CollaboraOnline / online

Collabora Online is a collaborative online office suite based on LibreOffice technology. This is also the source for the Collabora Office apps for iOS and Android.
https://collaboraonline.com

'SSL verify=false' no longer works in collabora/code:24.04.5.1.1 -- self signed certificates are incorrectly blocked #9519

Closed LMRW closed 2 months ago

LMRW commented 2 months ago

Describe the Bug

Please see related issue for nextcloud/richdocuments here: https://github.com/nextcloud/richdocuments/issues/3824

The issue is when nextcloud/richdocuments specifies $options['verify'] = false, CollaboraOnline/online ignores this request and still complains about a self signed certificate.

Steps to Reproduce

  1. Configure CODE server via docker and nextcloud, install Nextcloud Office app into nextcloud
  2. Go to admin setting for 'office' in nextcloud
  3. Enable 'Disable certificate verification' option
  4. Use a self signed certificate for collabora
  5. Access a document in nextcloud
  6. You see the error 'Unauthorised WOPI host. Please try again later and report to your administrator if the issue persists. Authorization error was: 'self-signed certificate in certificate chain'.'

Expected Behavior

CollaboraOnline/online should respect $options['verify'] = false request from nextcloud/richdocuments, and allow a self signed certificate

Actual Behavior

Even when verify=false is sent to CODE server, it still does not allow self signed certificates.

Additional Context

THIS HAS BEEN TESTED AS BELOW:

BUG PRESENT IN DOCKER IMAGE collabora/code:24.04.4.2.1: NO

BUG PRESENT IN DOCKER IMAGE collabora/collabora/code:24.04.5.1.1: YES

This means this bug is new and only recently introduced in version 24.04.5.1.1.

As such for the time being I have downgraded.

LMRW commented 2 months ago

Note: If this is expected behaviour (i.e. 24.04.5.1.1 requires different/additional arguments to allow self signed certs) I could not find the documentation for this, but it would be useful for nextcloud/richdocuments to update to maintain compatibility. If however it is confirmed to be an unexpected bug within 24.04.5.1.1, I will close issue https://github.com/nextcloud/richdocuments/issues/3824

LMRW commented 2 months ago

How can I help get a fix for this through? Happy to help

juliushaertl commented 2 months ago

The verify option that richdocuments sets is only for verifying the Collabora certificate on the Nextcloud side. For Collabora verifying the Nextcloud certificate the relevant setting should be ssl.ssl_verification in coolwsd.xml. You probably need to adjust that, but I cannot tell why that might have changed in those Collabora versions.

LMRW commented 2 months ago

Very useful information thank you

If need be, can nextcloud tell Collabora to not perform this check?

LMRW commented 2 months ago

You also have given me a clue, so now maybe this weekend I can try modifying my docker container to get the latest version to work by adjusting ssl.ssl_verification.

I'll read up on what environment variables are possible and/or modify my built coolwsd.xml

thebearon commented 2 months ago

The advice from @juliushaertl is correct. In case of a Docker container, the parameter for this is -e "extra_params=--o:ssl.ssl_verification=false". The separate config was added in connection to the following CVE: https://github.com/CollaboraOnline/online/security/advisories/GHSA-crg3-fjm2-xvpq
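An added example, not part of the thread and not Collabora's or Nextcloud's code: a small audit helper that resolves the effective ssl.ssl_verification value from a coolwsd.xml plus the container's extra_params, so deployments where outbound certificate verification has been switched off can be found and tracked. Assumptions: the dotted key maps to nested elements under a `<config>` root, the last `--o:` override wins, and the truthy strings accepted are the ones listed in the code; the XML and parameter strings are constructed samples.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample: minimal coolwsd.xml fragment (assumed layout: the dotted
# key ssl.ssl_verification maps to <config><ssl><ssl_verification>).
SAMPLE_XML = """<config>
  <ssl>
    <enable type="bool">true</enable>
    <ssl_verification type="string">true</ssl_verification>
  </ssl>
</config>"""

# Constructed sample: the extra_params value quoted in this thread.
SAMPLE_EXTRA_PARAMS = "--o:ssl.ssl_verification=false"
KEY = "ssl.ssl_verification"


def from_xml(xml_text, key=KEY):
    """Return the text of the element addressed by a dotted key, or None."""
    node = ET.fromstring(xml_text).find("/".join(key.split(".")))
    return node.text.strip() if node is not None and node.text else None


def from_extra_params(extra_params, key=KEY):
    """Return the value of the last --o:key=value override for key, or None."""
    value = None
    for token in shlex.split(extra_params or ""):
        if token.startswith("--o:"):
            name, sep, val = token[4:].partition("=")
            if sep and name == key:
                value = val  # assumption: a later override replaces an earlier one
    return value


def effective_verification(xml_text, extra_params):
    """Resolve the effective setting; a command-line override beats the file."""
    override = from_extra_params(extra_params)
    raw = override if override is not None else from_xml(xml_text)
    if raw is None:
        return {"enabled": None, "source": "unset"}
    enabled = raw.strip().lower() in ("true", "1", "yes", "on")  # assumed truthy set
    return {"enabled": enabled, "source": "extra_params" if override is not None else "coolwsd.xml"}


if __name__ == "__main__":
    print(effective_verification(SAMPLE_XML, SAMPLE_EXTRA_PARAMS))
```

A result with `enabled` set to False means Collabora will accept any certificate from the WOPI host, which is the state the override in this thread produces.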

LMRW commented 2 months ago

Great advice thank you

Can I ask where this was documented? As a user, it was working fine. Then it stopped. I didn't really have any indication why.