[Owncloud] oc with ssl client certificate

Mario Klug mario at klug.me
Thu Oct 31 07:07:32 UTC 2013


Sorry, this was a mistake.

You'd have to check if $_SERVER['SSL_CLIENT_VERIFY'] says "SUCCESS".  If no certificate is available it's also there but the value is "NONE".

Regards
Mario

-----Original Message-----
From: Mario Klug <mario at klug.me>
Sent: Thu 31 October 2013 08:05
To: owncloud at kde.org
Subject: AW: [Owncloud] oc with ssl client certificate

 

Hi Johannes,
I haven't tried it by myself but theoretically when using a client certificate the apache webserver adds SSL_SERVER_I_DN_CN and SSL_SERVER_I_DN_Email to the $_SERVER array.

This makes it very easy to add a check if a certificate is available in index.php.

if (!isset($_SERVER['SSL_SERVER_I_DN_CN'])) {
    die('You must provide a valid client certificate!');
}

When anybody opens your owncloud without a certificate he will receive a blank page which says "You must provide a valid client certificate".
If the browser sends this certificate the login should appear as usual.

Hope this helps as a workaround.

Regards
Mario

-----Original Message-----
From: Dr. Johannes Zellner <johannes at zellner.org>
Sent: Wed 30 October 2013 22:49
To: owncloud at kde.org
Subject: Re: [Owncloud] oc with ssl client certificate

Hi,

thanks.

The interesting question from my (the client) perspective is: (how) did you make it work on the server?

It's as simple as having the client certificate to grant (and be required) to access the web server.
Afterwards I've to log into owncloud as usual.

So this is a two stage login process, which...

1. ...prevents anybody who doesn't have a valid client certificate to even see the login page
2. ...still allows to log into owncloud under different accounts, e.g. an admin and a user account (if you have the certificate)

This is perfectly what I like and what works inside a web browser.
In fact I wouldn't like the certificate to be linked to an owncloud account as it wouldn't allow me to log in under different accounts any more.
I believe that this is a very common scenario that someone wishes to double-protect a private owncloud server.

so it would be nice to have client authentication working with the owncloud clients.

regards,

-- 
Johannes


2013/10/30 Daniel Molkentin <danimo at owncloud.com>
Hi Johannes,

On 30.10.2013 at 17:03, Dr. Johannes Zellner wrote:

how do owncloud clients work when apache is configured with ssl client certificate authentication?

Neither the desktop nor the mobile clients support certificate authentication at this point, see below for details.

does the windows client work with a client certificate?

The Desktop Client (which has the same codebase for all OSes), has https://github.com/owncloud/mirall/issues/69 filed for that. It's not yet scheduled for any release, but if you look at the bug report, someone has volunteered to look into it, although it's been a few weeks since I last heard of him.

The interesting question from my (the client) perspective is: (how) did you make it work on the server? IMHO client certificates are only interesting if ownCloud automatically maps them to a user (as opposed to just being in front of http basic auth as a second layer), and afaik there is no user backend for the server that implements such functionality.

does mounting via davfs2 on linux work with a client certificate?

Haven't tested that yet myself. The man page indicates that it does. 

Cheers,
  Daniel

--
www.owncloud.com - Your Data, Your Cloud, Your Way!

ownCloud GmbH, GF: Markus Rex, Holger Dyroff
Schloßäckerstrasse 26a, 90443 Nürnberg, HRB 28050 (AG Nürnberg)


_______________________________________________
Owncloud mailing list
Owncloud at kde.org
https://mail.kde.org/mailman/listinfo/owncloud
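
Added example, not part of the original thread and not ownCloud code: the check from the first mail next to the corrected SSL_CLIENT_VERIFY check. It assumes Apache mod_ssl exports its variables to PHP (SSLOptions +StdEnvVars) and requests client certificates with SSLVerifyClient optional; the function names and all sample values are constructed.

```php
<?php
// Added example: not from the thread and not ownCloud code.
// Function names and all sample values below are constructed.

// The check from the first mail: SSL_SERVER_I_DN_CN is the issuer CN of the
// *server's* certificate, so it is set whether or not the client sent one.
function originalCheck(array $server): bool
{
    return isset($server['SSL_SERVER_I_DN_CN']);
}

// The corrected check: mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS,
// GENEROUS or FAILED:reason. Only the exact string SUCCESS is accepted;
// a missing variable (not exported by Apache) is treated as NONE.
function clientCertVerified(array $server): bool
{
    return ($server['SSL_CLIENT_VERIFY'] ?? 'NONE') === 'SUCCESS';
}

if (PHP_SAPI !== 'cli') {
    // Web request: this is the guard that would sit at the top of index.php.
    if (!clientCertVerified($_SERVER)) {
        http_response_code(403);
        exit('You must provide a valid client certificate!');
    }
} else {
    // Command line: compare both checks on constructed environments.
    $server = ['SSL_SERVER_I_DN_CN' => 'Example CA'];
    $samples = [
        'no client certificate'   => $server + ['SSL_CLIENT_VERIFY' => 'NONE'],
        'verified certificate'    => $server + ['SSL_CLIENT_VERIFY' => 'SUCCESS'],
        'unverifiable (GENEROUS)' => $server + ['SSL_CLIENT_VERIFY' => 'GENEROUS'],
        'expired certificate'     => $server + ['SSL_CLIENT_VERIFY' => 'FAILED:certificate has expired'],
        'variables not exported'  => [],
    ];
    foreach ($samples as $label => $env) {
        printf(
            "%-24s original=%-5s corrected=%s\n",
            $label,
            originalCheck($env) ? 'allow' : 'deny',
            clientCertVerified($env) ? 'allow' : 'deny'
        );
    }
}
```

Run from the command line, the script prints one line per sample environment with the decision of each check; served by Apache, it acts as the guard itself and answers 403 unless the certificate verified.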


