Make external shares work with imported self signed certificates #10420
Fixes #9786

looks good. 👍
lib/private/certificatemanager.php
openssl_pkey_get_public is not a proper way to check whether a certificate is valid. I'll hijack this PR later to adjust this.
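An added illustration of the review comment above, not code from this pull request: `openssl_pkey_get_public()` also accepts a bare public key and never looks at the validity period, so a stricter check parses the input as X.509 and compares the validity dates. The helper name `isUsableCertificate` and the sample certificate are constructed for this example.

```php
<?php
// Constructed sample input: a throwaway self-signed certificate (valid for
// one day) and the matching bare public key, both in PEM form.
$key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['commonName' => 'example.invalid'], $key, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']);
openssl_x509_export($cert, $certPem);
$pubPem = openssl_pkey_get_details($key)['key']; // a public key, not a certificate

/**
 * Hypothetical helper: accept only input that parses as an X.509 certificate
 * and whose validity window contains $now. It does not verify a signature
 * chain; for an imported self-signed certificate, trust is the importer's call.
 */
function isUsableCertificate(string $pem, ?int $now = null): bool
{
    $now  = $now ?? time();
    $x509 = @openssl_x509_read($pem);      // false for anything that is not a certificate
    if ($x509 === false) {
        return false;
    }
    $info = openssl_x509_parse($x509);
    if ($info === false) {
        return false;
    }
    return $info['validFrom_time_t'] <= $now && $now <= $info['validTo_time_t'];
}

// openssl_pkey_get_public() only extracts a key, so it cannot tell these cases apart.
$cases = [
    'bare public key'                  => [$pubPem, time()],
    'fresh certificate'                => [$certPem, time()],
    'same certificate, two days later' => [$certPem, time() + 2 * 86400],
];
foreach ($cases as $label => [$pem, $now]) {
    printf("%-34s pkey_get_public=%-5s isUsableCertificate=%s\n", $label,
        var_export(openssl_pkey_get_public($pem) !== false, true),
        var_export(isUsableCertificate($pem, $now), true));
}
```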

In my opinion we should also have a system wide certificate manager and not only one per user. Opinions?
Shouldn't we move this out of files_external and change this to core?
Was planning that for a future PR, together with ajaxifying the add cert setting.

Added checks for filename and changed directory permissions

Agree, just wanted to keep this PR small

I'll add unit tests and correct the certificate validity check later. Please don't merge yet.

Not sure. On a system-wide level the admin can add the trusted root certs to the certificate bundle of his operating system. Users who want to trust their self-signed cert can't do it, that's why we provide the UI for them.

We have to consider shared hosting environments etc.

Also it's easier to tell an admin "upload your certificate at the admin settings" than telling them to investigate how their OS stores certificates :-)

@jancborchardt can you check if the interface is up to standard?
lib/private/certificatemanager.php
Please typehint the object you want __construct(IUser $user)

Forgot to commit some files...

@icewind1991 why not use this since we already have this loaded http://phpseclib.sourceforge.net/x509/intro.html instead of hand writing all of it in certificate.php?
Will only work after tomorrow

A new inspection was created.

🚀 Test Passed. 🚀
Make external shares work with imported self signed certificates

I don't think we'll want to backport such a huge change (CC @karlitschek).

This would be a helpful feature but I agree that it is too risky for backport

@icewind1991 is there a simpler solution / workaround for OC 7 to make it work?

Needs documenting for oc7 that self-signed certs won't work with mounting remote shares. It's a showstopper for S2S sharing.

Is it somehow possible to completely turn off certificate verification for s2s? I have imported the self signed cert of the source server, but external storage connection is not established anyway: Source server: oc 7.0.4, iis 7.5 win 7 x64, php 5.5.15

@LukasReschke anything we can do about this? THX

@godfuture Can I ask you to open a new issue? THX

Can't help without a copy of the certificate ;)

@DeepDiver1975


This moves the logic for managing trusted certificates from files_external to core. Note that the certs are still stored in the files_external folder for backwards compatibility; this is transparent for any app using the API.
To test:
Next step is making a nice gui for trusting the certificate when trying to add an external share from an untrusted cert
cc @schiesbn @PVince81 @simsasaile