[Semanticscuttle-devel] Work on #3163623 started: SSL Client Certificates
From: Christian W. <cw...@cw...> - 2011-05-04 17:48:39
Hi,

I started working on SSL client certificate support today, and you already get automatically logged in when your client cert is registered in the sc_users_sslclientcerts table. Currently you need to do that manually because the interface to assign them is yet to be written :)

I'm using the following SSL virtual host settings in the Apache configuration:

    SSLEngine On
    SSLCertificateFile /etc/ssl/private/bm.bogo.cweiske.de-cacert.pem
    SSLCertificateKeyFile /etc/ssl/private/bm.bogo.cweiske.de.key
    SSLCACertificateFile /etc/ssl/private/cacert-1and3.crt

    #enable client certificate login
    SSLOptions +StdEnvVars
    SSLVerifyClient optional
    SSLVerifyDepth 1

I used the CAcert CSR generator[1] to generate the key and the csr file, used the .csr to apply for the certificate @cacert and saved the certificate I got from them as the .pem. Then I put both their public class1 (root) and class3 certificates into the cacert-1and3.crt file and restarted Apache.

The option "SSLVerifyClient optional" tells Apache to ask for a client certificate but not to require it, so that users can log in normally if they wish. If a registered client certificate is provided by the browser, the user gets automatically logged in.

Branch is ssl-client-certs; I hope to get it into 0.98.0.

[1] http://wiki.cacert.org/CSRGenerator

--
Regards/Mit freundlichen Grüßen
Christian Weiske

-=≡ Geeking around in the name of science since 1982 ≡=-
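
The application-side check that this Apache setup implies, as an added example that is not SemanticScuttle's code or part of the original message: "SSLVerifyClient optional" lets requests through without a certificate, and the CA file accepts any certificate that chains to the CAcert roots, so the application has to require SSL_CLIENT_VERIFY to be SUCCESS and then match one specific registered certificate. The function name and the serial/issuer row layout standing in for sc_users_sslclientcerts are assumptions.

```php
<?php
// Added example, not SemanticScuttle code. The row layout below is a
// hypothetical stand-in for the sc_users_sslclientcerts table.

/**
 * Return the user id bound to the presented client certificate, or null.
 * $server is $_SERVER as populated by mod_ssl with "SSLOptions +StdEnvVars".
 */
function userIdForClientCert(array $server, array $registeredCerts): ?int
{
    // With "SSLVerifyClient optional" a request may carry no certificate
    // (SSL_CLIENT_VERIFY is then "NONE"); only "SUCCESS" means Apache
    // validated the chain against SSLCACertificateFile.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    $serial = strtoupper($server['SSL_CLIENT_M_SERIAL'] ?? '');
    $issuer = $server['SSL_CLIENT_I_DN'] ?? '';
    if ($serial === '' || $issuer === '') {
        return null;
    }
    // Every certificate issued by the trusted CA verifies, so identify the
    // user by serial number plus issuer DN, never by "verified" alone.
    foreach ($registeredCerts as $row) {
        if (strtoupper($row['serial']) === $serial && $row['issuer_dn'] === $issuer) {
            return (int) $row['user_id'];
        }
    }
    return null;
}

// Constructed sample data: one registered certificate and three requests.
$issuerDn   = 'CN=Example Class 3 CA (constructed)';
$registered = [['user_id' => 7, 'serial' => '0A1B2C', 'issuer_dn' => $issuerDn]];
$known   = ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_M_SERIAL' => '0A1B2C',
            'SSL_CLIENT_I_DN' => $issuerDn];
$unknown = ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_M_SERIAL' => 'FFFF01',
            'SSL_CLIENT_I_DN' => $issuerDn];
$noCert  = ['SSL_CLIENT_VERIFY' => 'NONE'];

var_dump(userIdForClientCert($known, $registered));   // registered certificate
var_dump(userIdForClientCert($unknown, $registered)); // valid chain, not registered
var_dump(userIdForClientCert($noCert, $registered));  // no certificate: normal login
```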