<div dir="ltr">Hi,<div><br></div><div>thanks, but that's not what I thought of. Authorization via client certificate DOES already work if used from a web browser.</div><div><br></div><div>What I'd like to have is the owncloud client (windows or linux gui) to use a client certificate to authenticate to a server which allows connection only by a client certificate.</div>
<div>This doesn't work yet unfortunately.</div></div><div class="gmail_extra"><br clear="all"><div>-- <br>Dr. Johannes Zellner <<a href="mailto:johannes@zellner.org">johannes@zellner.org</a>></div>
<br><br><div class="gmail_quote">2013/10/31 Mario Klug <span dir="ltr"><<a href="mailto:mario@klug.me" target="_blank">mario@klug.me</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<u></u>
<div>
<p><br>Sorry, this was a mistake.</p><p>You'd have to check if $_SERVER['SSL_CLIENT_VERIFY'] says "SUCCESS". If no certificate is available it's also there but the value is "NONE".</p>
<p>Regards<br>Mario<br></p><blockquote style="border-left:2px solid #325fba;padding-left:5px;margin-left:5px;margin-right:0px">-----Ursprüngliche Nachricht-----<br><strong>Von:</strong> Mario Klug <<a href="mailto:mario@klug.me" target="_blank">mario@klug.me</a>><br>
<strong>Gesendet:</strong> Don 31 Oktober 2013 08:05<br><strong>An:</strong> <a href="mailto:owncloud@kde.org" target="_blank">owncloud@kde.org</a><br><strong>Betreff:</strong> AW: [Owncloud] oc with ssl client certificate<div>
<div class="h5"><br><br>
<div>
<p>Hi Johannes,<br>I haven't tried it by myself but theoratically when using a client certificate the apache webserver adds <code>SSL_SERVER_I_DN_CN</code><code> and SSL_SERVER_I_DN_Email to the $_SERVER array.<br></code></p>
<p>This makes it very easy to add a check if a certificate is available in index.php.</p><p>if(!isset($_SERVER['SSL_SERVER_I_DN_CN'])) {</p><p> die('You must provide a valid client certificate!');<br>}</p>
<p>When anybody opens your owncloud without a certificate he will receive a blank page which tells "You must provide a valid client certificate".<br>If the browser send this certificate the login should appear as usual.</p>
<p>Hope this helps as workaround.</p><p>Regards<br>Mario<br></p><blockquote style="border-left:2px solid #325fba;padding-left:5px;margin-left:5px;margin-right:0px">-----Ursprüngliche Nachricht-----<br><strong>Von:</strong> Dr. Johannes Zellner <<a href="mailto:johannes@zellner.org" target="_blank">johannes@zellner.org</a>><br>
<strong>Gesendet:</strong> Mit 30 Oktober 2013 22:49<br><strong>An:</strong> <a href="mailto:owncloud@kde.org" target="_blank">owncloud@kde.org</a><br><strong>Betreff:</strong> Re: [Owncloud] oc with ssl client certificate<br>
<br>
<div dir="ltr">Hi,<div><br></div><div>thanks.</div><div><br></div><div><span style="font-family:arial,sans-serif;font-size:13px"><i>The interesting question from my (the client) perspective is: (how) did you make it work on the server?</i></span><br>
</div><div><span style="font-family:arial,sans-serif;font-size:13px"><i><br></i></span></div><div>It's as simple as having the client certificate to grant (and be required) to access the web server.</div><div>Afterwards I've to log into owncloud as usual.</div>
<div><br></div><div>So this is a two stage login process, which...</div><div><br></div><div>1. ...prevents anybody who doesn't have a valid client certificat to even see the login page</div><div>2. ...still allows to log into owncloud under different accounts, e.g. an admin and a user account (if you have the certificate)</div>
<div><br></div><div>This is perfectly what I like and what works inside a web browser.</div><div>In fact I wouldn't like the certificate to be linked to an owncloud account as it wouldn't allow me to log in under different accounts any more.</div>
<div>I believe that this is a very common scenario that someone wishes to double-protect a private owncloud server.</div><div><br></div><div>so it would be nice to have client authentication working with the owncloud clients.</div>
<div><br></div><div>regards,</div><div class="gmail_extra"><br clear="all"><div>-- <br>Johannes</div>
