[Owncloud] oc with ssl client certificate

Dr. Johannes Zellner johannes at zellner.org
Sat Nov 2 21:09:06 UTC 2013


Hi,

I just patched ocsync to allow for CA and client certificates.
The patch is attached and applies to ocsync as from pulled from git://
git.csync.org/users/freitag/csync.git

The syntax is pretty obvious IMHO and is described in the help:

    --ca-cert=<file>       file name of CA certificate
    --client-cert=<file>   file name of client certificate
    --client-cert-pass=<p> password of client certificate

This allows ocsync to connect to a server which is protected by a
(self-signed) client certificate.

The CA file will usually be a PEM file, the client certificate will usually
be in p12 format.

I added corresponding properties ca_certificate, client_certificate and
client_certificate_pass to csync_owncloud.[ch], which could also be used by
the gui.

This relates to https://github.com/owncloud/mirall/issues/69

*Anyone volunteers to do the gui stuff? (I'm afraid of not being
experienced enough to do this).*

*It would be nice if this could make it to the official sources soon.*

-- 
Johannes.


2013/10/31 Dr. Johannes Zellner <johannes at zellner.org>

> Hi,
>
> thanks, but that's not what I thought of. Authorization via client
> certificate DOES already work if used from a web browser.
>
> What I'd like to have is the owncloud client (windows or linux gui) to use
> a client certificate to authenticate to a server which allows connection
> only by a client certificate.
> This doesn't work yet unfortunately.
>
> --
> Dr. Johannes Zellner <johannes at zellner.org>
>
>
> 2013/10/31 Mario Klug <mario at klug.me>
>
>>
>> Sorry, this was a mistake.
>>
>> You'd have to check if $_SERVER['SSL_CLIENT_VERIFY'] says "SUCCESS".  If
>> no certificate is available it's also there but the value is "NONE".
>>
>> Regards
>> Mario
>>
>> -----Original Message-----
>> *From:* Mario Klug <mario at klug.me>
>> *Sent:* Thu 31 October 2013 08:05
>> *To:* owncloud at kde.org
>> *Subject:* RE: [Owncloud] oc with ssl client certificate
>>
>>
>> Hi Johannes,
>> I haven't tried it myself but theoretically when using a client
>> certificate the apache webserver adds SSL_SERVER_I_DN_CN and
>> SSL_SERVER_I_DN_Email to the $_SERVER array.
>>
>> This makes it very easy to add a check if a certificate is available in
>> index.php.
>>
>> // Refuse to serve anything if the variable is absent from $_SERVER.
>> if (!isset($_SERVER['SSL_SERVER_I_DN_CN'])) {
>>     die('You must provide a valid client certificate!');
>> }
>>
>> When anybody opens your owncloud without a certificate he will receive a
>> blank page which tells "You must provide a valid client certificate".
>> If the browser sends this certificate the login should appear as usual.
>>
>> Hope this helps as workaround.
>>
>> Regards
>> Mario
>>
>> -----Original Message-----
>> *From:* Dr. Johannes Zellner <johannes at zellner.org>
>> *Sent:* Wed 30 October 2013 22:49
>> *To:* owncloud at kde.org
>> *Subject:* Re: [Owncloud] oc with ssl client certificate
>>
>> Hi,
>>
>> thanks.
>>
>> *The interesting question from my (the client) perspective is: (how) did
>> you make it work on the server?*
>>
>> It's as simple as having the client certificate to grant (and be
>> required) to access the web server.
>> Afterwards I've to log into owncloud as usual.
>>
>> So this is a two stage login process, which...
>>
>> 1. ...prevents anybody who doesn't have a valid client certificate from even
>> seeing the login page
>> 2. ...still allows logging into owncloud under different accounts, e.g. an
>> admin and a user account (if you have the certificate)
>>
>> This is perfectly what I like and what works inside a web browser.
>> In fact I wouldn't like the certificate to be linked to an owncloud
>> account as it wouldn't allow me to log in under different accounts any more.
>> I believe that this is a very common scenario that someone wishes to
>> double-protect a private owncloud server.
>>
>> So it would be nice to have client authentication working with the
>> owncloud clients.
>>
>> regards,
>>
>> --
>> Johannes
>>
>>
>> 2013/10/30 Daniel Molkentin <danimo at owncloud.com>
>>
>>> Hi Johannes,
>>>
>>> On 30.10.2013 at 17:03, Dr. Johannes Zellner wrote:
>>>
>>> how do owncloud clients work when apache is configured with ssl client
>>> certificate authentication?
>>>
>>>
>>> Neither the desktop nor the mobile clients support certificate
>>> authentication at this point, see below for details.
>>>
>>> does the windows client work with a client certificate?
>>>
>>>
>>> The Desktop Client (which has the same codebase for all OSes), has
>>> https://github.com/owncloud/mirall/issues/69 filed for that. It's not
>>> yet scheduled for any release, but if you look at the bug report, someone
>>> has volunteered to look into it, although it's been a few weeks since I
>>> last heard of him.
>>>
>>> The interesting question from my (the client) perspective is: (how) did
>>> you make it work on the server? IMHO client certificates are only
>>> interesting if ownCloud automatically maps them to a user (as opposed to
>>> just being in front of http basic auth as a second layer), and afaik there
>>> is no user backend for the server that implements such functionality.
>>>
>>> does mounting via davfs2 on linux work with a client certificate?
>>>
>>>
>>> Haven't tested that yet myself. The man page indicates that it does.
>>>
>>> Cheers,
>>>   Daniel
>>>
>>>  --
>>> www.owncloud.com - Your Data, Your Cloud, Your Way!
>>>
>>> ownCloud GmbH, GF: Markus Rex, Holger Dyroff
>>> Schloßäckerstrasse 26a, 90443 Nürnberg, HRB 28050 (AG Nürnberg)
>>>
>>>
>>> _______________________________________________
>>> Owncloud mailing list
>>> Owncloud at kde.org
>>> https://mail.kde.org/mailman/listinfo/owncloud
>>>
>>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ocsync_certs.patch
Type: text/x-patch
Size: 6640 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/owncloud/attachments/20131102/f382cf79/attachment.bin>
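Mario's index.php guard, rewritten in the corrected form his follow-up describes (test SSL_CLIENT_VERIFY, which reports on the client certificate, instead of SSL_SERVER_I_DN_CN, which describes the server certificate and is present on every TLS request). This is an added example, not code from the thread or from ownCloud; it assumes Apache mod_ssl with SSLOptions +StdEnvVars so the SSL_* variables reach PHP, and the function names are mine.

```php
<?php
// Added example: a hardened pre-login guard for ownCloud's index.php.
// Assumes Apache mod_ssl in front of ownCloud with "SSLOptions +StdEnvVars"
// so that the SSL_CLIENT_* variables are exported to $_SERVER.

function client_cert_verified(array $server)
{
    // SSL_SERVER_I_DN_CN names the issuer of the *server* certificate and is
    // set on every HTTPS request, so it cannot distinguish clients.
    // SSL_CLIENT_VERIFY is mod_ssl's verdict on the *client* certificate:
    //   "NONE"           no certificate was sent
    //   "SUCCESS"        certificate chain verified against the configured CA
    //   "FAILED:<why>"   certificate sent but verification failed
    //   "GENEROUS"       accepted without verification (optional_no_ca mode)
    if (!isset($server['SSL_CLIENT_VERIFY']) || $server['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
        return false;
    }
    // A verified certificate always carries a subject DN; treat a missing one
    // as a misconfiguration (e.g. StdEnvVars not exported) and fail closed.
    return isset($server['SSL_CLIENT_S_DN']) && $server['SSL_CLIENT_S_DN'] !== '';
}

function require_client_cert(array $server)
{
    if (client_cert_verified($server)) {
        return;
    }
    $verdict = isset($server['SSL_CLIENT_VERIFY']) ? $server['SSL_CLIENT_VERIFY'] : 'unset';
    $peer    = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '-';
    // Log the rejection so failed/absent certificates show up in the web
    // server's error log instead of silently producing a blank page.
    error_log('ownCloud: rejected request without verified client certificate'
            . " (SSL_CLIENT_VERIFY={$verdict}, peer={$peer})");
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    exit('You must provide a valid client certificate!');
}

// Place this call before anything else in index.php, i.e. before ownCloud's
// own bootstrap runs, so that unauthenticated clients never reach the login page.
require_client_cert($_SERVER);
```

With "SSLVerifyClient require" in the Apache vhost this guard is defence in depth; with "SSLVerifyClient optional" it is the only thing keeping the login page from anonymous clients.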

