Query to see if Certificate Exists via x509 based logins
<?php
include(__DIR__."/auth_mysql.php");
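/**
 * X.509 client-certificate authentication.
 *
 * Extends the MySQL username/password library: instead of checking a
 * password, it takes the e-mail address that the web server exports from the
 * client certificate's subject DN and logs in the user whose username equals
 * that address.
 *
 * Trust model: this class never inspects the certificate itself. It relies on
 * the web server having verified the certificate against the expected CA
 * before PHP runs, so it must only be reachable through a virtual host that
 * enforces client-certificate verification.
 *
 * @package CMS
 * @author Sid Karunaratne
 **/
class auth_x509 extends auth_mysql
{
    /**
     * Attempt a login from the TLS client certificate of the current request.
     *
     * @return mixed The logged-in user as returned by _finalise_user_login(),
     *               or false when no certificate e-mail maps to a known user.
     */
    public function pre_login()
    {
        // Defence in depth: only trust the exported subject DN when mod_ssl
        // reports that the client certificate verified. Without this check, a
        // vhost that requests certificates without requiring a valid chain
        // would let an unverified certificate choose the login identity.
        if (!isset($_SERVER['SSL_CLIENT_VERIFY']) || $_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS')
            return false;

        // Prefix match rather than equality: it also accepts suffixed
        // variables such as SSL_CLIENT_S_DN_Email_0 (presumably intentional,
        // for certificates that carry several e-mail attributes).
        // Request headers reach $_SERVER under HTTP_* names, so a client
        // cannot supply a key with this prefix through a header.
        $prefix = 'SSL_CLIENT_S_DN_Email';
        $prefix_length = strlen($prefix);

        foreach ($_SERVER as $key => $value)
        {
            if (!$value || strncmp($key, $prefix, $prefix_length) !== 0)
                continue;

            // The first certificate e-mail that maps to a user wins.
            $user = $this->_check_email_is_valid($value);
            if ($user)
                return $user;
        }

        return false;
    }

    /**
     * Look up the user whose username equals the given e-mail address.
     *
     * Despite the name, no e-mail syntax validation happens here: "valid"
     * means "a matching row exists". Because both group tables are joined,
     * a user without any group membership is presumably not returned
     * (assumes join() produces an inner join; confirm against the db class).
     *
     * @param string $email E-mail address taken from the client certificate.
     * @return mixed The finalised user, or false when no user matches.
     */
    protected function _check_email_is_valid($email)
    {
        // The quote characters in this SELECT were typographic in the
        // published listing; they are restored to plain single quotes. The
        // second separator was garbled and is reconstructed as ', '.
        // $email is passed to where() as a separate value instead of being
        // concatenated into the SQL (assumes the query builder escapes or
        // binds it; confirm against the db class).
        $user = $this->db->select("
            u.id,
            u.name,
            GROUP_CONCAT(g.id SEPARATOR ',') as team_ids,
            u.username as email,
            GROUP_CONCAT(g.name SEPARATOR ', ') as teams,
            permission_last_set
            ")
            ->from("_auth_user u")
            ->join("_auth_user_group_xrefs aux", "aux.user_id = u.id")
            ->join("_auth_group g", "g.id = aux.group_id")
            ->where("u.username", $email)
            ->group_by("u.id")
            ->get()->result();

        if (!$user)
            return false;

        // The user is valid: take the first (only) row and complete the login.
        $user = array_shift($user);
        $user = $this->_finalise_user_login($user);

        return $user;
    }

    /**
     * Credential-based login is disabled for this backend.
     *
     * Always fails, so the certificate path in pre_login() is the only way in.
     *
     * @param mixed $credentials Ignored.
     * @return bool Always false.
     */
    public function login($credentials)
    {
        return false;
    }
}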
// END class auth_x509
httpd-ssl.conf
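Listen 443

# Legacy Internet Explorer workaround, applied server-wide.
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

<VirtualHost *:443>
    DocumentRoot "/srv/http/"
    ServerName website.domain.com:443
    ServerAdmin [email protected]
    ErrorLog /var/log/httpd/ssl.error.log
    TransferLog /var/log/httpd/ssl.access.log

    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    SSLEngine on

    # The published line enabled only TLSv1 and SSLv3. SSLv3 is broken
    # (POODLE) and TLS 1.0/1.1 are deprecated (RFC 8996), so every protocol
    # the server build supports is allowed except those three.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # The published value was HIGH:MEDIUM. MEDIUM admits weak ciphers and
    # nothing excluded anonymous (unauthenticated) suites.
    SSLCipherSuite HIGH:!aNULL:!MD5

    SSLProxyEngine off

    # The certificate CACert signed
    SSLCertificateFile /etc/httpd/conf/ssl/dev.zealothost.net.crt
    # The private key. Keep this file readable by root only.
    SSLCertificateKeyFile /etc/httpd/conf/ssl/dev.zealothost.net.key
    # CACert's certificate - Seems to not be required
    SSLCertificateChainFile /etc/httpd/conf/ssl/ca.crt
    # CACert's certificate - The CA I require certificates to be signed with.
    # Every certificate this CA has issued can reach the login lookup, so
    # this CA decides who may claim which e-mail address.
    SSLCACertificateFile /etc/httpd/conf/ssl/ca-dskort.crt

    # +StdEnvVars exports the SSL_CLIENT_* variables that the PHP login reads.
    # +ExportCertData also exports the full PEM certificates (SSL_CLIENT_CERT,
    # SSL_SERVER_CERT). The login code on this page reads only
    # SSL_CLIENT_S_DN_Email*, so that option looks unnecessary. Confirm
    # before removing it.
    SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars +ExportCertData

    # The PHP side trusts SSL_CLIENT_S_DN_Email only because verification is
    # mandatory here. Do not relax this to "optional" or "optional_no_ca".
    SSLVerifyClient require
    # Depth 1: the client certificate must be issued directly by a CA in
    # SSLCACertificateFile. No intermediate CAs are accepted.
    SSLVerifyDepth 1
</VirtualHost>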