Hi,
I just patched ocsync to allow for CA and client certificates.
The patch is attached and applies to ocsync as from pulled from git://
git.csync.org/users/freitag/csync.git
The syntax is pretty obvious IMHO and is described in the help:
--ca-cert=<file> file name of CA certificate
--client-cert=<file> file name of client certificate
--client-cert-pass=<p> password of client certificate
This allows ocsync to connect to a server which is protected by a
(self-signed) client certificate.
The ca file will usually be a PEM file, the client certificate will usually
be in p12 format.
I added corresponding properties ca_certificate, client_certificate and
client_certificate_pass to csync_owncloud.[ch], which could also be used by
the gui.
This relates to https://github.com/owncloud/mirall/issues/69
*Anyone volunteers to do the gui stuff? (I'm afraid of beeing not
experienced enough to do this).*
*It would be nice if this could make it to the official sources soon.*
--
Johannes.
2013/10/31 Dr. Johannes Zellner <[email protected]>
> Hi,
>
> thanks, but that's not what I thought of. Authorization via client
> certificate DOES already work if used from a web browser.
>
> What I'd like to have is the owncloud client (windows or linux gui) to use
> a client certificate to authenticate to a server which allows connection
> only by a client certificate.
> This doesn't work yet unfortunately.
>
> --
> Dr. Johannes Zellner <[email protected]>
>
>
> 2013/10/31 Mario Klug <[email protected]>
>
>>
>> Sorry, this was a mistake.
>>
>> You'd have to check if $_SERVER['SSL_CLIENT_VERIFY'] says "SUCCESS". If
>> no certificate is available it's also there but the value is "NONE".
>>
>> Regards
>> Mario
>>
>> -----Ursprüngliche Nachricht-----
>> *Von:* Mario Klug <[email protected]>
>> *Gesendet:* Don 31 Oktober 2013 08:05
>> *An:* [email protected]
>> *Betreff:* AW: [Owncloud] oc with ssl client certificate
>>
>>
>> Hi Johannes,
>> I haven't tried it by myself but theoratically when using a client
>> certificate the apache webserver adds SSL_SERVER_I_DN_CN and
>> SSL_SERVER_I_DN_Email to the $_SERVER array.
>>
>> This makes it very easy to add a check if a certificate is available in
>> index.php.
>>
>> if(!isset($_SERVER['SSL_SERVER_I_DN_CN'])) {
>>
>> die('You must provide a valid client certificate!');
>> }
>>
>> When anybody opens your owncloud without a certificate he will receive a
>> blank page which tells "You must provide a valid client certificate".
>> If the browser send this certificate the login should appear as usual.
>>
>> Hope this helps as workaround.
>>
>> Regards
>> Mario
>>
>> -----Ursprüngliche Nachricht-----
>> *Von:* Dr. Johannes Zellner <[email protected]>
>> *Gesendet:* Mit 30 Oktober 2013 22:49
>> *An:* [email protected]
>> *Betreff:* Re: [Owncloud] oc with ssl client certificate
>>
>> Hi,
>>
>> thanks.
>>
>> *The interesting question from my (the client) perspective is: (how) did
>> you make it work on the server?*
>>
>> It's as simple as having the client certificate to grant (and be
>> required) to access the web server.
>> Afterwards I've to log into owncloud as usual.
>>
>> So this is a two stage login process, which...
>>
>> 1. ...prevents anybody who doesn't have a valid client certificat to even
>> see the login page
>> 2. ...still allows to log into owncloud under different accounts, e.g. an
>> admin and a user account (if you have the certificate)
>>
>> This is perfectly what I like and what works inside a web browser.
>> In fact I wouldn't like the certificate to be linked to an owncloud
>> account as it wouldn't allow me to log in under different accounts any more.
>> I believe that this is a very common scenario that someone wishes to
>> double-protect a private owncloud server.
>>
>> so it would be nice to have client authentication working with the
>> owncloud clients.
>>
>> regards,
>>
>> --
>> Johannes
>>
>>
>> 2013/10/30 Daniel Molkentin <[email protected]>
>>
>>> Hi Johannes,
>>>
>>> Am 30.10.2013 um 17:03 schrieb Dr. Johannes Zellner:
>>>
>>> how do owncloud clients work when apache is configured with ssl client
>>> certificate authentification?
>>>
>>>
>>> Neither the desktop nor the mobile clients support certificate
>>> authentication at this point, see below for details.
