Extension:SSLClientAuthentication

MediaWiki extensions manual
SSLClientAuthentication
Release status: unmaintained
Implementation: User identity, Special page
Description: Allow users to register their client SSL certificate with their account and use it for authentication over HTTPS
Author(s): Tyler Romeo (Parent5446)
Latest version: 0.5 (2012-10-05)
MediaWiki: 1.20.x - 1.26.x
PHP: 5.3+
Database changes: Yes
License: GNU General Public License 3.0 or later
Download
Parameters:
  • $wgEnableClientSSL
  • $wgClientSSLEnforceName
  • $wgClientSSLEnforceEmail
  • $wgClientSSLStrictAuth
Quarterly downloads 9 (Ranked 169th)

The SSLClientAuthentication extension allows users to register a client SSL certificate with their account so that it can be used for authentication. Users can register whatever certificate they want, unless restricted by the site administrator.

Installation

  • Download and place the file(s) in a directory called SSLClientAuthentication in your extensions/ folder.
  • Add the following code at the bottom of your LocalSettings.php :
    require_once "$IP/extensions/SSLClientAuthentication/SSLClientAuthentication.php";
    
  • Run the update script, which will automatically create the necessary database tables that this extension needs.
  • Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Configuration parameters

$wgEnableClientSSL
Whether to enable this extension or not. Setting this to false disables SSL authentication entirely.
$wgClientSSLEnforceName
If true, the CN on the certificate must match the username of the user.
$wgClientSSLEnforceEmail
If true, the email on the certificate must match the email of the user. Note that this does not stop the user from changing their email address on the site.
$wgClientSSLStrictAuth
The default is true. Uniqueness of certificates is not enforced in the database. Setting this to true will automatically log out any user who attempts to use another user's certificate. Note that setting this to false does not allow two users to authenticate with the same certificate.

Server configuration

This extension depends heavily on the web server being configured properly. Your site must have HTTPS enabled and your web server must allow and verify client SSL certificates. Note that the exact configuration is site-dependent. If desired, client certificates can be restricted to those issued by certain CAs. It is recommended that only reliable CAs be trusted.

Performance Notice: For Apache and mod_ssl, this extension requires that SSLOptions +StdEnvVars be put into the configuration file. This has been known to have a performance effect on all requests. This can be avoided if necessary by only turning on client SSL authentication for Special:Userlogin (or some other designated page). This will not be as secure, because once the user goes to another page the site relies on cookie authentication, but it should increase performance.
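
The following Apache/mod_ssl virtual host is an added example, not configuration shipped with the extension. It shows the site-wide setup described above, with the login-page-only variant as a commented alternative. The hostname, file paths, the CA bundle and the /wiki/ article path are assumptions to adapt to your site.

```apache
# Added example; hostname, paths and the /wiki/ article path are assumptions.
<VirtualHost *:443>
    ServerName wiki.example.org
    DocumentRoot /var/www/mediawiki

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wiki.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.org.key

    # Only client certificates chaining to a CA in this bundle are accepted.
    # Keep the bundle limited to CAs you actually trust to identify users.
    SSLCACertificateFile  /etc/ssl/client-ca/trusted-client-cas.pem
    SSLVerifyDepth 2

    # Site-wide: request a client certificate on every connection.
    # "optional" still lets users without a certificate reach the wiki and log
    # in with a password; a certificate that is presented must validate.
    # Avoid "optional_no_ca": it lets certificates that fail verification through.
    SSLVerifyClient optional

    # Export the SSL_* variables to PHP. This is the setting with the
    # per-request cost mentioned in the performance notice.
    SSLOptions +StdEnvVars

    # Login-page-only alternative: remove the two directives above and use the
    # block below instead. Other pages then rely on the session cookie alone.
    # Per-location verification needs TLS renegotiation (TLS 1.2) or
    # post-handshake authentication (TLS 1.3), which not every browser supports.
    #
    # SSLVerifyClient none
    # <Location "/wiki/Special:UserLogin">
    #     SSLVerifyClient optional
    #     SSLOptions +StdEnvVars
    # </Location>
</VirtualHost>
```

After reloading Apache, check that a request made with a certificate from an untrusted CA is rejected during the TLS handshake rather than reaching MediaWiki.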