owncloud / client

🖥️ Desktop Syncing Client for ownCloud
GNU General Public License v2.0

TLS Client certificate support [$110] #69

Closed martinKupec closed 7 years ago

martinKupec commented 11 years ago

Hi,

I am deploying ownCloud to a private environment. As I want to upload confidential documents to my cloud, I need some good security.

I have decided that it would be nice to require SSL certificates from clients. This is a pretty strong security measure. But I have found that there is no support for this in mirall.

I kindly ask any mirall/csync developer if it would be possible to add a configure option for an SSL client certificate. All that is needed is to provide the certificate when connecting to the server. It should be a simple task for someone familiar with the code.

Mirall uses QSslSocket and there are QSslSocket::setLocalCertificate and QSslSocket::setPrivateKey functions to set the certificate.

csync uses neon and it has ne_ssl_set_clicert function.

I will be happy to answer any question or test any code. Thank you.

Update from @danimo:

Ok, for someone who likes to pick this feature up, here is what needs to be done in more detail:

If you want to start working on it, please contact me.

--- Did you help close this issue? Go claim the **[$110 bounty](https://www.bountysource.com/issues/905047-tls-client-certificate-support?utm_campaign=plugin&utm_content=tracker%2F216457&utm_medium=issues&utm_source=github)** on [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F216457&utm_medium=issues&utm_source=github).

wdehoog commented 11 years ago

We have the same situation and cannot use the client until it can provide certificates.

Preferably it would use the Windows certificate store or the one from Firefox.

kzajacc commented 11 years ago

We're just another group of people who are interested in this functionality. It would be appreciated if you would implement this.

frijsdijk commented 11 years ago

Yessir, interested in such a feature!

danimo commented 11 years ago

If there is so much interest, why does nobody come up with a patch then?

pretjep commented 11 years ago

Waiting for this!!

rbardoel commented 11 years ago

+1 for this feature!

danimo commented 11 years ago

Added outline on how to implement the feature.

natschil commented 11 years ago

I'm currently using stunnel to create a https->http "tunnel" as an ugly hack to get this functionality. It works okay-ish, but having to start stunnel every time I start mirall is far from optimal.

natschil commented 11 years ago

Does anyone know whether there's any work happening on this? If not, I would be interested in looking at the source code to see what I can do.

danimo commented 11 years ago

@natschil I am not aware of anyone working on this. See my description in the original report on what needs to be done. Don't hesitate to ask if you need further help.

natschil commented 11 years ago

I'll have a look at what I can do in the next few days. Is there an irc channel for mirall development somewhere?

danimo commented 11 years ago

#owncloud-client-dev

think-nice-things commented 10 years ago

I just patched ocsync to allow for CA and client certificates. I mailed the patch to owncloud@kde.org as I don't know how to add it here.

The syntax is pretty obvious IMHO and is described in the new help:

--ca-cert=<file>       file name of CA certificate
--client-cert=<file>   file name of client certificate
--client-cert-pass=<p> password of client certificate

This allows ocsync to connect to a server which is protected by a (self-signed) client certificate.

The ca file will usually be a PEM file, the client certificate will usually be in p12 format.

I added corresponding properties ca_certificate, client_certificate and client_certificate_pass to csync_owncloud.[ch], which could also be used by the gui.

Anyone volunteers to do the GUI stuff? (I'm afraid of being not experienced enough to do this.)

It would be nice if this could make it to the official sources soon.

natschil commented 10 years ago

Thanks for doing this! I also have a set of (untested) patches for ocsync with client side ssl certificates, I can upload them somewhere if you want to compare yours with mine. Note that my patches only change the owncloud module of csync, and hence have no commandline arguments, but if I remember correctly, owncloud doesn't actually call the csync application w/ commandline parameters but instead dynamically loads a shared library or something. (I coded this about a month ago, and I don't remember the details).

I had a look at some of the GUI stuff too and made some preliminary changes (such as changing the .ui files to accept client side SSL certificates, and changing some of the configuration file abstraction to be able to set client side SSL cert configuration options), but then I ran out of free time and didn't actually get to anything that works (writing Qt GUIs is not really my area of expertise either).

think-nice-things commented 10 years ago

natschil // yes please make your code available, I'll check if I can make the best from both versions

moscicki commented 10 years ago

Hi guys,

Funny enough, I also have a patch related to SSL certificates: disabling the check altogether (originally because of a self-signed cert on the server). It is actually controlled by the PATCH variable in my compilation script that was discussed on the mailing list. Not sure if we will need this anymore if we have the --cert options you developed.

kuba

natschil commented 10 years ago

This issue isn't related to ssl checks though, but to being able to provide a client side ssl certificate.

icetype commented 10 years ago

Is there any plan to implement client side SSL certificate support in the Desktop Sync Client software? This functionality would be very much appreciated!

danimo commented 10 years ago

@icetype The feature is not scheduled for the next two major releases. Which pretty much means it's not on the roadmap. As indicated above, we're glad to assist anyone who attempts to implement SSL client certs as a coherent feature in the ownCloud Client.

Alternatively, you can always influence the main developers' priorities by purchasing an ownCloud commercial license and telling sales you need this particular feature.

icetype commented 10 years ago

Thank you for the information, danimo!

laurivosandi commented 10 years ago

Could you guys please share patches you've got?

danimo commented 10 years ago

@natschil @moscicki Care to share your patches with @v6sa?

natschil commented 10 years ago

Sorry for not doing this earlier, I've been relatively busy recently and haven't gotten to working on this.... I've put a patch for csync and one for mirall here: https://github.com/natschil/owncloud_client_side_ssl_stuff

Notes: The csync patch is far more complete than the mirall one. I didn't completely understand the mirall codebase iirc, and so only made a few tentative changes. It may be of some help to someone looking at the scope of what needs to be changed, but I would caution you that especially the mirall patch is far from comprehensive. The csync patch is, as far as I remember, relatively complete. (It is against git://git.csync.org/users/owncloud/csync.git )

icetype commented 10 years ago

Thank you, @natschil, for kindly providing your patches. I'm a complete newbie but will give it a try to build them.

natschil commented 10 years ago

@icetype You can try to build the csync one (I think it compiles), but the owncloud patch doesn't actually do anything. These patches are mainly meant for someone trying to develop client side ssl functionality to have a look at; they aren't actually working code. Sorry for being unclear...

natschil commented 10 years ago

@icetype If you're looking for using client side ssl certificates, I suggest you use stunnel to connect to your server, that has worked for me in the past.

icetype commented 10 years ago

@natschil Thank you for the information and kind suggestion. In fact, I tried to use ssh dynamic port forwarding with client-side ssl certificates and a SOCKS5 proxy setting in the ownCloud client. It seems to be working OK so far, although it may not be an ideal solution.

Raptormagnum commented 10 years ago

With a colleague, we did it with the latest client version (1.6) and Qt 5.0.

The client needs a PKCS12 container to match the server certificate and establish the SSL connection. Otherwise, the connection can't be established.

The window to configure the PKCS12 path pops up when the returned SSL error is SSL_ERROR_HANDSHAKE_FAILURE_ALERT.

natschil commented 10 years ago

@Raptormagnum : Is your code somewhere in github? If yes, is this issue closed?

monkeyhybrid commented 10 years ago

+1000 for client side SSL certificate support in the sync clients.

danimo commented 10 years ago

@monkeyhybrid Please refrain from adding useless + messages. Currently, we are not short of priorities. Let code speak and get your hands dirty. Or try money (there is a Bountysource set up for ownCloud, https://www.bountysource.com/teams/owncloud), to attract new contributors.

fredericmohr commented 9 years ago

@danimo I'm currently trying to implement this feature. So far I have the csync part and a working owncloudcmd. The login works, but it seems that JournalDb has problems which is probably because I haven't added the client certificate to the QSslNetworkAccessManager.

Got any info where I have to add this (which files)? I tried to figure out how the QSslConfiguration part works but I'm new to all of this and can't really make sense of it.

FYI, I'm currently not trying to change the gui client. First I want to get the sync with owncloudcmd working before I start with the gui.

moscicki commented 9 years ago

On which platform do you test it? When you have something workable, please let know how I may try it out... I am also interested in this.

fredericmohr commented 9 years ago

I'm currently testing the client on Ubuntu Server 14.04. As I said, I'm only working on owncloudcmd, not the GUI client, but I will try to implement it there as well as soon as I get occmd working. (Then it should be just a Qt thing...)

Once I'm done I'll put it online and post it here for everyone to try out.

PS: I'm thankful for any help/info I can get with the NetworkAccessManager / QSslConfiguration part. I'm really stuck there atm.

nocteau commented 9 years ago

Hi, I published a 1.6 version of a modified desktop client. This client was developed with Raptormagnum and is able to support a P12 client certificate. The source code needs some improvement but you can get it here: https://github.com/nocteau/mirall/tree/1.6

dragotin commented 9 years ago

@nocteau: thanks, we will check. Please bear with us that this will take some time.

fredericmohr commented 9 years ago

Awesome, I'll try to build and run it tomorrow. I'll let you know if I run into any bugs :)

Raptormagnum commented 9 years ago

FYI, you need libcrypto and libopenssl to build.

qknight commented 9 years ago

@nocteau - https://github.com/nocteau/mirall/tree/1.6 I've packaged owncloud-client-1.7.0 for NixOS and it is working. Next I adapted the nix-expression to use your 1.6 branch; I can start the client but it segfaults (as described below in detail):

Help: it seems the gdb trace below does not give me enough details to know what causes the segfault.

I was using: cmake -DCMAKE_BUILD_TYPE=Debug -DCMAKE_SKIP_BUILD_RPATH=ON -DCMAKE_INSTALL_PREFIX=$out ..

to build the software.

Thanks for your effort to provide this patch; it is really valuable to have this client certificate feature in the owncloud-client.

running owncloud

  1. I type 'owncloud'
  2. I see the client and modify my current connection (which I created with owncloud 1.7)
  3. There I do 'modify account'
  4. I add my remote server (which has SSL client certificates enabled and works with Firefox)

    Failed to connect to ownCloud at https://foo.de/bar: SSL handshake failed

  5. Then a 'Certificate authentication' dialog pops up. I set a certificate path but leave the password field empty (if I fill in a password, I get the error "Impossible de parser le fichier PKCS#12 (mauvais mot de passe ?)", which is a correct error, since the key is wrong as I don't have my p12 encrypted).
  6. Now I'm asked for username/password and it does not matter what I type in there, it will crash afterwards with the segfault below:

segfault

#0  0x0000000000451c98 in QString::QString(QString const&) ()
#1  0x00007ffff66fa4a2 in Mirall::HttpCredentials::HttpCredentials(QString const&, QString const&, QString const&, QString const&, QString const&) ()
   from /nix/store/69llx5a5q9pvv1q7qyy84a3j0g9lsva7-owncloud-client-1.6.0/lib64/libowncloudsync.so.0
#2  0x0000000000469d19 in Mirall::OwncloudHttpCredsPage::getCredentials() const ()
#3  0x00000000004638a3 in Mirall::OwncloudWizard::getCredentials() const ()
#4  0x0000000000472fc1 in Mirall::OwncloudSetupWizard::slotConnectToOCUrl(QString const&) ()
#5  0x00000000004a5c9d in Mirall::OwncloudSetupWizard::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) ()
#6  0x00007ffff22acd96 in QMetaObject::activate(QObject*, int, int, void**) () from /nix/store/nz184gqszb9470dq5zbd3w5r9wsxxf6g-qt-5.2.1/lib/libQt5Core.so.5
#7  0x00000000004a7873 in Mirall::OwncloudWizard::connectToOCUrl(QString const&) ()
#8  0x00000000004a742a in Mirall::OwncloudWizard::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) ()
#9  0x00007ffff22acd96 in QMetaObject::activate(QObject*, int, int, void**) () from /nix/store/nz184gqszb9470dq5zbd3w5r9wsxxf6g-qt-5.2.1/lib/libQt5Core.so.5
#10 0x00000000004a6db5 in Mirall::OwncloudHttpCredsPage::connectToOCUrl(QString const&) ()
#11 0x0000000000469980 in Mirall::OwncloudHttpCredsPage::validatePage() ()
#12 0x00007ffff79177bf in QWizard::next() () from /nix/store/nz184gqszb9470dq5zbd3w5r9wsxxf6g-qt-5.2.1/lib/libQt5Widgets.so.5
#13 0x00007ffff22acd96 in QMetaObject::activate(QObject*, int, int, void**) () from /nix/store/nz184gqszb9470dq5zbd3w5r9wsxxf6g-qt-5.2.1/lib/libQt5Core.so.5
#14 0x00007ffff7a605e2 in QAbstractButton::clicked(bool) () from /nix/store/nz184gqszb9470dq5zbd3w5r9wsxxf6g-qt-5.2.1/lib/libQt5Widgets.so.5
#15 0x00007ffff77e9406 in ?? () from /nix/store/nz184gqszb9470dq5zbd3w5r9wsxxf6g-qt-5.2.1/lib/libQt5Widgets.so.5
#16 0x00007ffff77e97ee in QAbstractButton::click() () from /nix/store/nz184gqszb9470dq5zbd3w5r9wsxxf6g-qt-5.2.1/lib/libQt5Widgets.so.5
#17 0x00007ffff78d9aa5 in QDialog::keyPressEvent(QKeyEvent*) () from /nix/store/nz184gqszb9470dq5zbd3w5r9wsxxf6g-qt-5.2.1/lib/libQt5Widgets.so.5

dependencies i am using:

nix-store --query --requisites /nix/store/69llx5a5q9pvv1q7qyy84a3j0g9lsva7-owncloud-client-1.6.0/bin/owncloud  | sed -e 's/^/    /g'
/nix/store/fbrdhcwqnwg44c31wz9ng9qpc3lf8gmr-xproto-7.0.26
/nix/store/ghvrcvzzd83j4vvynm7kry4n9s42b986-linux-headers-3.7.1
/nix/store/i11d0d4015p0vbdnjq7lb509v9pwp049-glibc-2.19
/nix/store/4z6wpk99i5ibvlgmpddbmrhd0bvnq4mh-libXdmcp-1.1.1
/nix/store/vwfkdyc65x76glbkx6fbik97wiq5vv89-libXau-1.0.8
/nix/store/iyqc0amn4vcinyadrs7mg5w1im0nfg8n-libxcb-1.11
/nix/store/01cynfnbnyr49jx41a7ppgx3vgwn1pln-xcb-util-wm-0.4.1
/nix/store/6p7rwk5c23wsgkbhcg14dqg58yv5wcl5-libpciaccess-0.13.2
/nix/store/0p6x2lyb9s01wbsyi93hx281zjnwh799-libdrm-2.4.56
/nix/store/j9z585f73bl8i5r0q9pvzwanc7xh5fns-bash-4.2-p51
/nix/store/qf04wrishkjhk27yib92gnlasqg5s38n-attr-2.4.47
/nix/store/g0fzvg4adlwibyxa26jrvzdnpd63grnp-acl-2.2.52
/nix/store/mbq4nwsyjf3wpj00pxls75pikczizs16-coreutils-8.21
/nix/store/9ikh5ifbi15iq2d9kcgmg28kzzzw2jx1-zlib-1.2.8
/nix/store/n2zcibvfxg6k2wpiipd8bzmc46q0vjy6-gcc-4.8.3
/nix/store/ycmsiznf2484vbjwmj57jdy2ncyrj7fj-binutils-2.23.1
/nix/store/12k2cnlgppwzgwar7ipzpr9i6pv27rl0-gcc-wrapper-4.8.3
/nix/store/28k3shgd8h3f6gkx69bg2pd80933hlmw-kbproto-1.0.6
/nix/store/98bazl9c745c1q645y7l5nd9gpwg3zdd-libX11-1.6.2
/nix/store/9hbzyw01c76jx15d2bijfjpsy2yznr90-xextproto-7.3.0
/nix/store/7x10isnwjc3zc2zx1bjss1i9ynw1idax-libXext-1.3.3
/nix/store/kzv36v4yiaaxfhrbp4yz7hdh08ib93i3-inputproto-2.3.1
/nix/store/13qf3k6c4zd7pl48n5gbw0xlv75j1vqv-libXi-1.7.4
/nix/store/d2l0chpw8ys75nh2y8xb2bwbpl37igsw-libogg-1.3.2
/nix/store/19jg2m7lchszjsd0z4g8l7525k5cdnw3-libvorbis-1.3.4
/nix/store/3c2ylhmw1b4fwxjvnkn7xh5dk1194w65-cdparanoia-III-10.2
/nix/store/4gxphxmmy8rw81f0hk32r07zls3zczp5-libgpg-error-1.17
/nix/store/5176aycp30pyjbfvgwwa3rchkgvxq75q-libICE-1.0.9
/nix/store/qxfk6symx3qjkc3h76b20a952rx0mwj6-cracklib-2.9.1
/nix/store/5dsh816zhh6d26dv5j4npprchmrd22f3-linux-pam-1.1.8
/nix/store/7bwvyvzzar933samgplh6zjs1nq1pfqa-libmicrohttpd-0.9.38
/nix/store/ash6ha16a2rb2jyasxc8ljjjhp3iancv-util-linux-2.25.1
/nix/store/aw68yp4xj5bsn4rvrh8bn5b8pn4avv7d-libcap-2.22
/nix/store/by51b7f4rph8q6gf3g0i3dm0vyb20jhb-libffi-3.0.13
/nix/store/fayy66lhdkjcbpn7x6mycdlaya9r5vmm-sysvtools-2.88dsf
/nix/store/p0z2yw63cqwv0ics21s70ys4lc75swin-gzip-1.6
/nix/store/qcpcs24jzqa0v7ks06f7289mx3ghsly8-bzip2-1.0.6
/nix/store/hs0yycnf9mvirc4pqkbzv431gnb77sqg-kbd-1.15.3
/nix/store/k0bmql79s9przbx8m23bschh2ij634mf-kmod-18
/nix/store/lla8bj7kp6v306hi8rykmgxzrk9ld6cs-xz-5.0.5
/nix/store/6jvr2bi18p8dvgmw9l4akicd5ww4l0gq-pcre-8.35
/nix/store/6qvjjaywj6qf8jn9splpiz9qap01w36w-perl-5.16.3
/nix/store/ip711szwgvwx666pbrazh00ni3qkc1ad-openssl-1.0.1j
/nix/store/6l1bvljpy8gazlsw2aw9skwwp4pmvyxw-python-2.7.8
/nix/store/8vx2ary0m2bbhzgwlddmdcygnq511v96-libelf-0.8.13
/nix/store/xyb4p3di6zd4k77g92dp2a697wy4b4dw-glib-2.40.0
/nix/store/zxyd14xhzakvr3gai86pags7lhb3i223-libgcrypt-1.5.4
/nix/store/gphg2ga8hn4pp8bbhg574ypdp7m1qqi5-systemd-212
/nix/store/5pxyvah03v7d6khp5ajinl3gymb4q1c5-libusb-1.0.19
/nix/store/6mrq7apz8rpavi4x2vdkcafi6xcak768-xcb-util-0.3.9
/nix/store/5qp0qkyl64kkjmxakwjc3xxdrzdzv6ra-xcb-util-image-0.3.9
/nix/store/fkmvmjchjbxr2hq1lzzj402ib7x0w478-libxshmfence-1.1
/nix/store/g449mjvsk4b4mv1gyrdvgf4s5pv64d2q-fixesproto-5.0
/nix/store/wc6jrn0lhg52j57ls5wmk7gk9vizvd41-libXfixes-5.0.1
/nix/store/sw5q7ymzxm1pc5xjlbycf41avip4p1w1-damageproto-1.2.1
/nix/store/zma2zljjf60f3s09pbzxzinafkwi4wb2-libXdamage-1.1.4
/nix/store/jaq4xkjr736rypycxqjj3kqzd1a66xa1-xf86vidmodeproto-2.3.1
/nix/store/zmyphm8ba8h5kyb5jlcarhajfkm7sv04-libXxf86vm-1.1.3
/nix/store/az8kr8w6zc7q5ih7kfkjzqzgrjm7l3b3-ncurses-5.9
/nix/store/b6amr43h021kfkbwz6sgahvk1dsigsrn-llvm-3.4.2
/nix/store/j08ar697mnk532fqsj1pi1fvqgm31xzy-expat-2.1.0
/nix/store/x92c9kmnmhhjghxqbx2zwh5fcli2jvn0-wayland-1.6.0
/nix/store/zswissl3qwy88gsarhvhx40a4dcjak5h-mesa-noglu-10.2.6
/nix/store/6q1p1h68fi08xvla5705lcagcbv74kn0-glu-9.0.0
/nix/store/7wmlb3sxyzm51nlip8262373gjnb4l9g-gdbm-1.11
/nix/store/8kwy968j65jq0504nqxmr9fzk0ipbz8j-flac-1.3.0
/nix/store/pq0kvrsqsr1kfxmyx82yv4nfj3hk7hr0-gnused-4.2.2
/nix/store/cxdrb2xylajv8bmcldx9dm7m0lzpqfv5-pcre-8.35
/nix/store/wy6rp99f93j720ara5j40gzf6vwprw78-gnugrep-2.14
/nix/store/9b1d0cg0rqca149vkk2gydsz1qbw2zlm-libtool-2.4.2
/nix/store/ap6377gpymhy21bmdjxmp5r17cj3d6f0-json-c-0.12
/nix/store/im6klkaj84ynihwvlkxgdj1pa4sgsgag-alsa-lib-1.0.28
/nix/store/bv8kyk7m4qxwdwhsvcbgl9ap8wdpp9in-fftw-double-3.3.4
/nix/store/pv477vya5g1fd2w69h6bdigrp9qq106i-libsndfile-1.0.25
/nix/store/jpjlrxj7qdriky6cxflxg25ds904qcam-libsamplerate-0.1.8
/nix/store/k36im4ny7sfzl85vq8f33ns0g8bbxjgg-sbc-1.1
/nix/store/m2zwqdrbwmckn6yxa8xn8j30spvrikg5-dbus-libs-1.8.6
/nix/store/zvx2gl5sc70zkxd7zg960wzk3z0df12v-speex-1.2rc1
/nix/store/9fhiqafci21xzi4ydniwrp9ryw8nazq8-pulseaudio-5.0
/nix/store/bgr331g3g3qrszv7955hpb2ivvh7x41s-icu4c-53.1
/nix/store/xhgxirigmla4m125mz7a6dq9hfksgjvb-libjpeg-turbo-1.3.1
/nix/store/msj9arkm72hfw0ahbqzz6j9kpahaashb-libtiff-4.0.3
/nix/store/xi6jimqv2gaxq8hks3vx9imnipmwizqv-libpng-1.6.13
/nix/store/dv98mk3w7jx8f60v5n54pi5vw009ik4v-cups-1.5.4
/nix/store/nilfv1d8h1y6jyfjii75pw0wbcab2psc-libxml2-2.9.2
/nix/store/f5zcp3sainsq9x3k2ssi40bpk1fsgwzq-libxslt-1.1.28
/nix/store/80p77l6xhhkcb68gc9w7b2n75a17l0ln-orc-0.4.22
/nix/store/cwh0g04ivgwrncaaadzb4dp5flkj82bp-pixman-0.32.6
/nix/store/dl2nh80wqi07l8d0cialg8n93aip53z2-libSM-1.2.2
/nix/store/s1n8g01x9slks39amxigr6l21gz2kp6n-freetype-2.5.3
/nix/store/ir037n9vz50zinmwyx5531scmgi54mqs-fontconfig-2.10.2
/nix/store/m91g8j22igb0b0614l1838f9na1wyypy-libXt-1.1.4
/nix/store/cbvi2l71kcr9qw0b8aczv6dvq2h9msdv-renderproto-0.11.1
/nix/store/m2n48dmc08sdhszj6hv47cjnc2mg9qkl-libXrender-0.9.8
/nix/store/qndzxq4zjf9vcd3s37cvmp2afi4vpx9j-libXft-2.3.2
/nix/store/gihkrnix1z6j5j3xv3rpabzcgv2ywavs-xlibs-wrapper
/nix/store/jj94376pxvz6ihrp58k8r8x9babzr9yp-cairo-1.12.16
/nix/store/zw8ps42gd299vg8cq8mjc8kw6nmzgvs2-videoproto-2.3.2
/nix/store/kgkhzmng0wq2156bscn0zv9d0gk6d9wc-libXv-1.0.10
/nix/store/mkjs797bw892gwhak43zkswfgp913sbc-libtheora-1.1.1
/nix/store/pcliiflfinm85bdygxjgq1fcwzyvxa1x-gstreamer-0.10.36
/nix/store/qcv2i77kly19lv7m1nhpyhw1zxi9ba3a-graphite2-1.2.4
/nix/store/z2a6qkxmig8zv4wlg3kid7mlsg7dssxz-harfbuzz-0.9.35
/nix/store/xajv130il78la12mlrwgvfl2ich32v11-pango-1.32.5
/nix/store/h89lyqgrvp16db9yca6bfdvyyjj3jrax-gst-plugins-base-0.10.36
/nix/store/fw3wfm9a3l80xrcw6rvf7v2zlzg5s7dc-readline-6.3p08
/nix/store/vjkl65bpzl39nfskl31x43x4bwipfqg3-gnutar-1.27.1
/nix/store/j0781x6b8a8dxkdzvpj00x1lrk4gfg61-postgresql-9.2.9
/nix/store/zqw2zji08jsxwnmpvg5if9p5sjnwrbz3-procps-3.3.10
/nix/store/kv3dvclv19h4iv3gqc3y63apfw55marc-mysql-5.1.73
/nix/store/aldpf37l4qi0c28f6f48lgcc6dc6x9dl-compositeproto-0.4.2
/nix/store/mmpvrwawy064dlv56c6qvy26258cyf12-libXcomposite-0.4.4
/nix/store/v1jcqalbh5ph20bd6ihjc8gck9i3pprs-xkeyboard-config-2.11
/nix/store/na38pna27fz68nf1f7bjxrn8yamk64fm-libxkbcommon-0.4.2
/nix/store/sxps3hfynbjw7l9d6ypbnhapg0z6b7sv-xcb-util-keysyms-0.3.9
/nix/store/yg67dg2gwy82nyln72wd5k3c2ydd58n0-sqlite-3.8.7
/nix/store/9c7bbf06x754428p3yax78b6ca00gxm8-giflib-5.1.0
/nix/store/zvhmj0p5xdhhg12i060qkfkpnpqn78d3-libwebp-0.4.1
/nix/store/nz184gqszb9470dq5zbd3w5r9wsxxf6g-qt-5.2.1
/nix/store/qsn0yqrbfs0674p47xsdwx3wh7g5vm4s-neon-0.29.6
/nix/store/xmksqnsalz3mmsizy42r5mcsj0dfmcpz-qtkeychain-0.4.0
/nix/store/69llx5a5q9pvv1q7qyy84a3j0g9lsva7-owncloud-client-1.6.0

Raptormagnum commented 9 years ago

@qknight : The problem is the empty password for the PKCS12.

In fact, a PKCS12 is an encrypted container which contains sensitive information, so we didn't think the password could be blank.

To debug: if the PKCS12 password is empty in the GUI, the line of the "mirall config file" concerning the password is a null QString. After that, we need to read this password from the "mirall config file".

In your case, it's null => segfault.

To allow an empty password, you need to check if the QString is null (in the mirall config file).

qknight commented 9 years ago

I discovered this issue in your code (among a few other things which I will fix). However, this one is critical as it causes a segfault here. I can't understand why this code was working for you.

You need to apply this fix to stop the segfault from happening.

passing the parent

diff --git a/src/wizard/owncloudwizard.cpp b/src/wizard/owncloudwizard.cpp
index 4de3c7e..df3d220 100644
--- a/src/wizard/owncloudwizard.cpp
+++ b/src/wizard/owncloudwizard.cpp
@@ -38,7 +38,7 @@ OwncloudWizard::OwncloudWizard(QWidget *parent)
     : QWizard(parent),
       _account(0),
       _setupPage(new OwncloudSetupPage(this)),
-      _httpCredsPage(new OwncloudHttpCredsPage),
+      _httpCredsPage(new OwncloudHttpCredsPage(this)),
       _shibbolethCredsPage(new OwncloudShibbolethCredsPage),
       _advancedSetupPage(new OwncloudAdvancedSetupPage),
       _resultPage(new OwncloudWizardResultPage),
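Review bot: the parent is now passed for `_httpCredsPage` only, while `_shibbolethCredsPage`, `_advancedSetupPage` and `_resultPage` in the same initializer list are still constructed without one; since `setPage()` below hands each page to the wizard anyway, the parent only matters for what the credentials page does inside its constructor, so add a short comment stating that requirement and check whether the Shibboleth credentials page has the same need, otherwise the asymmetry will read as an oversight.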
@@ -56,6 +56,7 @@ OwncloudWizard::OwncloudWizard(QWidget *parent)
     setPage(WizardCommon::Page_Result, _resultPage);
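Review bot: this hunk is cut off: the header `@@ -56,6 +56,7 @@` announces one added line, but only the `setPage(WizardCommon::Page_Result, _resultPage);` context line is shown, so the actual change cannot be reviewed; please paste the complete hunk.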

enforcing the parent

diff --git a/src/wizard/owncloudhttpcredspage.h b/src/wizard/owncloudhttpcredspage.h
index 5d7e9d5..74b1c09 100644
--- a/src/wizard/owncloudhttpcredspage.h
+++ b/src/wizard/owncloudhttpcredspage.h
@@ -29,7 +29,7 @@ class OwncloudHttpCredsPage : public AbstractCredentialsWizardPage
 {
   Q_OBJECT
 public:
-  OwncloudHttpCredsPage(QWidget* parent=0);
+  OwncloudHttpCredsPage(QWidget* parent);

   AbstractCredentials* getCredentials() const;
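Review bot: dropping the `=0` default makes the parent mandatory at compile time, which is the right way to enforce it; consider also marking the single-argument constructor `explicit`, and note that any remaining call site that still constructs `OwncloudHttpCredsPage()` without a parent will now fail to build, which is the intended effect.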

nocteau commented 9 years ago

@qknight : This error is due to a merge mistake... Sorry for this. Your fix was pushed to our repository. Thank you.

fredericmohr commented 9 years ago

Since I can't find any spare time to do this, here's a $50 bounty. Hope it helps :) https://www.bountysource.com/issues/905047-ssl-client-certificate

qknight commented 9 years ago

@nocteau I got your mirall, version 1.6.4 GIT, working (after a very long debugging session) and it is looking promising. Therefore, good work!

There are a few things I don't like:

Good work so far. I would want to review the patch as a whole again as my primary target was to get it running first.

danimo commented 9 years ago

Can you create a merge request for this (against master)? I'd be happy to review that one!

Unfortunately, moving to master will be a bit of a pain if you introduced new files, due to the restructuring done there.

qknight commented 9 years ago

@danimo that patch isn't yet ready for a pull request but it looks very good already.

@nocteau could you please post your vhost configuration for owncloud? Right now I'm debugging the 'AH01991: SSL input filter read failed' issue, and since the connection is being forced down, copying to the SSLed owncloud instance does not work very well. I also had problems using TLS and was forced to use SSLv3 (which I consider insecure: https://wiki.bitnami.com/security/2014-10-15_POODLE_issue_with_SSLv3_(CVE-2014-3566)).

In /etc/apache2/sites-enabled/owncloud.conf I write:

SSLProtocol all -SSLv2 -SSLv3

and it always uses SSLv3:

[Mon Dec 15 13:53:48.879210 2014] [ssl:debug] [pid 2388] ssl_engine_kernel.c(1844): [client 1.1.1.1:59412] AH02041: Protocol: SSLv3, Cipher: ECDHE-RSA-AES256-SHA (256/256 bits)

caused by (src/miral/account.cpp):

sslConfig.setProtocol(QSsl::SslV3); // not a good default! (qknight)

good SSL defaults:

QSsl::TlsV1SslV3    4   On the client side, this will send a TLS 1.0 Client Hello, enabling TLSv1 and SSLv3 connections. On the server side, this will enable both SSLv3 and TLSv1 connections.
QSsl::SecureProtocols   5   The default option, using protocols known to be secure; currently behaves like TlsV1SslV3.

source: http://qt-project.org/doc/qt-4.8/qssl.html#SslProtocol-enum

Raptormagnum commented 9 years ago

@qknight : For the SSLv3 issue: best practice says the server must choose the protocol. The server is responsible for security; it is not the role of the client. So, on the client side, it will be set to "automatic" or equivalent (SecureProtocols will be the best choice). You're on the right way. We already patched this issue.

For the Apache issue: I think apache doesn't support SSL on name-based resolution (VirtualHost *:443 must be VirtualHost 1.2.3.4:443). We are on vacation, so we don't have access to our lab. We can't send our VHost for now. Sorry.
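As an added example (not code from this thread or from the ownCloud project), the following Python script shows the two defender-side checks behind qknight's and Raptormagnum's exchange: a client TLS context that, like QSsl::SecureProtocols instead of QSsl::SslV3, leaves the version choice to negotiation but refuses anything below TLS 1.2 and optionally presents a client certificate, and a small parser for the mod_ssl AH02041 debug line quoted above that flags connections negotiated with SSLv3 or another retired version. The PEM conversion note, the file-name parameters, and every log line except the one copied from the thread are assumptions or constructed input.

```python
import re
import ssl
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches the mod_ssl debug line format quoted in the thread, e.g.
# "... [client 1.1.1.1:59412] AH02041: Protocol: SSLv3, Cipher: ECDHE-RSA-AES256-SHA (256/256 bits)"
_AH02041 = re.compile(
    r"\[client (?P<client>[^\]]+)\] AH02041: Protocol: (?P<proto>[^,]+), "
    r"Cipher: (?P<cipher>\S+)"
)

# Versions a hardened deployment should refuse: SSLv2/SSLv3 (POODLE, CVE-2014-3566,
# as linked in the thread) and the since-deprecated TLS 1.0 and 1.1.
RETIRED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class Handshake:
    client: str
    protocol: str
    cipher: str

    @property
    def retired(self) -> bool:
        return self.protocol in RETIRED_PROTOCOLS


def parse_handshake(line: str) -> Optional[Handshake]:
    """Return the negotiated protocol/cipher from an AH02041 line, or None for any other line."""
    m = _AH02041.search(line)
    if m is None:
        return None
    return Handshake(m.group("client"), m.group("proto").strip(), m.group("cipher"))


def find_retired_handshakes(lines: Iterable[str]) -> List[Handshake]:
    """Detection pass: every handshake that landed on a retired protocol version."""
    found = []
    for line in lines:
        hs = parse_handshake(line)
        if hs is not None and hs.retired:
            found.append(hs)
    return found


def make_client_context(ca_file: Optional[str] = None,
                        client_cert: Optional[str] = None,
                        client_key: Optional[str] = None,
                        key_password: Optional[str] = None) -> ssl.SSLContext:
    """Client-side policy equivalent to QSsl::SecureProtocols rather than QSsl::SslV3:
    negotiate the best version available, never below TLS 1.2, verify the server,
    and optionally present a client certificate (mutual TLS)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # sets CERT_REQUIRED and check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # private CA, like --ca-cert in the thread
    else:
        ctx.load_default_certs()
    if client_cert:
        # Assumption: cert and key are PEM files. Python's ssl module cannot read a
        # PKCS#12 bundle directly, so a .p12 must be converted to PEM beforehand.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key, password=key_password)
    return ctx


def context_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the security-relevant settings of a context so they can be asserted on."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
    }


# Constructed sample log; the first line is the one quoted in the thread.
SAMPLE_LOG = [
    "[Mon Dec 15 13:53:48.879210 2014] [ssl:debug] [pid 2388] ssl_engine_kernel.c(1844): "
    "[client 1.1.1.1:59412] AH02041: Protocol: SSLv3, Cipher: ECDHE-RSA-AES256-SHA (256/256 bits)",
    "[Mon Dec 15 13:54:02.100000 2014] [ssl:debug] [pid 2390] ssl_engine_kernel.c(1844): "
    "[client 10.0.0.7:40122] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "[Mon Dec 15 13:54:03.200000 2014] [ssl:debug] [pid 2390] ssl_engine_io.c(1850): "
    "[client 10.0.0.7:40122] AH01991: SSL input filter read failed.",
    "[Mon Dec 15 13:54:09.300000 2014] [ssl:debug] [pid 2391] ssl_engine_kernel.c(1844): "
    "[client 192.0.2.9:51000] AH02041: Protocol: TLSv1, Cipher: AES128-SHA (128/128 bits)",
]

if __name__ == "__main__":
    for hs in find_retired_handshakes(SAMPLE_LOG):
        print(f"retired protocol {hs.protocol} negotiated by {hs.client} ({hs.cipher})")
    print(context_policy(make_client_context()))
```

Run against a real mod_ssl log with LogLevel ssl:debug, the parser reports every client that still lands on SSLv3 or TLS 1.0 after the server-side SSLProtocol change, which is the quickest way to confirm that a client pinned to QSsl::SslV3 is the cause rather than the vhost configuration.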

fredericmohr commented 9 years ago

@Raptormagnum apache does support ssl/tls for name-based resolution. I have *:443 running for all my vhosts, you just need to set

SSLStrictSNIVHostCheck off

in /etc/apache2/ports.conf

Raptormagnum commented 9 years ago

From the mod_ssl documentation, the default value for SSLStrictSNIVHostCheck is off. We (nocteau and me) don't have to set this value, because we have only one certificate attached to one server. We don't use multiple certificates.

By the way, we use CentOS; I don't know the default value for Debian.

Thanks for the tip :+1:

Source : http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslstrictsnivhostcheck

ghost commented 9 years ago

We have our own company certificate authority (CA) that's installed on all our machines. For example, on a Mac, our company CA is listed as a system-wide trusted CA in OSX's "Keychain Access" program. However, owncloud doesn't recognise this!

owncloud.org seems to use its own list of trusted CAs, not the CAs listed in the operating system.

+1000 for this feature to be added.

Update:

So I clicked "Accept this certificate". When I restarted owncloud.org, I didn't get the error!

I then restarted my computer and owncloud.org does indeed seem to be using our internal CA. Great!

Using owncloud.org 1.7.1 OSX Yosemite.