>>>
>>> does the windows client work with a client certificate?
>>>
>>>
>>> The Desktop Client (which has the same codebase for all OSes), has
>>> https://github.com/owncloud/mirall/issues/69 filed for that. It's not
>>> yet scheduled for any release, but if you look at the bug report, someone
>>> has volunteered to look into it, although it's been a few weeks since I
>>> last heard of him.
>>>
>>> The interesting question from my (the client) perspective is: (how) did
>>> you make it work on the server? IMHO client certificates are only
>>> interesting if ownCloud automatically maps them to a user (as opposed to
>>> just being in front of http basic auth as a second layer), and afaik there
>>> is no user backend for the server that implements such functionality.
>>>
>>> does mounting via davfs2 on linux work with a client certificate?
>>>
>>>
>>> Haven't tested that yet myself. The man page indicates that it does.
>>>
>>> Cheers,
>>> Daniel
>>>
>>> --
>>> www.owncloud.com - Your Data, Your Cloud, Your Way!
>>>
>>> ownCloud GmbH, GF: Markus Rex, Holger Dyroff
>>> Schloßäckerstrasse 26a, 90443 Nürnberg, HRB 28050 (AG Nürnberg)
>>>
>>>
>>> _______________________________________________
>>> Owncloud mailing list
>>> [email protected]
>>> https://mail.kde.org/mailman/listinfo/owncloud
>>>
>>>
>> _______________________________________________
>>
>> Owncloud mailing list
>> [email protected]
>> https://mail.kde.org/mailman/listinfo/owncloud
>>
>>
>> _______________________________________________
>> Owncloud mailing list
>> [email protected]
>> https://mail.kde.org/mailman/listinfo/owncloud
>>
>>
>
diff -cr ocsync.orig/client/csync_client.c ocsync/client/csync_client.c
*** ocsync.orig/client/csync_client.c 2013-11-02 21:42:53.659029039 +0100
--- ocsync/client/csync_client.c 2013-11-02 21:23:02.000000000 +0100
***************
*** 61,66 ****
--- 61,69 ----
--test-statedb Test creation of the statedb. Runs update\n\
detection.\n\
--test-update Test the update detection\n\
+ --ca-cert=<file> file name of CA certificate\n\
+ --client-cert=<file> file name of client certificate\n\
+ --client-cert-pass=<p> password of client certificate\n\
-?, --help Give this help list\n\
--usage Give a short usage message\n\
-V, --version Print program version\n\
***************
*** 82,87 ****
--- 85,93 ----
{"version", no_argument, 0, 'V' },
{"usage", no_argument, 0, 'h' },
{"proxy", required_argument, 0, 'p' },
+ {"ca-cert", required_argument, 0, 0 },
+ {"client-cert", required_argument, 0, 0 },
+ {"client-cert-pass",required_argument, 0, 0 },
{0, 0, 0, 0}
};
***************
*** 98,103 ****
--- 104,112 ----
int propagate;
bool with_conflict_copys;
char *http_proxy;
+ char *ca_certificate;
+ char *client_certificate;
+ char *client_certificate_pass;
};
static void print_version()
***************
*** 175,180 ****
--- 184,195 ----
csync_args->reconcile = 0;
csync_args->propagate = 0;
/* printf("Argument: test-statedb\n"); */
+ } else if(c_streq(opt->name, "ca-cert")) {
+ csync_args->ca_certificate = c_strdup(optarg);
+ } else if(c_streq(opt->name, "client-cert")) {
+ csync_args->client_certificate = c_strdup(optarg);
+ } else if(c_streq(opt->name, "client-cert-pass")) {
+ csync_args->client_certificate_pass = c_strdup(optarg);
} else {
fprintf(stderr, "Argument: No idea what!\n");
}
***************
*** 207,212 ****
--- 222,230 ----
arguments.propagate = 1;
arguments.with_conflict_copys = false;
arguments.http_proxy = NULL;
+ arguments.ca_certificate = NULL;
+ arguments.client_certificate = NULL;
+ arguments.client_certificate_pass = NULL;
