Pre-submission Checks
I checked for similar issues, but could not find any. I also checked the closed issues. I could not contribute additional information to any existing issue.
I will take the time to fill in all the required fields. I know that the bug report may be dismissed otherwise due to lack of information.
Describe the bug
Hello,
Thanks to issue #69 then MR #5289 in 2017, the desktop client should ask for a client certificate if the webserver requires it for early authentication, also known as mTLS (or mutual TLS). It seems to no longer be the case, since the desktop client has changed throughout the years, especially with a migration to Qt6. For that reason I'm opening a new issue instead of reviving one from 7 years ago that perhaps doesn't correlate to the current codebase anymore.
Expected behavior
While error 400 is returned by the webserver not being presented with a valid client certificate, which is reported as debug line "error:0A000412:SSL routines::sslv3 alert bad certificate" by the client, the user should then be provided with a pop-up window suggesting to add a .p12 certificate.
Steps to reproduce the issue
Submit a server address or domain in front of a webserver requiring a client certificate (also known as mTLS)
Screenshots
Please note the URL has been anonymized for this issue.
Logs
24-10-15 17:02:20:078 [ debug gui.setupwizard.controller ] [ OCC::Wizard::SetupWizardController::SetupWizardController(OCC::SettingsDialog*)::<lambda ]: next button clicked, current state OCC::Wizard::ServerUrlSetupWizardState(0xd500470)
24-10-15 17:02:20:177 [ critical gui.wizard.resolveurl ]: "Failed to resolve URL https://blabla.bleubl.eu, error: Erreur lors de la lecture : error:0A000412:SSL routines::sslv3 alert bad certificate"
24-10-15 17:02:20:179 [ debug gui.setupwizard.controller ] [ OCC::Wizard::SetupWizardController::changeStateTo ]: Current wizard state: OCC::Wizard::SetupWizardState::ServerUrlState
24-10-15 17:02:20:181 [ warning gui.wizard.resolveurl ]: "Could not detect compatible server at https://blabla.bleubl.eu"
24-10-15 17:02:31:874 [ debug gui.setupwizard.controller ] [ OCC::Wizard::SetupWizardController::SetupWizardController(OCC::SettingsDialog*)::<lambda ]: wizard window closed
Client version number
ownCloud 5.3.1.14018 f15fd5
Libraries Qt 6.4.3, OpenSSL 3.1.2 1 Aug 2023
Using virtual files plugin: suffix
OS: fedora-6.11.3-200.fc40.x86_64
QPA: xcb
Desktop environment (Linux only)
Fedora 40 – Gnome 46
Client package version and origin (Linux only)
ownCloud version 5.3.1.14018 — Fedora Official Repos
Installation path (Windows only)
No response
Server information
OCIS 6.5.0
RHEL 9.4
Caddy
Additional context
I'm able to set up and get OCIS running just fine without the client certificate required by the Caddy webserver. Though the webserver is not at fault: other apps succeed with asking for a client certificate when required, and I've tested it with Nextcloud desktop client for example. However the lack of this security feature prevents me from switching everything to OCIS, which I'd love to do considering how much faster it has been during my testing.
Qt6 documentation still supports PKCS#12 : https://doc.qt.io/qt-6/qsslcertificate.html
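Added example, not part of the original report or of the ownCloud code base: a log triage helper that decodes the OpenSSL error code seen in the report (`0A000412`) and flags lines where the server answered with a certificate-related TLS alert, which is the condition under which a client could offer a certificate prompt. It assumes the OpenSSL 3.x error-code layout; the function names are hypothetical and the sample log is constructed from the line format shown in the report.

```python
import re

# OpenSSL 3.x packs an error code as (library << 23) | reason.
ERR_LIB_SSL = 20
# In the SSL library, reason = 1000 + N means "peer sent TLS alert N".
SSL_AD_REASON_OFFSET = 1000
# Alerts (RFC 8446, section 6) a server sends about the client's certificate.
# Heuristic: either one on a first connection suggests mTLS is enforced.
CLIENT_CERT_ALERTS = {
    42: "bad_certificate",
    116: "certificate_required",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(code_hex):
    """Split an OpenSSL 3.x error code into (library, reason)."""
    code = int(code_hex, 16)
    return (code >> 23) & 0xFF, code & 0x7FFFFF


def client_cert_alerts(log_text):
    """Return (line_number, alert_name) for each certificate alert found."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        for code_hex in ERR_RE.findall(line):
            library, reason = decode_openssl_error(code_hex)
            alert = reason - SSL_AD_REASON_OFFSET
            if library == ERR_LIB_SSL and alert in CLIENT_CERT_ALERTS:
                hits.append((number, CLIENT_CERT_ALERTS[alert]))
    return hits


# Constructed sample: lines 1-2 follow the client log in the report; line 3
# is a made-up entry carrying the TLS 1.3 certificate_required code.
SAMPLE_LOG = """\
24-10-15 17:02:20:177 [ critical gui.wizard.resolveurl ]: "Failed to resolve URL https://blabla.bleubl.eu, error: Erreur lors de la lecture : error:0A000412:SSL routines::sslv3 alert bad certificate"
24-10-15 17:02:20:181 [ warning gui.wizard.resolveurl ]: "Could not detect compatible server at https://blabla.bleubl.eu"
00-00-00 00:00:00:000 [ critical gui.wizard.resolveurl ]: "error:0A00045C:SSL routines::tlsv13 alert certificate required"
"""

if __name__ == "__main__":
    for number, alert in client_cert_alerts(SAMPLE_LOG):
        print(f"line {number}: server sent {alert}; client certificate likely expected")
```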