View Issue Details

ID: 0003303
Project: mantisbt
Category: security
View Status: public
Last Update: 2013-03-15 09:12
Reporter: mmdolze
Assigned To: (none)
Priority: normal
Severity: feature
Reproducibility: N/A
Status: acknowledged
Resolution: open
Summary: 0003303: Use X.509 certificate for authentication
Description

It would be nice to have the possibility to select X.509 certificates for authentication. Certificate handling and checking is already done by the webserver. The certificates e.g. have to contain a "uid" subject name attribute. If this matches a record in the mantis user database, the user should be logged in automatically.

Tags: No tags attached.

Attached Files: mantis-1.1.1_to_pki.zip (38,144 bytes)

Relationships

related to 0004235 (closed, vboctor): Support Generic Authentication through Plug-ins

Activities

ritesh
2003-08-21 08:00
reporter   ~0004551

yt

strushb
2007-07-09 05:39
reporter   ~0014909

See http://www.cacert.org/help.php?id=9 for a PHP example of using certificates

ssimpson
2008-01-22 14:55
reporter   ~0016761

I have created a hack to do this. Since I am going to be upgrading the version, I can make it a real authentication module, but I would like to get it added to the code base, so that I don't have to merge my changes again.

ssimpson
2008-01-24 08:39
reporter   ~0016792

I just added a file that has a patch to include PKI_Auth. Here are my notes that go with it. I would be happy to put these on the wiki, once the patch is added to the code base.

PKI User Authentication

For PKI Authentication to work there are several prerequisites:

  1. Apache must be configured to require SSL client certs for the entire application. See http://www.cacert.org/help.php?id=9 for a tutorial on how to do this.
  2. User accounts must be manually entered. A link is provided for users with acceptable PKI / x509 Certs to send an email with the required information to the administrator.
  3. The common name field is used for authentication. This should be the user's username. Common names should be unique within the accepted list of PKI domains.
  4. A password must be set in the database that is an md5 hash (or can be cleartext) of the $g_pki_password that is set in the config_inc.php file. This is not used other than to work within the existing Mantis authentication schema.

puchrojo
2013-02-11 04:39
reporter   ~0035100

Broken link from strushb: the new one is: http://wiki.cacert.org/HELP/9

Is it possible to enable identification with password or with certificate? I would be thankful for any info.

ssimpson
2013-02-12 09:31
reporter   ~0035106

With Apache, client certificates can be optional but there are (were?) some bugs with a mixed configuration.

It has been several years since I fought the issue, so I'm not sure if Apache has resolved it or not, but there used to be a problem with large files (packets) being transferred when part of the web server is configured to take certs & part isn't.

But assuming that the Apache issue is resolved or can be worked around, I'm sure that it could be done. It is certainly not as simple as what I have done, but it could be done.

I have code changes for the latest MantisBT to support PKI, but they would have to be packaged up to add here.

azaghal
2013-03-15 09:12
reporter   ~0035876

I'm very interested in having this feature added to MantisBT. I'm working on a community project where we'd find this useful.

Would it be possible to see the latest patches you have for current MantisBT version attached to this issue?

I've had a quick look at the 1.1.1 version, and there are certainly some things I might like to adjust a bit (for a start, adding options for mapping a specific attribute of the subject DN to the username, or allowing the full DN to be used). Mapping some subjectAltName to the username could be interesting as well (like e-mail address).

The fixed password thing also looks to be a little bit of a hack - any sane way to avoid that one?

As for using client authentication only on part of a website, I think the underlying problem was some security-related issue that's consequence of the TLS protocol itself (iirc)?
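The certificate-to-account mapping described in ssimpson's notes (~0016792: Apache verifies the client certificate, the CN is matched against an existing account) and the mapping options azaghal asks for (~0035876: a chosen subject DN attribute, the full DN, or a subjectAltName e-mail), shown as an added example. This is not MantisBT code and not the attached patch; it assumes the identity data arrives the way Apache mod_ssl exports it with `SSLOptions +StdEnvVars` (`SSL_CLIENT_VERIFY`, `SSL_CLIENT_S_DN`, `SSL_CLIENT_SAN_Email_0`; in PHP these are read from `$_SERVER`), and the user table, names and DNs are constructed for the example:

```python
"""Map an Apache-verified TLS client certificate to a local account.

Added example, not MantisBT code or the attached patch. The `env` dict stands
in for the SSL_CLIENT_* variables mod_ssl exports with `SSLOptions +StdEnvVars`
(in PHP they arrive in $_SERVER); user names and DNs below are constructed.
"""
import re
from typing import Dict, Optional

# Constructed local account table. Accounts must pre-exist: a valid certificate
# for an unknown name must not create a user, it must simply fail to log in.
USERS = {
    "alice",                     # matched by CN or UID attribute
    "carol@example.org",         # matched by e-mail (subjectAltName)
    "CN=dave,O=Example,C=DE",    # matched by the full subject DN
}


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a subject DN into {ATTRIBUTE_TYPE: value}.

    Accepts both forms Apache has emitted for SSL_CLIENT_S_DN: the legacy
    slash form "/C=DE/O=Example/CN=alice" and the RFC 2253 form
    "CN=alice,O=Example,C=DE". Escaped separators ("\\," or "\\/") stay inside
    the value. If an attribute type repeats, the last occurrence wins.
    """
    if dn.startswith("/"):
        parts = re.split(r"(?<!\\)/", dn[1:])
        escaped, literal = "\\/", "/"
    else:
        parts = re.split(r"(?<!\\),", dn)
        escaped, literal = "\\,", ","
    attrs: Dict[str, str] = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            continue  # not an attribute=value pair; ignore
        attrs[key.strip().upper()] = value.strip().replace(escaped, literal)
    return attrs


def username_from_cert(env: Dict[str, str], mapping: str = "CN") -> Optional[str]:
    """Return the local username the presented certificate maps to, or None.

    `mapping` chooses what identifies the user:
      "CN", "UID", or any other attribute type  -> that subject DN attribute
      "DN"                                      -> the whole subject DN string
      "EMAIL"                                   -> first rfc822Name subjectAltName
                                                   (SSL_CLIENT_SAN_Email_0), falling
                                                   back to emailAddress in the DN
    """
    # Only trust identity data if mod_ssl itself verified the chain; any other
    # value (NONE, GENEROUS, FAILED:<reason>) means no authenticated client.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    dn = env.get("SSL_CLIENT_S_DN", "")
    if not dn:
        return None

    mapping = mapping.upper()
    if mapping == "DN":
        candidate = dn
    elif mapping == "EMAIL":
        candidate = env.get("SSL_CLIENT_SAN_Email_0") or parse_dn(dn).get("EMAILADDRESS")
    else:
        candidate = parse_dn(dn).get(mapping)

    # Exact match against the existing account table; nothing is created.
    if candidate and candidate in USERS:
        return candidate
    return None


if __name__ == "__main__":
    # Constructed request environments, as mod_ssl would populate them.
    good = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN": "CN=alice,O=Example,C=DE"}
    bad_chain = {"SSL_CLIENT_VERIFY": "FAILED:unable to get local issuer certificate",
                 "SSL_CLIENT_S_DN": "CN=alice,O=Example,C=DE"}
    print(username_from_cert(good))       # alice
    print(username_from_cert(bad_chain))  # None
```

The two checks that matter for a deployment like the one in the notes are the `SSL_CLIENT_VERIFY == "SUCCESS"` gate (a DN is also present for certificates that failed chain validation when verification is optional, so the DN alone proves nothing) and the exact lookup against pre-existing accounts, which is what keeps the "accounts must be manually entered" rule from the notes enforceable in code.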