Redmine SSL Auth CN Plugin¶ ↑

This redmine plugin enables authentication using SSL client certificates

Original code by Jorge Bernal: github.com/koke/redmine_ssl_auth

Usage¶ ↑

• Install the plugin

• Configure apache for SSL authentication (see Configuration)

• Visit YOURSITE/login/ssl and it will login automatically

Notes ¶ ↑

• This plugin expects the (common name) CN of the certificate to be your username, & CN must be unique

• A user with that username should exist in the database or can register

• This doesn’t check any password, so implement certificate verification in Apache

• Tested with Redmine 2.6.4, 3.3.0

• © 2016 Steve Simpson, Licensed under GLPv2

Plugin Installation¶ ↑

These are for my installation. Your mileage may vary, but should be adaptable.

cd redmine/plugins/
git clone https://github.com/SteveSimpson/redmine_ssl_auth_cn.git
chgrp -R apache redmine_ssl_auth_cn
find redmine_ssl_auth_cn -type f -print0 | xargs -0 chmod 640
find redmine_ssl_auth_cn -type d -print0 | xargs -0 chmod 750
export RAILS_ENV=production
/path/to/rake redmine:plugins:migrate
service httpd restart

Redmine’s comments: www.redmine.org/projects/redmine/wiki/Plugins

Configuration¶ ↑

Tutorial: www.vanemery.com/Linux/Apache/apache-SSL.html (I haven’t reviewed it myself. But there is a lot of good information on the web about this.)

Here are some example settings, but I suggest that you dig in a little:

SSLEngine on
SSLProtocol all 
SSLCipherSuite HIGH:MEDIUM

SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLCACertificateFile /etc/apache2/ssl/ca.crt

RequestHeader set X-Proxy-Forwarded-CN "%{SSL_CLIENT_S_DN_CN}s"

SSLOptions +StdEnvVars

SSLVerifyDepth 3
SSLVerifyClient required
# SSLVerifyClient optional	
#<Location /login/ssl>
#  SSLVerifyClient require
#</Location>

• By making SSLVerifyClient optional, it’s possible to login without a certificate, using the regular login/password. A link is shown in the login form to require SSL authentication, see the Location /login/ssl section in the apache configuration.

• If you want to force your users to use certificates, change SSLVerifyClient to require.

• The RequestHeader line is absolutely required. That is what passes the cert to Redmine. Passenger was doing some sort of caching of ENV passed by Apache, but it did not cache the headers.