Posts Tagged ‘x509 based logins’

 

Query to see if Certificate Exists via x509 based logins

<?php
include(__DIR__."/auth_mysql.php");
 
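/**
 * X.509 client-certificate based authentication.
 *
 * Logs a user in from the e-mail address in the subject DN of the TLS client
 * certificate, as exported into $_SERVER by mod_ssl (SSLOptions +StdEnvVars).
 * No password is involved: login() always fails and pre_login() is the only
 * way to obtain a user from this library.
 *
 * Security notes:
 *  - The certificate chain is validated by the web server, not by this class.
 *    pre_login() therefore refuses to act unless mod_ssl reports
 *    SSL_CLIENT_VERIFY === 'SUCCESS', so a vhost that is misconfigured to
 *    accept unverified certificates fails closed.
 *  - Any certificate issued by a CA the vhost trusts for client
 *    authentication, and whose subject e-mail equals a stored username, is
 *    accepted as that user. The set of trusted client CAs is the real
 *    access-control boundary.
 *  - The SSL_CLIENT_* values are only trustworthy when they are set by the
 *    TLS-terminating server itself. NOTE(review): if a reverse proxy or CGI
 *    gateway sits in front, confirm clients cannot inject these variables.
 *
 * @package CMS
 * @author Sid Karunaratne
 **/
class auth_x509 extends auth_mysql
{
	/**
	 * Try to authenticate the current request from its client certificate.
	 *
	 * Scans $_SERVER for SSL_CLIENT_S_DN_Email (and the numbered variants
	 * SSL_CLIENT_S_DN_Email_0, _1, ... that mod_ssl exports when the subject
	 * carries several e-mail attributes) and returns the first matching user.
	 *
	 * @return mixed the value returned by _finalise_user_login() for the
	 *               first e-mail that matches a user, or false when the
	 *               certificate is not verified or no e-mail matches
	 */
	public function pre_login()
	{
		// Fail closed: only trust the subject DN when mod_ssl says the
		// client certificate verified successfully.
		if (!isset($_SERVER['SSL_CLIENT_VERIFY']) || $_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS')
			return false;

		foreach ($_SERVER as $key => $value)
		{
			// Exact variable name or its numeric-suffix form only; a bare
			// prefix match would also accept unrelated variables that merely
			// start with the same characters.
			if (!$value || !preg_match('/^SSL_CLIENT_S_DN_Email(_\d+)?$/', (string) $key))
				continue;
			$user = $this->_check_email_is_valid($value);
			if ($user)
				return $user;
		}
		return false;
	}

	/**
	 * Look up the user whose username equals the given e-mail address.
	 *
	 * The value is passed to the query builder as a bound where() argument,
	 * not concatenated into the SQL text. The user row is joined to its
	 * groups, so the result carries comma separated group ids and names.
	 * NOTE(review): if join() produces an inner join, a user that belongs to
	 * no group will not be found - confirm that is intended.
	 *
	 * @param string $email e-mail address taken from the certificate subject
	 * @return mixed the value returned by _finalise_user_login() for the
	 *               first matching row, or false when no row matches
	 */
	protected function _check_email_is_valid($email)
	{
		$user = $this->db->select("
					u.id,
					u.name,
					GROUP_CONCAT(g.id SEPARATOR ',') as team_ids,
					u.username as email,
					GROUP_CONCAT(g.name SEPARATOR ', ') as teams,
					permission_last_set
				")
			->from("_auth_user u")
			->join("_auth_user_group_xrefs aux", "aux.user_id = u.id")
			->join("_auth_group g", "g.id = aux.group_id")
			->where("u.username", $email)
			->group_by("u.id")
			->get()->result();
		if (!$user)
			return false;

		// The user is valid: the query groups by u.id, so take the first row
		// and hand it to the shared post-login step.
		$user = array_shift($user);
		$user = $this->_finalise_user_login($user);
		return $user;
	}

	/**
	 * Credential based login is disabled for this library.
	 *
	 * @param mixed $credentials ignored
	 * @return bool always false, so a username/password submission can never
	 *              bypass the client-certificate requirement
	 */
	public function login($credentials)
	{
		return false;
	}
}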
// END class auth_x509

 

 

httpd-ssl.conf

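Listen 443

# Workaround for legacy Internet Explorer SSL behaviour: no keep-alive and
# HTTP/1.0 responses for any User-Agent containing "MSIE".
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

<VirtualHost *:443>
DocumentRoot "/srv/http/"
ServerName website.domain.com:443
ServerAdmin email@address.com
ErrorLog /var/log/httpd/ssl.error.log
TransferLog /var/log/httpd/ssl.access.log
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

SSLEngine on
# SSLv3 is broken (POODLE) and TLS 1.0/1.1 are deprecated, so only TLS 1.2
# and newer are offered. Needs a mod_ssl/OpenSSL build that knows these
# protocol names.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# HIGH only: the MEDIUM class admits weak ciphers. !aNULL refuses suites
# without server authentication, !MD5 refuses MD5-based MACs.
SSLCipherSuite HIGH:!aNULL:!MD5
SSLProxyEngine off
# The certificate CACert signed
SSLCertificateFile /etc/httpd/conf/ssl/dev.zealothost.net.crt
# The private key - keep this file readable by root only
SSLCertificateKeyFile /etc/httpd/conf/ssl/dev.zealothost.net.key
# CACert's certificate - Seems to not be required
SSLCertificateChainFile /etc/httpd/conf/ssl/ca.crt
# CACert's certificate - The CA I require certificates to be signed with.
# This is the access-control boundary for certificate logins: the application
# maps the subject e-mail of any certificate this CA issued to a user account,
# so list only a CA whose issuance you trust for that purpose.
SSLCACertificateFile /etc/httpd/conf/ssl/ca-dskort.crt
# StdEnvVars exports the SSL_CLIENT_* variables (including SSL_CLIENT_VERIFY
# and SSL_CLIENT_S_DN_Email) to scripts. ExportCertData additionally exposes
# the PEM-encoded certificates; drop it if no script reads them.
SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars +ExportCertData

# Reject the TLS handshake unless the client presents a certificate that
# verifies. Depth 1: the certificate must be issued directly by a CA in
# SSLCACertificateFile (no intermediate CAs).
SSLVerifyClient require
SSLVerifyDepth 1
</VirtualHost>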

 
