termux / termux-packages

A package build system for Termux.
https://termux.dev

[Bug]: cadaver can't decrypt the client certificate for webdav mtls auth #16681

Closed ippocratis closed 1 year ago

ippocratis commented 1 year ago

Problem description

I am running a dockerised webdav server https://github.com/dgraziotin/docker-nginx-webdav-nononsense behind a reverse proxy and mutual TLS with Caddy.

I use cadaver on Android with Termux, installed with pkg install cadaver. I also have tsu installed.

cadaver can't decrypt the p12 client certificate.

What steps will reproduce the bug?

Open my webdav server

sudo cadaver https://mywebdav.instance.com

Throws error

Could not open collection: Could not read status line (TLS client certificate was requested): SSL error: sslv3 alert bad certificate

Set the client certificate

set client-cert /path/to/cert/client.p12

Open

open https://mywebdav.instance.com

Returns

The server has requested a client certificate. Client certificate /storage/emulated/0/cert/v4/client.p12' is encrypted. Decryption password: Password incorrect, try again. Decryption password: Password incorrect, try again.

Cadaver won't accept my correct password and therefore can't decrypt the p12 cert.

I also tried to use my .crt and .pem certs, but those throw an error:

Could not load client certificate from /path/to/cert/client.crt'. Could not open collection: Could not read status line (TLS client certificate was requested): SSL error: sslv3 alert bad certificate

What is the expected behavior?

Cadaver should decrypt the client certificate so that it will be provided to the server for mutual authentication and therefore be able to mount the webdav remote

System information

termux-info:

Termux Variables:
TERMUX_API_VERSION=0.50.1
TERMUX_APK_RELEASE=GITHUB
TERMUX_APP_PACKAGE_MANAGER=apt
TERMUX_APP_PID=5767
TERMUX_IS_DEBUGGABLE_BUILD=1
TERMUX_MAIN_PACKAGE_FORMAT=debian
TERMUX_VERSION=0.118.0
Packages CPU architecture:
aarch64
Subscribed repositories:
# sources.list
deb https://grimler.se/termux/termux-main stable main
# x11-repo (sources.list.d/x11.list)
deb https://grimler.se/termux/termux-x11 x11 main
# root-repo (sources.list.d/root.list)
deb https://grimler.se/termux/termux-root root stable
Updatable packages:
command-not-found/stable 2.1.0-24 aarch64 [upgradable from: 2.1.0-22]
gawk/stable 5.2.2 aarch64 [upgradable from: 5.2.1-1]
grep/stable 3.11 aarch64 [upgradable from: 3.10-1]
libmpfr/stable 4.2.0-p7-0 aarch64 [upgradable from: 4.2.0-p4-0]
libnettle/stable 3.9 aarch64 [upgradable from: 3.8.1]
libnghttp2/stable 1.53.0 aarch64 [upgradable from: 1.52.0]
libxml2/stable 2.11.3 aarch64 [upgradable from: 2.11.2]
termux-tools version:
1.38.1
Android version:
13
Kernel build information:
Linux localhost 4.14.290-lineageos-g2110d546a2e0 #1 SMP PREEMPT Sun Mar 19 17:24:03 UTC 2023 aarch64 Android
Device manufacturer:
Xiaomi
Device model:
Redmi Note 9S
LD Variables:
LD_LIBRARY_PATH=
LD_PRELOAD=/data/data/com.termux/files/usr/lib/libtermux-exec.so

cadaver -V

shows

cadaver 0.24 neon 0.32.5: Library build, IPv6, Expat 2.5.0, zlib 1.2.13, OpenSSL 3.0.7 1 Nov 2022 (thread-safe). readline 8.2

openssl version

Shows

OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)

sylirre commented 1 year ago

What OpenSSL version was used to encrypt the certificate?

ippocratis commented 1 year ago

> What OpenSSL version was used to encrypt the certificate?

OpenSSL 1.1.1q 5 Jul 2022 on a raspberrypi Linux sway 5.15.78-1-MANJARO-ARM-RPI #1 SMP PREEMPT Sat Nov 12 17:13:38 UTC 2022 aarch64 GNU/Linux

I see that cadaver uses 3.0.7 1 Nov 2022 (is that somehow integrated to cadaver?)

I also have 3.1.0 14 Mar 2023 installed in termux

sylirre commented 1 year ago

Try re-encrypting your certificate with OpenSSL v3.x. There were changes made to encrypt functionality in the major update and I once got a similar problem (not with a cert, but with a file).

ippocratis commented 1 year ago

> Try re-encrypting your certificate with OpenSSL v3.x. There were changes made to encrypt functionality in the major update and I once got a similar problem (not with a cert, but with a file).

I had to upgrade manjaro arm to get v3.x openssl

Cadaver can now decrypt the cert fine

BUT

This creates another issue, more severe for my use case.

Android can't decrypt the p12 cert created with openssl 3 when trying to install it in the device's user cert store.

I need that for apps and the browser that use the device user cert store for mutual TLS authentication.

ippocratis commented 1 year ago

Converting the p12 to legacy mode did the trick

openssl pkcs12 -nodes < your.p12 > /tmp/certbag.pem

openssl pkcs12 -export -legacy -in /tmp/certbag.pem > /tmp/legacy.p12

https://stackoverflow.com/questions/71872900/installing-pcks12-certificate-in-android-wrong-password-bug

Thanks

Closing
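
Added example, not part of the thread: OpenSSL 1.1.1 writes PKCS#12 files with RC2-40/3DES and a SHA-1 MAC by default, while OpenSSL 3.x defaults to PBES2 with AES-256-CBC and a SHA-256 MAC, so the sketch below classifies a file from its `openssl pkcs12 -info -noout` output and performs the legacy conversion through a pipe instead of a plaintext PEM in /tmp. The function names, the `P12_PASS` environment variable and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, P12_PASS and the
# sample text are assumptions made for this illustration.

# p12_profile: read `openssl pkcs12 -info -noout` output on stdin and
# print legacy | modern | unknown.
p12_profile() {
    info=$(cat)
    # RC2/3DES PBE or a SHA-1 MAC are the OpenSSL 1.1.1 defaults; OpenSSL 3.x
    # only reads RC2 when its legacy provider is loaded.
    if printf '%s\n' "$info" | grep -Eq 'RC2-CBC|TripleDES-CBC|^MAC: sha1,'; then
        echo legacy
    # PBES2 with AES is the OpenSSL 3.x default.
    elif printf '%s\n' "$info" | grep -q 'PBES2'; then
        echo modern
    else
        echo unknown
    fi
}

# p12_inspect FILE: classify a real file; the password comes from $P12_PASS.
p12_inspect() {
    # 2>&1 because openssl writes the algorithm summary to stderr.
    openssl pkcs12 -info -noout -in "$1" -passin env:P12_PASS 2>&1 | p12_profile
}

# p12_to_legacy IN OUT: re-encrypt with the legacy algorithms (-legacy needs
# OpenSSL 3.x). The decrypted key only travels through a pipe.
p12_to_legacy() {
    ( umask 077
      openssl pkcs12 -in "$1" -nodes -passin env:P12_PASS |
          openssl pkcs12 -export -legacy -out "$2" -passout env:P12_PASS )
}

# Constructed samples of `openssl pkcs12 -info -noout` output.
SAMPLE_OPENSSL1='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'
SAMPLE_OPENSSL3='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

printf '1.1.1-style file: %s\n' "$(printf '%s\n' "$SAMPLE_OPENSSL1" | p12_profile)"
printf '3.x-style file:   %s\n' "$(printf '%s\n' "$SAMPLE_OPENSSL3" | p12_profile)"
```

Running `p12_inspect client.p12` before and after `p12_to_legacy client.p12 legacy.p12` shows which profile each consumer is being handed.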