[Owncloud] oc with ssl client certificate
Dr. Johannes Zellner
johannes at zellner.org
Thu Oct 31 21:32:20 UTC 2013
Hi,
thanks, but that's not what I thought of. Authorization via client
certificate DOES already work if used from a web browser.
What I'd like to have is the owncloud client (windows or linux gui) to use
a client certificate to authenticate to a server which allows connection
only by a client certificate.
This doesn't work yet unfortunately.
--
Dr. Johannes Zellner <johannes at zellner.org>
2013/10/31 Mario Klug <mario at klug.me>
> **
>
>
> Sorry, this was a mistake.
>
> You'd have to check if $_SERVER['SSL_CLIENT_VERIFY'] says "SUCCESS". If
> no certificate is available it's also there but the value is "NONE".
>
> Regards
> Mario
>
> -----Ursprüngliche Nachricht-----
> *Von:* Mario Klug <mario at klug.me>
> *Gesendet:* Don 31 Oktober 2013 08:05
> *An:* owncloud at kde.org
> *Betreff:* AW: [Owncloud] oc with ssl client certificate
>
>
> Hi Johannes,
> I haven't tried it by myself but theoratically when using a client
> certificate the apache webserver adds SSL_SERVER_I_DN_CN and
> SSL_SERVER_I_DN_Email to the $_SERVER array.
>
> This makes it very easy to add a check if a certificate is available in
> index.php.
>
> if(!isset($_SERVER['SSL_SERVER_I_DN_CN'])) {
>
> die('You must provide a valid client certificate!');
> }
>
> When anybody opens your owncloud without a certificate he will receive a
> blank page which tells "You must provide a valid client certificate".
> If the browser send this certificate the login should appear as usual.
>
> Hope this helps as workaround.
>
> Regards
> Mario
>
> -----Ursprüngliche Nachricht-----
> *Von:* Dr. Johannes Zellner <johannes at zellner.org>
> *Gesendet:* Mit 30 Oktober 2013 22:49
> *An:* owncloud at kde.org
> *Betreff:* Re: [Owncloud] oc with ssl client certificate
>
> Hi,
>
> thanks.
>
> *The interesting question from my (the client) perspective is: (how) did
> you make it work on the server?*
> *
> *
> It's as simple as having the client certificate to grant (and be required)
> to access the web server.
> Afterwards I've to log into owncloud as usual.
>
> So this is a two stage login process, which...
>
> 1. ...prevents anybody who doesn't have a valid client certificat to even
> see the login page
> 2. ...still allows to log into owncloud under different accounts, e.g. an
> admin and a user account (if you have the certificate)
>
> This is perfectly what I like and what works inside a web browser.
> In fact I wouldn't like the certificate to be linked to an owncloud
> account as it wouldn't allow me to log in under different accounts any more.
> I believe that this is a very common scenario that someone wishes to
> double-protect a private owncloud server.
>
> so it would be nice to have client authentication working with the
> owncloud clients.
>
> regards,
>
> --
> Johannes
>
>
> 2013/10/30 Daniel Molkentin <danimo at owncloud.com>
>
>> Hi Johannes,
>>
>> Am 30.10.2013 um 17:03 schrieb Dr. Johannes Zellner:
>>
>> how do owncloud clients work when apache is configured with ssl client
>> certificate authentification?
>>
>>
>> Neither the desktop nor the mobile clients support certificate
>> authentication at this point, see below for details.
>>
>> does the windows client work with a client certificate?
>>
>>
>> The Desktop Client (which has the same codebase for all OSes), has
>> https://github.com/owncloud/mirall/issues/69 filed for that. It's not
>> yet scheduled for any release, but if you look at the bug report, someone
>> has volunteered to look into it, although it's been a few weeks since I
>> last heard of him.
>>
>> The interesting question from my (the client) perspective is: (how) did
>> you make it work on the server? IMHO client certificates are only
>> interesting if ownCloud automatically maps them to a user (as opposed to
>> just being in front of http basic auth as a second layer), and afaik there
>> is no user backend for the server that implements such functionality.
>>
>> does mounting via davfs2 on linux work with a client certificate?
>>
>>
>> Haven't tested that yet myself. The man page indicates that it does.
>>
>> Cheers,
>> Daniel
>>
>> --
>> www.owncloud.com - Your Data, Your Cloud, Your Way!
>>
>> ownCloud GmbH, GF: Markus Rex, Holger Dyroff
>> Schloßäckerstrasse 26a, 90443 Nürnberg, HRB 28050 (AG Nürnberg)
>>
>>
>> _______________________________________________
>> Owncloud mailing list
>> Owncloud at kde.org
>> https://mail.kde.org/mailman/listinfo/owncloud
>>
>>
> _______________________________________________
>
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/listinfo/owncloud
>
>
> _______________________________________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/listinfo/owncloud
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/owncloud/attachments/20131031/dd95fdfd/attachment.html>
More information about the Owncloud
mailing list