This 17-line patch maps SSL client certificates, which could be either those used in my pseudonymity package "nym" or traditionally issued certificates, to IP addresses in the reserved 10.0.0.0 network. I have a live MediaWiki installation which uses this patch with nym to allow pseudonymous editing as I described in my proposal last week. nym-0.3, which includes the patch, can be found here:
http://www.lunkwill.org/src/nym/
This is the code:
    if ( $wgMapClientCertToIP && isset( $_SERVER['SSL_CLIENT_M_SERIAL'] ) ) {
        # This is a little classier, but would require
        # more codebase changes and might cause subtle bugs
        # $ip = 'anonuser.' . $_SERVER['SSL_CLIENT_M_SERIAL'];

        # This, on the other hand, is almost guaranteed to work, but could
        # cause problems for people using the 10.*.*.* private IP range.
        # mod_ssl exports the serial as a hexadecimal string, so convert it
        # to an integer before doing arithmetic on it.
        $s = hexdec( $_SERVER['SSL_CLIENT_M_SERIAL'] );
        # Three octets hold serials 0 .. 2^24-1; anything larger would
        # push the first octet past 255 and produce an invalid address.
        if ( $s >= (1 << 24) ) {
            die( 'Client certificate ID too large(!)' );
        }
        $o1 = ($s >> 16);
        $o2 = ($s >> 8) & 255;
        $o3 = $s & 255;
        $ip = '10.' . $o1 . '.' . $o2 . '.' . $o3;
    }
It should be placed in includes/ProxyTools.php just before the last three lines of wfGetIP:
    wfDebug( "IP: $ip\n" );
    $wgIP = $ip;
    return $ip;
}
(I'm using MediaWiki from CVS, ProxyTools.php RCS version 1.6.)
The following should then be added to DefaultSettings.php:
# Enable this setting if you want to use strong authentication
# based on SSL client certificates; the serial number of the certificate
# will be mapped to the last three octets of a 10.*.*.* IP address
$wgMapClientCertToIP = false;
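To make the mapping concrete outside of MediaWiki, here is an added stand-alone model of the scheme in Python; it is not code from nym or from the MediaWiki patch above. It assumes the mod_ssl variable names SSL_CLIENT_M_SERIAL (the serial, reported as hex) and SSL_CLIENT_VERIFY (SUCCESS only when the certificate chained to a trusted CA), applies the 2^24 bound that three octets allow, and also provides the inverse so that an administrator looking at a 10.x.y.z address in the logs can recover which certificate serial it came from. The environment dictionary is constructed for the example.

```python
import ipaddress

# Three octets hold serials 0 .. 2^24-1 (assumption: same bound as the patch).
MAX_SERIAL = 1 << 24


def serial_to_ip(serial_hex, verify_status="SUCCESS"):
    """Map a client-certificate serial (hex string, as mod_ssl reports it)
    to an address in 10.0.0.0/8.

    Returns None when the certificate was not actually verified by the
    server (so an arbitrary self-signed certificate cannot claim a serial)
    or when the serial does not fit in three octets."""
    if verify_status != "SUCCESS":
        return None
    try:
        s = int(serial_hex, 16)
    except ValueError:
        return None
    if s < 0 or s >= MAX_SERIAL:
        return None
    return "10.%d.%d.%d" % (s >> 16, (s >> 8) & 255, s & 255)


def ip_to_serial(ip):
    """Inverse mapping: recover the certificate serial (uppercase hex)
    from an address produced by serial_to_ip()."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network("10.0.0.0/8"):
        raise ValueError("%s is not a mapped client-certificate address" % ip)
    o = addr.packed  # four bytes, o[0] is always 10 here
    return "%X" % ((o[1] << 16) | (o[2] << 8) | o[3])


def ip_from_environ(environ):
    """Apply the mapping to a CGI-style environment as mod_ssl would fill it
    (hypothetical helper; mirrors the isset() check in the PHP patch)."""
    if "SSL_CLIENT_M_SERIAL" not in environ:
        return None
    return serial_to_ip(environ["SSL_CLIENT_M_SERIAL"],
                        environ.get("SSL_CLIENT_VERIFY", "NONE"))


# Constructed sample environment, as mod_ssl would export it with
# SSLOptions +StdEnvVars and a certificate that verified successfully.
SAMPLE_ENVIRON = {
    "SSL_CLIENT_M_SERIAL": "1234AB",
    "SSL_CLIENT_VERIFY": "SUCCESS",
}

if __name__ == "__main__":
    ip = ip_from_environ(SAMPLE_ENVIRON)
    print(SAMPLE_ENVIRON["SSL_CLIENT_M_SERIAL"], "->", ip)
    print(ip, "->", ip_to_serial(ip))
```

Two things are worth noticing. First, the bound has to be 2^24, not 2 << 24 (which is 2^25): a serial of 0x1FFFFFF would otherwise pass the check and yield a first octet of 511. Second, the mapping only means anything when the server insisted on a verified certificate; checking SSL_CLIENT_VERIFY guards against a configuration such as SSLVerifyClient optional_no_ca, where mod_ssl still exports the serial of a certificate nobody vouched for.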