phpbb3 and ssl certificate login

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Locked
adisan82
Registered User
Posts: 2
Joined: Mon Jul 16, 2012 10:43 am

phpbb3 and ssl certificate login

Post by adisan82 » Mon Jul 16, 2012 11:42 am

Hi,

I would like to use my personal certificate to log in to phpBB3, without giving a password etc.

Apache configuration:

Code: Select all

<VirtualHost *:443>

SSLEngine On
SSLVerifyClient require
SSLVerifyDepth 10
#---------------------------------------
# grid certification
SSLCACertificatePath /usr/lib/ssl/certs/
SSLCADNRequestPath /usr/lib/ssl/certs/
#------------------------------------------------
# server cert
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
#------------------------------------------------
ServerName 150.254.148.60:443
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

</VirtualHost>

I have installed the CA in /usr/lib/ssl/certs/.

I added a new function to /usr/share/phpBB3/includes/auth_db.php:
phpBB3 configuration:

Code: Select all

function autologin_db()
{
        global $db, $config;
        if ($_SERVER[SSL_CLIENT_VERIFY] == "SUCCESS")
        {
                $sql = "SELECT * FROM " . phpbb_users . "
                  WHERE username = '($_SERVER[SSL_CLIENT_S_DN_CN])'";
                $result = $db->sql_query($sql);
                $row = $db->sql_fetchrow($result);
                $db->sql_freeresult($result);
                if ($row)
                {
                        return $row;
                }
        }
        return array();
}

This is how this should work: if you have a certificate installed in the web browser that is accepted by the CA installed on the server, your user name in the phpBB3 database is the same as the certificate CN, and you use https://, you should be automatically logged in to phpBB3. Right now only the last part, "you should be automatically logged in to phpBB3", won't work ;/ no error in the log file ;/

I'm not sure where and how to call the function autologin_db(). Perhaps instead of adding a new function I should edit the "login_db" function?

naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany

Re: phpbb3 and ssl certificate login

Post by naderman » Mon Jul 16, 2012 8:44 pm

First off, you should really be posting this in MOD Writers Discussion http://www.phpbb.com/community/viewforum.php?f=71 on the main forum.

A few hints that might help you, else ask on the forum I linked you to:

You are not putting your strings in quotes, it should be $_SERVER["SSL_CLIENT_VERIFY"]. It's also insecure because you compare it to "SUCCESS" using ==, which means that if $_SERVER["SSL_CLIENT_VERIFY"] is 0 they are equal. You should be using === there. The constant for the table name is upper case USERS_TABLE. So you should use $sql = "SELECT * FROM " . USERS_TABLE . "

Check what the values in $_SERVER actually are when the function gets run by outputting them and verifying their correctness.
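
The hints in the reply above, put together as an added example (not code from either poster or from phpBB): quoted keys, a strict comparison, the USERS_TABLE constant, and an escaped CN without the stray parentheses. The helper names verified_client_cn and user_lookup_sql are hypothetical, the closure is a stand-in for phpBB's $db->sql_escape(), and the sample $_SERVER arrays are constructed.

```php
<?php
// Added example; helper names are hypothetical, sample inputs are constructed.
// Note: mod_ssl exports SSL_CLIENT_* to PHP only with "SSLOptions +StdEnvVars".

// Return the certificate CN only when Apache reports a verified client cert.
function verified_client_cn(array $server)
{
    // Quoted keys and ===: only the exact string 'SUCCESS' passes.
    // With ==, values such as true (or 0 before PHP 8) also compare equal.
    if (!isset($server['SSL_CLIENT_VERIFY']) || $server['SSL_CLIENT_VERIFY'] !== 'SUCCESS')
    {
        return null;
    }
    $cn = isset($server['SSL_CLIENT_S_DN_CN']) ? $server['SSL_CLIENT_S_DN_CN'] : '';
    return (is_string($cn) && $cn !== '') ? $cn : null;
}

// Build the lookup; the CN is escaped and has no parentheses around it.
function user_lookup_sql($cn, $table, $escape)
{
    return 'SELECT * FROM ' . $table . " WHERE username = '" . call_user_func($escape, $cn) . "'";
}

// Inside phpBB: same flow as the posted function, using $db and USERS_TABLE.
function autologin_db($db, array $server)
{
    $cn = verified_client_cn($server);
    if ($cn === null)
    {
        return array();
    }
    $result = $db->sql_query(user_lookup_sql($cn, USERS_TABLE, array($db, 'sql_escape')));
    $row = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);
    return $row ? $row : array();
}

// Stand-alone demo. The closure is a stand-in for $db->sql_escape().
$escape = function ($s) { return str_replace("'", "''", $s); };
$samples = array(
    array('SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => "Pat O'Neil"),
    array('SSL_CLIENT_VERIFY' => 'NONE', 'SSL_CLIENT_S_DN_CN' => 'someone'),
    array('SSL_CLIENT_VERIFY' => true, 'SSL_CLIENT_S_DN_CN' => 'someone'),
    array(), // plain HTTP request: no SSL_* variables at all
);
foreach ($samples as $server)
{
    $cn = verified_client_cn($server);
    echo $cn === null ? "no login\n" : user_lookup_sql($cn, 'phpbb_users', $escape) . "\n";
}
```

Only the first sample produces a query; the other three print "no login", including the boolean true that a loose == comparison would have accepted.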