parse_args(&arguments, argc, argv);
/* two options must remain as source and target */
***************
*** 291,296 ****
--- 309,326 ----
}
}
+ if (arguments.ca_certificate) {
+ csync_set_module_property(csync, "ca_certificate", arguments.ca_certificate);
+ }
+
+ if (arguments.client_certificate) {
+ csync_set_module_property(csync, "client_certificate", arguments.client_certificate);
+ }
+
+ if (arguments.client_certificate_pass) {
+ csync_set_module_property(csync, "client_certificate_pass", arguments.client_certificate_pass);
+ }
+
if (arguments.update) {
if (csync_update(csync) < 0) {
perror("csync_update");
diff -cr ocsync.orig/modules/csync_owncloud.c ocsync/modules/csync_owncloud.c
*** ocsync.orig/modules/csync_owncloud.c 2013-11-02 21:42:53.663029039 +0100
--- ocsync/modules/csync_owncloud.c 2013-11-02 21:19:52.000000000 +0100
***************
*** 576,581 ****
--- 576,582 ----
ne_set_server_auth(dav_session.ctx, ne_auth, 0 );
if( useSSL ) {
+
if (!ne_has_support(NE_FEATURE_SSL)) {
DEBUG_WEBDAV("Error: SSL is not enabled.");
rc = -1;
***************
*** 583,588 ****
--- 584,635 ----
}
ne_ssl_trust_default_ca( dav_session.ctx );
+
+ if (dav_session.ca_certificate) {
+
+ ne_ssl_certificate *cert = ne_ssl_cert_read(dav_session.ca_certificate);
+
+ if (cert) {
+ ne_ssl_trust_cert(dav_session.ctx, cert);
+ ne_ssl_cert_free(cert);
+ } else {
+ printf("Could not load CA cert: %s\n", ne_get_error(dav_session.ctx));
+ }
+ }
+
+
+ if (dav_session.client_certificate) {
+
+ ne_ssl_client_cert *ccert;
+
+ ccert = ne_ssl_clicert_read(dav_session.client_certificate);
+
+ if (ccert == NULL) {
+
+ /* handle error... */
+ printf("Could not load client cert: %s\n", ne_get_error(dav_session.ctx));
+
+ } else if (ne_ssl_clicert_encrypted(ccert)) {
+
+ if (!dav_session.client_certificate_pass) {
+ printf("Missing required password for encrypted client certificate.\n");
+ }
+
+ if (ne_ssl_clicert_decrypt(ccert, dav_session.client_certificate_pass)) {
+
+ /* could not decrypt! handle error... */
+ printf("Could not decrypt client cert: %s\n", ne_get_error(dav_session.ctx));
+ ne_ssl_clicert_free(ccert);
+ ccert = NULL;
+ }
+ }
+
+ if (ccert) {
+ ne_ssl_set_clicert(dav_session.ctx, ccert);
+ ne_ssl_clicert_free(ccert);
+ }
+ }
+
ne_ssl_set_verify( dav_session.ctx, verify_sslcert, 0 );
}
***************
*** 1818,1823 ****
--- 1865,1873 ----
READ_STRING_PROPERTY(proxy_host)
READ_STRING_PROPERTY(proxy_user)
READ_STRING_PROPERTY(proxy_pwd)
+ READ_STRING_PROPERTY(ca_certificate)
+ READ_STRING_PROPERTY(client_certificate)
+ READ_STRING_PROPERTY(client_certificate_pass)
#undef READ_STRING_PROPERTY
if (c_streq(key, "proxy_port")) {
***************
*** 1931,1936 ****
--- 1981,1989 ----
SAFE_FREE( dav_session.proxy_host );
SAFE_FREE( dav_session.proxy_user );
SAFE_FREE( dav_session.proxy_pwd );
+ SAFE_FREE( dav_session.ca_certificate );
+ SAFE_FREE( dav_session.client_certificate );
+ SAFE_FREE( dav_session.client_certificate_pass );
SAFE_FREE( dav_session.session_key);
SAFE_FREE( dav_session.error_string );
diff -cr ocsync.orig/modules/csync_owncloud.h ocsync/modules/csync_owncloud.h
*** ocsync.orig/modules/csync_owncloud.h 2013-11-02 21:42:53.663029039 +0100
--- ocsync/modules/csync_owncloud.h 2013-11-02 21:16:11.000000000 +0100
***************
*** 146,151 ****
--- 146,154 ----
int proxy_port;
char *proxy_user;
char *proxy_pwd;
+ char *ca_certificate;
+ char *client_certificate;
+ char *client_certificate_pass;
char *session_key;
_______________________________________________
Owncloud mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/owncloud
