SSL Authentication


This plugin allows authentication of users by making use of SSL client certificates.

Bugs/Feature Requests

Existing bugs and feature requests for SslAuthenticationPlugin are here.

If you have any issues, create a new ticket.


1 / 1


Download the zipped source from here.


Check out using Subversion, or browse the source with Trac.


For Trac 0.10 only, a patch is required to be applied against Trac in order to get this working. This patch is against 0.10.4-2, the -2 represents a Debian package revision:

  • trac/web/

    diff -Nur /usr/share/python-support/trac/trac/web/ /var/lib/python-support/python2.4/trac/web/
    old new  
    180180            if not getattr(chosen_handler, 'anonymous_request', False):
    181181                try:
    182182                    req.authname = self.authenticate(req)
    183                     req.perm = PermissionCache(self.env, req.authname)
     183                    try:
     184                        req.perm = PermissionCache(self.env, req.perm_user)
     185                    except AttributeError:
     186                        req.perm = PermissionCache(self.env, req.authname)
    184187                    req.session = Session(self.env, req)
    185188                    req.form_token = self._get_form_token(req)
    186189                except:

When this patch is applied, you can use a virtual host config section similar to this (assuming you're using Apache):

<VirtualHost *:443>

    Alias /chrome/common /usr/share/trac/htdocs

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/trac.example.org_publickey.pem
    SSLCertificateKeyFile /etc/apache2/ssl/trac.example.org_privatekey.pem
    # I use CACert's root certificate, you can get it from here:
    SSLCACertificateFile /etc/apache2/ssl/CACert_class_1_and_3.pem

    SSLVerifyClient none
    SSLOptions -StrictRequire

    <Directory "/usr/share/trac/htdocs">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all

    <Location "/test">
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnv /var/trac/test
        PythonOption TracUriRoot /personal/

        # Authentication
        # Require SSL connection to access this location

        # Requires client verification, and verifies up to 2 intermediary CAs
        SSLVerifyClient optional
        SSLVerifyDepth 2

        # Creates additional environment variables including client certificate data
        SSLOptions +StdEnvVars
        # Requires the above SSLRequireSSL directive to be succesfull as well as
        # the SSLRequire directive below, if it isn't succesfull Apache will
        # refuse access to this page.
        SSLOptions +StrictRequire

        # Requires, that the client's CN and e-mail in the certificates equals one of the below
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

    # Lets still allow basic HTTP authentication
    <Location "/test/login">
        AuthType Basic
        AuthName "Test Trac"
        AuthUserFile /etc/apache2/passwd/
        Require valid-user

    CustomLog /var/log/apache2/ combined
    ErrorLog /var/log/apache2/

If the plugin is installed and enabled, and the patch is applied, you will be able to automatically log in with the email address in your browser's client certificate.

You can create yourself a client certificate at CACert.

Recent Changes

6136 by giel on 2009-07-01 09:51:58

Use exception handling instead of an 'if' check to check for perm_user (e-mail address from SSL certificate):

  • This fixes a bug where non-SSL-cert authentication (but not anonymous) caused an exception (AttributeError) while trying to access req.perm_user while it didn't exist
6135 by giel on 2009-06-30 21:44:38

Implement a version of the plugin that works with Trac 0.11

  • This version doesn't require patching of Trac's sources
    • Works through changing code at runtime (replacing a single routine of Trac)
6134 by giel on 2009-06-30 21:41:10
Make the script executable


Author: giel
Maintainer: Giel van Schijndel

Last modified 7 years ago Last modified on Nov 9, 2015, 3:06:16 PM