This is a follow-up to Add support for HTTPS Client Authentication.

While we now support client authentication, it would be useful to enable it only for specific paths instead of the entire site (say something like /login). This will allow sites to only request certificates from users on those specific paths, not all pages. The UX for seeing the browser pop-up on a new site without knowing what the site is about can be somewhat unsettling. Also, users may not know they need certificates for logging into the site until they've accessed it successfully at least once, and read about what's required.

This support can be added only for Apache as Nginx never supported it, and has no plans to.
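As an added illustration (not code from the patch or from the hosting_https module), this is the Apache configuration the proposal amounts to: the site-wide default never asks the browser for a certificate, and only requests under /login trigger the prompt. Certificate, key and CA file paths are placeholders.

```apache
# Added example, not part of the patch: scope the client-certificate
# request to /login so the browser pop-up only appears there.
<VirtualHost *:443>
    ServerName example.org
    SSLEngine on
    # Placeholder paths; substitute the site's real server cert, key and client CA.
    SSLCertificateFile    /etc/ssl/certs/example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/example.org.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt

    # Site-wide default: no certificate is requested, so first-time visitors
    # browsing the public pages never see the certificate chooser.
    SSLVerifyClient none

    <Location /login>
        # Only here is a certificate requested. "require" refuses the request
        # unless the browser presents a certificate that chains to the CA above;
        # "optional_no_ca" would instead let an unverifiable certificate through
        # and leave the check to the application (via SSL_CLIENT_VERIFY).
        SSLVerifyClient require
        SSLVerifyDepth  2
        # Expose the validated subject to the application for account mapping.
        SSLOptions +StdEnvVars
    </Location>
</VirtualHost>
```

Because the verify level is chosen per Location, mod_ssl can only apply it after it has read the request path, so it re-runs the certificate exchange (a renegotiation on TLS 1.2) for requests that match /login.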

Comments

colan created an issue. See original summary.


Status: Active » Needs review
Patch status: new, size 9.18 KB

See attached.


It seems surprising to return a formatted string here:

+/**
+ * Fetches the client authentication path.
+ */
+function hosting_https_client_authentication_path($node) {
+  if (empty($node->https_client_authentication_path)) {
+    return t('<em>(global)</em>');
+  }
+  return filter_xss($node->https_client_authentication_path);
+}
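Review bot: the empty-path branch returns rendered markup (t('<em>(global)</em>')) from a function whose name and docblock say it fetches a path, so any caller that uses the result as a path, or compares it against a real path, gets HTML instead of the value. Consider returning NULL or '' here and letting the form or theme layer print the "(global)" placeholder. The non-empty branch runs filter_xss() on the value, which is fine for display but confirms this is a display helper rather than a getter; naming it that way, or splitting the two responsibilities, would make the intent clear.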

This looks weird. Are we really concatenating a field name?

-    $result = db_query("SELECT https_enabled$client_auth_column FROM {hosting_https_site} WHERE vid = :vid",
+    $result = db_query("SELECT https_enabled$client_auth_enabled_column$client_auth_path_column FROM {hosting_https_site} WHERE vid = :vid",
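Review bot: `$client_auth_enabled_column` and `$client_auth_path_column` are interpolated straight into the SELECT list, so the query is only safe as long as both variables are built from constant strings in the surrounding code; the `:vid` placeholder protects the value but does nothing for column names. Selecting `*` from {hosting_https_site} and checking with isset() which keys come back removes the string building, or use db_select() and call ->addField() conditionally.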

This looks like a typo ("CLient"):

   $lines[] = "  SSLVerifyCLient optional_no_ca";
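Review bot: the directive name is misspelled (`SSLVerifyCLient`); Apache matches directive names case-insensitively, which is why it has worked, but it should read `SSLVerifyClient`. Separately, `optional_no_ca` accepts a presented certificate even when it fails verification against the configured CA, so nothing downstream may treat the mere presence of a client certificate as authentication without first checking SSL_CLIENT_VERIFY (only `SUCCESS` means the chain validated).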

  • colan committed 8e8f751 on 7.x-3.x
    Issue #2964764 by colan: Added client authentication path support.
    

Status: Needs review » Fixed

It seems surprising to return a formatted string here

It's only a formatted string if there's no path set so that we can specify that the configuration is global.

This looks weird. Are we really concatenating a field name?

Agreed. I added a TODO to fix that the next time somebody's in there. We should be doing a SELECT *, and then checking to see which fields come back.

This looks like a typo ("CLient"):

Fixed, although it looks like Apache doesn't care as it's been working like this for a while.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.