Fix up SSL client certificates #5213 #69 #5289
Conversation
guruz
force-pushed
the
fix_client_certs
branch
from
0b6b215 to
707541a
Compare
| @@ -144,7 +144,12 @@ void ConnectionValidator::slotStatusFound(const QUrl&url, const QVariantMap &inf | |||
| // status.php could not be loaded (network or server issue!). | |||
| void ConnectionValidator::slotNoStatusFound(QNetworkReply *reply) | |||
| { | |||
| qDebug() << Q_FUNC_INFO << reply->error() << reply->errorString(); | |||
| qDebug() << Q_FUNC_INFO << reply->error() << reply->errorString() << reply->peek(1024); | |||
There was a problem hiding this comment.
@ogoffart @ckamm @dragotin Would you judge this as OK? On startup..
The server (nginx at least) sends a HTTP 400 if there is no cert sent (for status.php). Then we'll load the credentials and retry (the connection validator seems to retry if reportResult that) when the cert (and other stuff) is fetched from keychain. Then it works..
Does this loading-from-keychain somehow interfere with SAML/Shibboleth or anything overriding the auth via theme? I guess not since the type of credentials is set in the cfg and not keychain?
There was a problem hiding this comment.
I don't know about this. Could we generally require that credentials must be loaded before we attempt to connect?
The re-enables the UI, uses Qt API for importing and stores the certificate/key in the system keychain. People who had set up client certs need to re-setup the account. This is ok since it was an undocumented feature anyway.
guruz
force-pushed
the
fix_client_certs
branch
from
707541a to
81631ee
Compare
guruz
added
ReadyToTest
| @@ -29,8 +29,11 @@ OwncloudConnectionMethodDialog::OwncloudConnectionMethodDialog(QWidget *parent) | |||
| connect(ui->btnClientSideTLS, SIGNAL(clicked(bool)), this, SLOT(returnClientSideTLS())); | |||
| connect(ui->btnBack, SIGNAL(clicked(bool)), this, SLOT(returnBack())); | |||
|
|
|||
| // DM: TLS Client Cert GUI support disabled for now | |||
|
|
|||
| #if QT_VERSION < QT_VERSION_CHECK(5, 4, 0) | |||
There was a problem hiding this comment.
No, for old versions we want to hide this button to not allow the user to configure anything.
This is based on 3dd6bcc
| QString s = QString::fromStdString(certif.Certificate); | ||
| QByteArray ba = s.toLocal8Bit(); | ||
| // to re-create the session ticket because we added a key/cert | ||
| acc->setSslConfiguration(QSslConfiguration()); |
There was a problem hiding this comment.
Does this line do anything? In particular, shouldn't the SslConfiguration returned from the next line be exactly the empty configuration passed in here?!
There was a problem hiding this comment.
No, setting a null configuration should make getOrCreateSslConfig return a new configuration filled in with some stuff already. The goal is also to clear any ssl session ticket etc out so we start with a new configuration state
There was a problem hiding this comment.
@ckamm Do you agree/understand? Then I can merge?
There was a problem hiding this comment.
@guruz Yes, right. Setting a null configuration will cause getOrCreateSslConfig to build a fresh configuration! All good.
| const char certifPathC[] = "certificatePath"; | ||
| const char certifPasswdC[] = "certificatePasswd"; | ||
| const char clientCertificatePEMC[] = "_clientCertificatePEM"; | ||
| const char clientKeyPEMC[] = "_clientKeyPEM"; |
There was a problem hiding this comment.
This means this change will force current users of client certificates to re-setup? (probably okay)
There was a problem hiding this comment.
Yes... IMHO that's ok because it was always an undocumented feature
There was a problem hiding this comment.
on the other hand, why changing?
There was a problem hiding this comment.
Because the config file is not a secure place to store a private key
| if (_ready) { | ||
| Q_EMIT fetched(); | ||
| } else { | ||
| // Read client cert from keychain | ||
| const QString kck = keychainKey(_account->url().toString(), _user + clientCertificatePEMC); |
There was a problem hiding this comment.
Is it correct that the PEM and the key are both considered secrets?
There was a problem hiding this comment.
Maybe not. Do you think I should store the cert in the config? I thought having it all in keychain is more clean
guruz
changed the title
| const char certifPathC[] = "certificatePath"; | ||
| const char certifPasswdC[] = "certificatePasswd"; | ||
| const char clientCertificatePEMC[] = "_clientCertificatePEM"; | ||
| const char clientKeyPEMC[] = "_clientKeyPEM"; |
There was a problem hiding this comment.
on the other hand, why changing?
|
|
||
| if (readJob->error() == NoError && readJob->binaryData().length() > 0) { | ||
| QByteArray clientKeyPEM = readJob->binaryData(); | ||
| // FIXME Unfortunately Qt has a bug and we can't just use QSsl::Opaque to let it |
There was a problem hiding this comment.
Has the bug been reported? If yes, a reference to the bug number here would be nice so we can remove that code in some year when we see it is fixed in the version we support.
The re-enables the UI, uses Qt API for importing and
stores the certificate/key in the keychain.