Ticket #1485224 (new Patches)

Opened 6 months ago

Last modified 4 days ago

client certificate authentication support for roundcube

Reported by: dan Owned by:
Priority: 5 Milestone: later
Component: Client Scripts Version: 0.2-beta
Severity: normal Keywords: certificate X509 passwordless SSL TLS
Cc:

Description

As I've got too many passwords, I've created the following patch that allows the use of client-side certificates to authenticate to roundcube.

The verification of the certificates is performed by the webserver (only Apache; lighttpd doesn't support it). The attached patch uses the SSL variables in the environment and maps those to an IMAP username.

As certificates don't pass a password there is a configuration for a global password that needs to be included in the imap authentication.

The attached patches include a fix for 1485207 as I've refactored the code that the patches there apply to. As the email address in the certificate is authoritative as an identity, poor regex matching will allow access to unintended persons.

If accepted I'm happy to write about the Apache configuration and IMAP server setup on the wiki.

Attachments

roundcubemail-0.2-alpha-clientcertificatesupport.patch (7.3 kB) - added by dan 6 months ago.
adds client certificate support as a roundcube authentication mechanism
roundcubemail-svn-1597-clientcertificatesupport.patch (6.1 kB) - added by dan 6 months ago.
client certificate support patch against svn
roundcubemail-svn-1652-clientcertificatesupport.2.patch (6.2 kB) - added by dan 5 months ago.
roundcubemail-svn-1652-clientcertificatesupport.patch (6.2 kB) - added by dan 5 months ago.
small fix to correct logout
roundcubemail-0.2beta2-certificate-login.patch (6.9 kB) - added by dan 4 days ago.
roundcubemail-0.2beta2-certificate-login.patch
roundcubemail-svn-2212-certificate-login.patch (6.4 kB) - added by dan 4 days ago.
roundcubemail-svn-2212-certificate-login.patch
roundcubemail-0.2-stable-working-certificate-login.patch (6.8 kB) - added by dan 3 days ago.
0.2-stable patch working and deployed in production

Change History

Changed 6 months ago by dan

adds client certificate support as a roundcube authentication mechanism

Changed 6 months ago by dan

client certificate support patch against svn

Changed 6 months ago by dan

Bugs with patch: 1. Logout doesn't work, as it auto-logs in.

the patch against rcmail.php:decrypt_passwd is probably redundant.

I'm not sure if this is giving the user the master password, even in an encrypted form.

I'm happy to test any changes you suggest.

Changed 5 months ago by dan

latest patch:
1. corrects logout. logout will work now without relogging in.
2. verified that rcmail.php:decrypt_passwd was redundant therefore no changes there
3. added certificate information to email headers when sent.

Changed 5 months ago by dan

small fix to correct logout

Changed 4 months ago by thomasb

  • milestone changed from 0.2-stable to later

Changed 4 days ago by dan

roundcubemail-0.2beta2-certificate-login.patch

Changed 4 days ago by dan

roundcubemail-svn-2212-certificate-login.patch

Changed 4 days ago by dan

  • version changed from 0.2-alpha to 0.2-beta

0.2beta2 is operational here: https://community.cacert.org/roundcubemail :-)

roundcubemail-svn-2212 isn't working yet. It keeps refreshing on the login page.

The Apache configuration to get this going is setting SSLCACertificatePath to the certificates you are going to allow. SSLCADNRequestPath is the certificates that the server will request (optionally) from the client.

        SSLCADNRequestPath /usr/share/ca-certificates/cacert.org/
        SSLProtocol all -SSLv2
        SSLCipherSuite HIGH:MEDIUM:!IDEA:!RC2:!RC4:@STRENGTH
        <Location /roundcubemail>
                SSLVerifyClient optional
                SSLVerifyDepth 3
                SSLCACertificatePath /usr/share/ca-certificates/cacert.org/
                SSLOptions +StdEnvVars
        </Location>

Changed 4 days ago by dan

Sample received header that it adds

Received: from ppp59-167-44-162.lns2.cbr1.internode.on.net [59.167.44.162]
	with certificate (/CN=Daniel
	Black/emailAddress=daniel@cacert.org,serial=5921),issuer=(/O=CAcert
	Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root)
	with HTTP/1.1 (POST); Sun, 04 Jan 2009 12:00:31 +0000
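The mapping the description talks about, with the checks the Apache configuration above implies, as an added example that is not part of dan's patches or of Roundcube: it reads the SSL_CLIENT_* variables Apache exports under SSLOptions +StdEnvVars, trusts them only when SSL_CLIENT_VERIFY is SUCCESS (with SSLVerifyClient optional the page is also served to clients that present no certificate or one that fails verification), derives the IMAP username from the certificate e-mail with an anchored match rather than a loose regex, and formats the certificate clause of the Received header shown above. The "local part of the e-mail is the IMAP user" rule, the allowed_domain parameter and the sample values are assumptions; the IMAP login itself with the global password is out of scope here.

```php
<?php
// Added example, not code from dan's patches or from Roundcube. Assumes the
// SSL_CLIENT_* variables that Apache exports with "SSLOptions +StdEnvVars".
// The "local part of the e-mail is the IMAP user" rule and $allowed_domain
// are assumptions made for illustration.

/**
 * Return the IMAP username a verified client certificate maps to, or null
 * when the request has to fall back to the normal password form.
 */
function cert_to_imap_user(array $env, string $allowed_domain): ?string
{
    // With "SSLVerifyClient optional" Apache serves the page even when the
    // client sent no certificate or one that failed verification; only
    // SSL_CLIENT_VERIFY=SUCCESS means the chain validated against
    // SSLCACertificatePath. The DN fields must not be trusted otherwise.
    if (($env['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }

    $email = $env['SSL_CLIENT_S_DN_Email'] ?? '';

    // Anchored, case-sensitive local part, then exactly the allowed domain.
    // An unanchored pattern would also accept "daniel@cacert.org.attacker.example"
    // and let an unrelated certificate holder log in as daniel.
    $pattern = '/\A([A-Za-z0-9._-]+)@' . preg_quote($allowed_domain, '/') . '\z/';
    if (!preg_match($pattern, $email, $m)) {
        return null;
    }
    return $m[1];
}

/**
 * Build the "with certificate (...)" clause of the Received header from the
 * same environment. Control characters are stripped defensively so a DN
 * value can never break out of the header line.
 */
function cert_received_clause(array $env): string
{
    $clean = static function (string $s): string {
        return (string) preg_replace('/[\x00-\x1f\x7f]/', '', $s);
    };
    return sprintf(
        'with certificate (%s,serial=%s),issuer=(%s)',
        $clean($env['SSL_CLIENT_S_DN'] ?? ''),
        $clean($env['SSL_CLIENT_M_SERIAL'] ?? ''),
        $clean($env['SSL_CLIENT_I_DN'] ?? '')
    );
}

// Constructed sample environment, modelled on the header dan posted above.
$env = [
    'SSL_CLIENT_VERIFY'     => 'SUCCESS',
    'SSL_CLIENT_S_DN'       => '/CN=Daniel Black/emailAddress=daniel@cacert.org',
    'SSL_CLIENT_S_DN_Email' => 'daniel@cacert.org',
    'SSL_CLIENT_M_SERIAL'   => '5921',
    'SSL_CLIENT_I_DN'       => '/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root',
];

// Verified certificate for the allowed domain: maps to a username.
var_dump(cert_to_imap_user($env, 'cacert.org'));

// No certificate presented (SSLVerifyClient optional lets the request through).
var_dump(cert_to_imap_user(['SSL_CLIENT_VERIFY' => 'NONE'], 'cacert.org'));

// Look-alike domain that a non-anchored regex would have accepted.
$lookalike = $env;
$lookalike['SSL_CLIENT_S_DN_Email'] = 'daniel@cacert.org.attacker.example';
var_dump(cert_to_imap_user($lookalike, 'cacert.org'));

echo cert_received_clause($env), "\n";
```

The first var_dump yields the username, the other two yield null: the request then falls through to Roundcube's ordinary login form instead of being treated as authenticated.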

Changed 3 days ago by dan

0.2-stable patch working and deployed in production
