be registered to more than one account. Setting this to true automatically logs out any user who attempts to authenticate with a certificate registered to another user. Note that setting this to false still does not allow two users to authenticate with the same certificate.
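The following LocalSettings.php fragment, added here as an example rather than taken from the extension's own code, sets the four parameters and then shows an illustrative check that mirrors the documented name and email enforcement. It assumes the web server is Apache with mod_ssl exporting the standard SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN_CN and SSL_CLIENT_S_DN_Email variables; the function name clientCertMatchesAccount and the $sampleServer array are constructed for this page, and the require_once line from the Installation section is assumed to precede it.

```php
<?php
// Added example (not the extension's own code): extension settings followed
// by a check that reproduces the documented enforcement semantics.

$wgEnableClientSSL       = true;   // master switch for the extension
$wgClientSSLEnforceName  = true;   // certificate CN must equal the username
$wgClientSSLEnforceEmail = true;   // certificate email must equal the account email
$wgClientSSLStrictAuth   = true;   // log out a user presenting another user's certificate

/**
 * Decide whether a client certificate, as exposed by mod_ssl with
 * "SSLOptions +StdEnvVars", may be tied to the given account.
 * Returns null when the certificate is acceptable, otherwise a reason string.
 * (Constructed helper for this page; the extension's internals may differ.)
 */
function clientCertMatchesAccount( array $server, string $username, string $email,
	bool $enforceName, bool $enforceEmail ): ?string {
	// mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when the presented chain
	// validated against the CA bundle configured on the server; the
	// application must never trust the DN fields without this check.
	if ( ( $server['SSL_CLIENT_VERIFY'] ?? '' ) !== 'SUCCESS' ) {
		return 'client certificate absent or not verified by the server';
	}
	if ( $enforceName && ( $server['SSL_CLIENT_S_DN_CN'] ?? '' ) !== $username ) {
		return 'certificate CN does not match the username';
	}
	// Email addresses are compared case-insensitively here; adjust if your
	// site treats the local part as case-sensitive.
	if ( $enforceEmail && strcasecmp( $server['SSL_CLIENT_S_DN_Email'] ?? '', $email ) !== 0 ) {
		return 'certificate email does not match the account email';
	}
	return null;
}

// Constructed $_SERVER excerpt: what Apache exports for a verified certificate.
$sampleServer = [
	'HTTPS'                 => 'on',
	'SSL_CLIENT_VERIFY'     => 'SUCCESS',
	'SSL_CLIENT_S_DN_CN'    => 'Alice',
	'SSL_CLIENT_S_DN_Email' => 'alice@example.org',
];

// Accepted: both fields match the account.
var_dump( clientCertMatchesAccount( $sampleServer, 'Alice', 'alice@example.org',
	$wgClientSSLEnforceName, $wgClientSSLEnforceEmail ) );

// Rejected: another account tries to use Alice's certificate.
var_dump( clientCertMatchesAccount( $sampleServer, 'Bob', 'bob@example.org',
	$wgClientSSLEnforceName, $wgClientSSLEnforceEmail ) );

// Rejected: same DN fields, but the server did not verify the chain.
$unverified = [ 'SSL_CLIENT_VERIFY' => 'NONE' ] + $sampleServer;
var_dump( clientCertMatchesAccount( $unverified, 'Alice', 'alice@example.org',
	$wgClientSSLEnforceName, $wgClientSSLEnforceEmail ) );
```

The important line is the SSL_CLIENT_VERIFY test: the DN variables are attacker-controlled data unless the server has already verified the certificate chain, which is why the Server configuration section below insists that the web server itself verify client certificates.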

Server configuration

This extension depends heavily on the web server being configured properly. Your site must have HTTPS enabled, and your web server must both allow and verify client SSL certificates. The exact configuration is site-dependent. If desired, only client certificates from certain CAs can be allowed; it is recommended that only reliable CAs be trusted.

Performance Notice: For Apache and mod_ssl, this extension requires that +StdEnvVars be put into the configuration file. This is known to add overhead to every request. If necessary, it can be avoided by turning on client SSL authentication only for Special:Userlogin (or some other designated page). This is less secure, since once the user moves to another page the site relies on cookie authentication alone, but it should improve performance.
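The Apache httpd configuration below is an added example, not part of the extension's documentation. It verifies client certificates against a single trusted CA bundle and exports the SSL_CLIENT_* variables only on the login page, which is the compromise the notice above describes. Hostnames, file paths and the login URL are placeholders; the Location path assumes $wgArticlePath is "$wgScript/$1", since Location cannot match a query string such as ?title=Special:UserLogin.

```apache
# Added example: mod_ssl client-certificate verification scoped to the login page.
<VirtualHost *:443>
    ServerName   wiki.example.org
    DocumentRoot /var/www/mediawiki

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wiki.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.org.key

    # Only certificates chaining to this bundle are accepted. Keep it to the
    # CAs you actually trust for client identity, not the system-wide bundle
    # used for outbound connections.
    SSLCACertificateFile /etc/ssl/certs/trusted-client-cas.pem
    SSLVerifyDepth       2

    # Site-wide default: do not request a client certificate and do not
    # export SSL_* variables, so ordinary page views pay no extra cost.
    SSLVerifyClient none

    # On the login page, request and verify the certificate and export the
    # SSL_CLIENT_* variables the extension reads. "optional" lets a browser
    # without a certificate still reach the password form; "require" would
    # refuse the page outright. Apache renegotiates the TLS session when it
    # enters this Location, which is where the per-request cost goes.
    <Location "/index.php/Special:UserLogin">
        SSLVerifyClient optional
        SSLOptions +StdEnvVars
    </Location>
</VirtualHost>
```

To verify the setup, request the login page with a certificate issued by a CA in the bundle and one issued by any other CA: only the first should produce SSL_CLIENT_VERIFY=SUCCESS in the PHP environment, and a request to any other page should expose no SSL_CLIENT_* variables at all.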

See also