This 17-line patch maps SSL client certificates, which could be either those
used in my pseudonymity package "nym" or traditionally issued certificates, to
IP addresses in the reserved 10.0.0.0 network. I have a live MediaWiki
installation which uses this patch with nym to allow pseudonymous editing as I
described in my proposal last week. nym-0.3, which includes the patch, can be
found here:
http://www.lunkwill.org/src/nym/
This is the code:
if ( $wgMapClientCertToIP && isset( $_SERVER['SSL_CLIENT_M_SERIAL'] ) ) {
    # This is a little classier, but would require
    # more codebase changes and might cause subtle bugs
    # $ip = 'anonuser.' . $_SERVER['SSL_CLIENT_M_SERIAL'];

    # This, on the other hand, is almost guaranteed to work, but could
    # cause problems for people using the 10.*.*.* private IP range.
    # mod_ssl exports the serial as a hexadecimal string, so convert it
    # explicitly instead of relying on PHP's string-to-number coercion,
    # which could let a non-numeric serial compare as 0 and collide
    # with another certificate's address.
    $serial = $_SERVER['SSL_CLIENT_M_SERIAL'];
    if ( !ctype_xdigit( $serial ) ) {
        die('Client certificate ID is not a hexadecimal serial(!)');
    }
    $s = hexdec( $serial );
    # Three octets hold 24 bits; a serial >= 2^24 would push the
    # first octet past 255 and produce an invalid address
    if ( $s >= (1 << 24) ) {
        die('Client certificate ID too large(!)');
    }
    $o1 = ($s >> 16) & 255;
    $o2 = ($s >> 8) & 255;
    $o3 = $s & 255;
    $ip = '10.' . $o1 . '.' . $o2 . '.' . $o3;
}
It should be placed in includes/ProxyTools.php just before the last three lines
of wfGetIP:
wfDebug( "IP: $ip\n" );
$wgIP = $ip;
return $ip;
}
(I'm using MediaWiki from CVS, ProxyTools.php RCS version 1.6).
The following should then be added to DefaultSettings.php:
# Enable this setting if you want to use strong authentication
# based on SSL client certificates; the serial number of the certificate
# will be mapped to the last three octets of a 10.*.*.* IP address
$wgMapClientCertToIP = false;
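As an added illustration that is not part of the patch or of nym, the following Python reproduces the serial-to-address mapping described above, adds the inverse (so an address seen in RecentChanges can be traced back to a certificate serial), and shows why the bound on the serial must be 2^24 rather than 2 << 24. It assumes, as mod_ssl documents, that SSL_CLIENT_M_SERIAL is a hexadecimal string; the sample serials are constructed.

```python
# Added example: the 10.x.y.z mapping from the patch, its inverse for
# correlating a wiki edit back to a certificate, and the bound check that
# keeps every serial inside the three available octets.
from ipaddress import IPv4Address, IPv4Network

MAPPED_NET = IPv4Network("10.0.0.0/8")
MAX_SERIAL = 1 << 24  # three octets hold exactly 24 bits
HEX_DIGITS = set("0123456789abcdefABCDEF")


def serial_to_ip(hex_serial: str) -> str:
    """Map a hex certificate serial to 10.o1.o2.o3, as the patch does."""
    if not hex_serial or any(c not in HEX_DIGITS for c in hex_serial):
        raise ValueError("serial is not hexadecimal: %r" % hex_serial)
    s = int(hex_serial, 16)
    if s >= MAX_SERIAL:
        raise ValueError("serial %d does not fit in three octets" % s)
    # 10.0.0.0 + s is exactly 10.(s >> 16).((s >> 8) & 255).(s & 255)
    return str(IPv4Address(int(MAPPED_NET.network_address) + s))


def ip_to_serial(ip: str) -> str:
    """Inverse mapping: recover the certificate serial from a logged address."""
    addr = IPv4Address(ip)
    if addr not in MAPPED_NET:
        raise ValueError("%s is not a mapped client-certificate address" % ip)
    return "%X" % (int(addr) - int(MAPPED_NET.network_address))


def original_bound_overflows(hex_serial: str) -> bool:
    """True when a serial passes the patch's original `>= (2 << 24)` check
    yet yields a first octet above 255, i.e. an invalid address."""
    s = int(hex_serial, 16)
    return s < (2 << 24) and (s >> 16) > 255


# Constructed sample serials, small ones as a local CA such as nym would issue.
SAMPLE_SERIALS = ["01", "0A", "FFFF", "1A2B3C"]

if __name__ == "__main__":
    for serial in SAMPLE_SERIALS:
        ip = serial_to_ip(serial)
        print("%-8s -> %-15s -> %s" % (serial, ip, ip_to_serial(ip)))
    # 0x1000000 = 2^24 slips past the original bound but not the corrected one
    print("1000000 overflows under 2<<24:", original_bound_overflows("1000000"))
```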