================================
Enable SSL Client authentication
================================

Intro
=====
Tested with Apache 2 and mod_ssl.
Django over mod_wsgi. From http://docs.djangoproject.com/en/dev/howto/deployment/modwsgi/
"Deploying Django with Apache and mod_wsgi is the recommended way to get Django into production."

Generate Keys
=============
* Create a CA (passphrase)
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl x509 -in ca.crt -text -noout
* Server key material (challenge)
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -out server.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650
openssl x509 -in server.crt -text -noout
* User Key material (challenge/password)
openssl genrsa -des3 -out c.key 1024
openssl req -new -key c.key -out c.csr
openssl x509 -req -in c.csr -out c.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650
openssl pkcs12 -export -in c.crt -inkey c.key -name "Mikael Ates" -out c.p12
openssl pkcs12 -in c.p12 -clcerts -nokeys -info

Configure Apache and WSGI
=========================
Add a file django.wsgi, e.g.:
"""
import os
import sys

sys.path.append("/usr/local/lib/python2.6/site-packages/")
try:
    import lasso
except:
    print >> sys.stderr, "Unable to import Lasso."

apache_configuration= os.path.dirname(__file__)
project = os.path.dirname(apache_configuration)
sys.path.append(project)
try:
    import authentic2.settings
    os.environ['DJANGO_SETTINGS_MODULE'] = 'authentic2.settings'
except:
    print >> sys.stderr, "Unable to import settings."

import django.core.handlers.wsgi
application = django.core.handlers.wsgi.WSGIHandler()
"""

Activate apache2 modules:
* a2enmod wsgi
* a2enmod ssl

Add a Apache vhost for SSL.
"""
<IfModule mod_ssl.c>
<VirtualHost *:443>

LimitInternalRecursion 1000
ServerAdmin webmaster@entrouvert.org
ServerName localhost

Alias /media/admin/ /usr/local/lib/python2.6/dist-packages/django/contrib/admin/media/

WSGIScriptAlias / /Donnees/devs/authentic/apache/django.wsgi

<Directory /Donnees/devs/authentic/>
SSLVerifyClient optional_no_ca
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Allow from all
</Directory>

SSLEngine on
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2

SSLCertificateFile /Donnees/devs/authentic/apache/key_mat/server.crt
SSLCertificateKeyFile /Donnees/devs/authentic/apache/key_mat/server.key

SSLCertificateChainFile /Donnees/devs/authentic/apache/key_mat/ca.crt
SSLCACertificateFile /Donnees/devs/authentic/apache/key_mat/ca.crt

SSLOptions +StdEnvVars +ExportCertData

BrowserMatch "MSIE [2-6]" \
	nokeepalive ssl-unclean-shutdown \
	downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>
"""

Give rights to Apache on your Authentic directory.
Reload Apache.

Configure Authentic
===================
in settings.py:
Set AUTH_SSL = True
To create a user with the mail adress as identifier:
SSLAUTH_CREATE_USER = True
To use another identifier:
def myusernamegen(ssl_info):
    import re
    if(ssl_info.subject_cn):
        return return re.sub('[^a-zA-Z0-9]', '_', ssl_info.subject_cn)
    else:
        return return re.sub('[^a-zA-Z0-9]', '_', ssl_info.serial)
SSLAUTH_CREATE_USERNAME_CALLBACK = myusernamegen