<br><br><div class="gmail_quote">2013/10/30 Daniel Molkentin <span dir="ltr"><<a href="mailto:danimo@owncloud.com" title="Der externe Link wird in einem neuen Fenster geöffnet" target="_blank">danimo@owncloud.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">Hi Johannes,<div><br><div><div>Am 30.10.2013 um 17:03 schrieb Dr. Johannes Zellner:</div><div><br><blockquote type="cite"><div dir="ltr">how do owncloud clients work when apache is configured with ssl client certificate authentification?</div>
</blockquote><div><br></div></div><div>Neither the desktop nor the mobile clients support certificate authentication at this point, see below for details.</div><div><br><blockquote type="cite"><div dir="ltr"><div>
does the windows client work with a client certificate?</div></div></blockquote><div><br></div></div><div>The Desktop Client (which has the same codebase for all OSes), has <a href="https://github.com/owncloud/mirall/issues/69" title="Der externe Link wird in einem neuen Fenster geöffnet" target="_blank">https://github.com/owncloud/mirall/issues/69</a> filed for that. It's not yet scheduled for any release, but if you look at the bug report, someone has volunteered to look into it, although it's been a few weeks since I last heard of him.</div>
<div><br></div><div>The interesting question from my (the client) perspective is: (how) did you make it work on the server? IMHO client certificates are only interesting if ownCloud automatically maps them to a user (as opposed to just being in front of http basic auth as a second layer), and afaik there is no user backend for the server that implements such functionality.</div>
<div><div><br></div><blockquote type="cite"><div dir="ltr"><div>does mounting via davfs2 on linux work with a client certificate?</div>
</div></blockquote><br></div></div><div>Haven't tested that yet myself. The man page indicates that it does. </div><div><br></div><div>Cheers,</div><div> Daniel</div><br><div>
<span style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;border-collapse:separate;text-transform:none;font-size:medium;white-space:normal;font-family:Helvetica;word-spacing:0px"><span style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;border-collapse:separate;text-transform:none;font-size:medium;white-space:normal;font-family:Helvetica;word-spacing:0px"><div style="word-wrap:break-word">
<span style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;border-collapse:separate;text-transform:none;font-size:medium;white-space:normal;font-family:Helvetica;word-spacing:0px"><div style="word-wrap:break-word">
<div>--</div><div><a href="http://www.owncloud.com" title="Der externe Link wird in einem neuen Fenster geöffnet" target="_blank">www.owncloud.com</a> - Your Data, Your Cloud, Your Way!</div><div><br>ownCloud GmbH, GF: Markus Rex, Holger Dyroff<br>
Schloßäckerstrasse 26a, 90443 Nürnberg, HRB 28050 (AG Nürnberg)</div>
</div></span></div></span></span>
</div>
<br></div></div><br>_______________________________________________<br>
Owncloud mailing list<br>
<a href="mailto:Owncloud@kde.org" title="Der externe Link wird in einem neuen Fenster geöffnet" target="_blank">Owncloud@kde.org</a><br>
<a href="https://mail.kde.org/mailman/listinfo/owncloud" title="Der externe Link wird in einem neuen Fenster geöffnet" target="_blank">https://mail.kde.org/mailman/listinfo/owncloud</a><br>
<br></blockquote></div><br></div></div>
<pre>_______________________________________________<br>
Owncloud mailing list<br>
<a href="mailto:Owncloud@kde.org" target="_blank">Owncloud@kde.org</a><br>
<a href="https://mail.kde.org/mailman/listinfo/owncloud" target="_blank">https://mail.kde.org/mailman/listinfo/owncloud</a><br>
</pre>
</blockquote>
</div>
</div></div></blockquote>
</div>
<br>_______________________________________________<br>
Owncloud mailing list<br>
<a href="mailto:Owncloud@kde.org">Owncloud@kde.org</a><br>
<a href="https://mail.kde.org/mailman/listinfo/owncloud" target="_blank">https://mail.kde.org/mailman/listinfo/owncloud</a><br>
<br></blockquote></div><br></div>