View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
| --- | --- | --- | --- | --- | --- |
| 0003303 | mantisbt | security | public | 2003-08-20 19:32 | 2013-03-15 09:12 |

| Summary | 0003303: Use X.509 certificate for authentication |
It would be nice to have the possibility to select X.509
| Tags | No tags attached. |
See http://www.cacert.org/help.php?id=9 for a PHP example of using certificates
I have created a hack to do this. Since I am going to be upgrading the version, I can make it a real authentication module, but I would like to get it added to the code base, so that I don't have to merge my changes again.
mantis-1.1.1_to_pki.zip (38,144 bytes)
I just added a file that has a patch to include PKI_Auth. Here are my notes that go with it. I would be happy to put these on the wiki, once the patch is added to the code base.
PKI User Authentication
For PKI Authentication to work there are several prerequisites:
Broken link (from strushb): the new one is http://wiki.cacert.org/HELP/9
Is it possible to enable identification with password or with certificate? I would be thankful for any info.
With Apache, client certificates can be optional, but there are (were?) some bugs with a mixed configuration.
It has been several years since I fought the issue, so I'm not sure whether Apache has resolved it or not, but there used to be a problem with large files (packets) being transferred when part of the web server is configured to take certs and part isn't.
But assuming that the Apache issue is resolved or can be worked around, I'm sure that it could be done. It is certainly not as simple as what I have done, but it could be done.
I have code changes for the latest MantisBT to support PKI, but they would have to be packaged up to add here.
I'm very interested in having this feature added to MantisBT. I'm working on a community project where we'd find this useful.
Would it be possible to see the latest patches you have for current MantisBT version attached to this issue?
I've had a quick look at the 1.1.1 version, and there's certainly something I might like to adjust a bit (for a start, adding options for mapping a specific attribute of the subject DN to the username, or allowing the full DN to be used). Mapping some subjectAltName to the username could be interesting as well (like the e-mail address).
The fixed password thing also looks to be a little bit of a hack - any sane way to avoid that one?
As for using client authentication only on part of a website, I think the underlying problem was some security-related issue that's a consequence of the TLS protocol itself (iirc)?
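The note above asks for options to map a subject DN attribute, the full DN, or a subjectAltName e-mail address to the username, and the earlier note on optional client certificates raises the question of what happens when no certificate (or an untrusted one) is presented. The following Python sketch is an added example for this issue, not MantisBT code and not the attached patch; it shows the mapping logic against the environment variables Apache mod_ssl exports (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_S_DN_CN, SSL_CLIENT_SAN_Email_0, all documented mod_ssl names). The mapping modes, the AuthResult type, and the sample environments are assumptions constructed for the example.

```python
"""Map a TLS client certificate, as exported by Apache mod_ssl into the
request environment, to a local username.

Hypothetical example written for MantisBT issue 0003303; it is not the
project's code. Variable names follow mod_ssl's documented SSL_CLIENT_*
exports; the mapping modes and AuthResult are assumptions of this sketch.
"""
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class AuthResult:
    username: Optional[str]  # None when no trusted identity could be derived
    reason: str              # short human-readable explanation for the log


# Which exported variable each mapping mode reads from.
MODE_TO_FIELD = {
    "cn": "SSL_CLIENT_S_DN_CN",       # subject CN only
    "dn": "SSL_CLIENT_S_DN",          # whole subject DN string
    "email": "SSL_CLIENT_SAN_Email_0",  # first rfc822Name subjectAltName
}


def client_cert_username(env: Mapping[str, str], mode: str = "cn") -> AuthResult:
    """Return the username asserted by a verified client certificate.

    Only certificates that chained to a configured CA are accepted. mod_ssl
    sets SSL_CLIENT_VERIFY to "SUCCESS" in that case, "NONE" when no
    certificate was presented (SSLVerifyClient optional), "GENEROUS" under
    optional_no_ca, and "FAILED:<reason>" when verification failed. Anything
    other than "SUCCESS" must not yield a username, otherwise an attacker can
    present a self-signed certificate with an arbitrary CN.
    """
    if mode not in MODE_TO_FIELD:
        raise ValueError(f"unknown mapping mode: {mode!r}")

    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        return AuthResult(None, f"client certificate not verified ({verify})")

    field = MODE_TO_FIELD[mode]
    value = env.get(field, "").strip()
    if not value:
        # A verified certificate that lacks the selected field is not an
        # error in the cert, but it cannot identify a user in this mode.
        return AuthResult(None, f"verified certificate lacks {field}")

    if mode == "email":
        # rfc822Name is case-insensitive in its domain part; normalise so
        # one mailbox does not map to several accounts.
        value = value.lower()
    return AuthResult(value, f"mapped from {field}")


# Constructed sample environments (not captured from a real server).
VERIFIED = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=jdoe,OU=Dev,O=Example Corp,C=US",
    "SSL_CLIENT_S_DN_CN": "jdoe",
    "SSL_CLIENT_SAN_Email_0": "JDoe@Example.org",
}
NO_CERT = {"SSL_CLIENT_VERIFY": "NONE"}  # optional verification, nothing sent
UNTRUSTED = {                             # presented, but not from our CA
    "SSL_CLIENT_VERIFY": "FAILED:unable to get local issuer certificate",
    "SSL_CLIENT_S_DN_CN": "administrator",
}


if __name__ == "__main__":
    for label, env in (("verified", VERIFIED), ("no cert", NO_CERT), ("untrusted", UNTRUSTED)):
        for mode in MODE_TO_FIELD:
            print(f"{label:9s} {mode:5s} -> {client_cert_username(env, mode)}")
```

The check on SSL_CLIENT_VERIFY is the part that replaces the "fixed password" approach: once the web server has done the chain validation, the application only needs to decide which field identifies the user and must refuse every request where verification did not succeed, which is exactly the case SSLVerifyClient optional produces for browsers without a certificate.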
| 2003-08-20 19:32 | mmdolze | New Issue |
| 2003-08-21 08:00 | ritesh | Note Added: 0004551 |
| 2004-07-31 21:07 | vboctor | Relationship added | related to 0004235 |
| 2004-08-07 09:28 | grangeway | Status | new => acknowledged |
| 2007-07-09 05:39 | strushb | Note Added: 0014909 |
| 2008-01-22 14:55 | ssimpson | Note Added: 0016761 |
| 2008-01-24 08:28 | ssimpson | File Added: mantis-1.1.1_to_pki.zip |
| 2008-01-24 08:39 | ssimpson | Note Added: 0016792 |
| 2013-02-11 04:39 | puchrojo | Note Added: 0035100 |
| 2013-02-12 09:31 | ssimpson | Note Added: 0035106 |
| 2013-03-15 09:12 | azaghal | Note Added: 0035876 |