Extension:SSLClientAuthentication
This extension is incompatible with MediaWiki 1.27 or any later release! You are advised against using this extension on a live site. Volunteer developers are invited to pledge their efforts to updating this extension to make it compatible with MediaWiki 1.39 by replacing the {{Incompatible}} template with {{Incompatible|version=1.27|pledge=~~~~}}. |
This extension is currently not actively maintained! Although it may still work, any bug reports or feature requests will more than likely be ignored. If you are interested in taking on the task of developing and maintaining this extension, you can request repository ownership. As a courtesy, you may want to contact the author. You should also remove this template and list yourself as maintaining the extension in the page's {{extension}} infobox. |
 Release status: unmaintained |
|
|---|---|
| Implementation | User identity, Special page |
| Description | Allow users to register their client SSL certificate with their account and use it for authentication over HTTPS |
| Author(s) | Tyler Romeo (Parent5446talk) |
| Latest version | 0.5 (2012-10-05) |
| MediaWiki | 1.20.x - 1.26.x |
| PHP | 5.3+ |
| Database changes | Yes |
| License | GNU General Public License 3.0 or later |
| Download | |
|
|
| Quarterly downloads | 9 (Ranked 169th) |
| Translate the SSLClientAuthentication extension if it is available at translatewiki.net | |
The SSLClientAuthentication extension allows users to register their client SSL certificates with their account so that it can be used for authentication. Users can use whatever certificate they want (unless restricted by the site administrator) and register it with their account if they want.
InstallationEdit
- Download and place the file(s) in a directory called
SSLClientAuthenticationin yourextensions/folder. - Add the following code at the bottom of your
LocalSettings.php:require_once "$IP/extensions/SSLClientAuthentication/SSLClientAuthentication.php";
- Run the update script which will automatically create the necessary database tables that this extension needs.
Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
Configuration parametersEdit
- $wgEnableClientSSL
- Whether to enable this extension or not. Setting this to false disables SSL authentication entirely.
- $wgClientSSLEnforceName
- If true, it will be required that the CN on the certificate match the username of the user.
- $wgClientSSLEnforceEmail
- If true, it will be required that the email on the certificate match the email of the user. Note that this does not stop the user from changing their email address on the site.
- $wgClientSSLStrictAuth
- The default is true. In the database, uniqueness on certificate is not required. Setting this to true will automatically log out any user who attempts to use another user's certificate. Note that setting this to false does not allow two users to authenticate with the same certificate.
Server configurationEdit
This extension depends heavily on the web server being configured properly. Your site must have HTTPS enabled and your web server must allow and verify client SSL certificates. Note that the exact configuration is site-dependent. If desired, only client certificates from certains CAs can be allowed. It is recommended that only reliable CAs be trusted.
Performance Notice: For Apache and mod_ssl, this extension requires that +StdEnvVars be put into the configuration file. This has been known to have a performance effect on all requests. This can be avoided if necessary by only turning on client SSL authentication for Special:Userlogin (or some other designated page). This will not be as secure, considering once the user goes to another page the site will be relying on cookie authentication, but it should increase performance.