Securing Apache to use Certificate Authentication auth_x509

Query to check whether a user exists for the certificate's e-mail address, for x509-based logins

<?php
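// Load the parent driver exactly once: the _once form avoids a
// "Cannot redeclare class" fatal if this file is pulled in twice, and
// require (not include) stops with a clear error when the file is missing
// instead of a warning followed by an "unknown parent class" fatal below.
require_once __DIR__ . '/auth_mysql.php';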

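/**
 * X.509 client-certificate based authentication.
 *
 * Apache mod_ssl verifies the client certificate during the TLS handshake
 * (SSLVerifyClient) and, with +StdEnvVars, exports the subject fields into
 * $_SERVER. This driver maps the certificate's subject e-mail address onto a
 * user row; password based login() is disabled.
 *
 * @package CMS
 * @author Sid Karunaratne
 **/
class auth_x509 extends auth_mysql
{
    /**
     * Authenticate from the client certificate exported by mod_ssl.
     *
     * Scans $_SERVER for SSL_CLIENT_S_DN_Email* entries (a prefix match,
     * presumably because mod_ssl suffixes _N when the DN holds several
     * e-mail RDNs) and returns the first one that maps to a known user.
     *
     * @return mixed Finalised user as returned by _finalise_user_login(),
     *               or false when no verified certificate e-mail matches.
     */
    public function pre_login()
    {
        // Defence in depth: only trust the DN fields when mod_ssl reports the
        // certificate chain as verified. With "SSLVerifyClient require" Apache
        // already rejects unverified certificates; with optional_no_ca it does
        // not. NOTE(review): if TLS is terminated by a proxy that does not
        // forward SSL_CLIENT_VERIFY, this variable must be provided by it.
        if (!isset($_SERVER['SSL_CLIENT_VERIFY']) || $_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS')
            return false;

        $prefix = 'SSL_CLIENT_S_DN_Email';
        $prefixLength = strlen($prefix);
        foreach ($_SERVER as $key => $value)
        {
            if (!$value || strncmp($key, $prefix, $prefixLength) !== 0)
                continue;
            $user = $this->_check_email_is_valid($value);
            if ($user)
                return $user;
        }
        return false;
    }

    /**
     * Look up the user whose username equals the certificate e-mail address.
     *
     * The e-mail is passed to where() as a separate argument rather than
     * interpolated into the SQL string (assumes the query builder binds or
     * escapes it - confirm against the db layer).
     *
     * @param string $email Subject e-mail taken from the client certificate.
     * @return mixed Result of _finalise_user_login() for the matching row,
     *               or false when no user has that username.
     */
    protected function _check_email_is_valid($email)
    {
        $rows = $this->db->select("
            u.id,
            u.name,
            GROUP_CONCAT(g.id SEPARATOR ',') as team_ids,
            u.username as email,
            GROUP_CONCAT(g.name SEPARATOR ', ') as teams,
            permission_last_set
        ")
            ->from("_auth_user u")
            ->join("_auth_user_group_xrefs aux", "aux.user_id = u.id")
            ->join("_auth_group g", "g.id = aux.group_id")
            ->where("u.username", $email)
            ->group_by("u.id")
            ->get()->result();
        if (!$rows)
            return false;

        // GROUP BY u.id yields one row per user; the first (only) row is the user.
        return $this->_finalise_user_login(array_shift($rows));
    }

    /**
     * Password based login is disabled for this driver: authentication is
     * decided solely by pre_login() from the client certificate.
     *
     * @param mixed $credentials Ignored.
     * @return false
     */
    public function login($credentials)
    {
        return false;
    }
}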
// END class auth_x509

httpd-ssl.conf

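Listen 443

# Legacy workaround for old MSIE clients (also repeated inside the vhost below).
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

<VirtualHost *:443>
    DocumentRoot "/srv/http/"
    ServerName website.domain.com:443
    ServerAdmin [email protected]
    ErrorLog /var/log/httpd/ssl.error.log
    TransferLog /var/log/httpd/ssl.access.log
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    SSLEngine on
    # SSLv3 is broken (POODLE) and must not be offered; "all -SSLv3" lets
    # mod_ssl negotiate every TLS version the installed OpenSSL supports.
    SSLProtocol all -SSLv3
    # HIGH:MEDIUM alone still permits anonymous (unauthenticated) key exchange
    # and MD5-based suites; exclude both.
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLProxyEngine off
    # The server certificate, signed by CACert
    SSLCertificateFile /etc/httpd/conf/ssl/dev.zealothost.net.crt
    # The private key (keep readable by root only)
    SSLCertificateKeyFile /etc/httpd/conf/ssl/dev.zealothost.net.key
    # CACert's certificate - appears not to be required for this setup
    SSLCertificateChainFile /etc/httpd/conf/ssl/ca.crt
    # The CA that client certificates must be issued by
    SSLCACertificateFile /etc/httpd/conf/ssl/ca-dskort.crt
    # +StdEnvVars/+ExportCertData export the SSL_CLIENT_* variables that the
    # auth_x509 PHP driver reads from $_SERVER.
    SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars +ExportCertData

    # Reject the handshake unless the client presents a certificate that
    # verifies against SSLCACertificateFile.
    SSLVerifyClient require
    # Depth 1: the client certificate must be issued directly by a known CA
    # (no intermediate CAs).
    SSLVerifyDepth 1
</VirtualHost>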