Support for SSL client certificates



  • My server requires SSL client certificates for authentication, so it would be nice to have that feature in davdroid.
    If nobody wants to implement this feature, I'll be glad to help out with it, but I'd have to talk with a project manager beforehand I guess.



  • I just happened to work on this recently. Please have a look at stephanritscher/davdroid@d1508df5277f474ee71f8e6fd899483a22b01c6a. There are some explanations of the current status in the first comment of the commit.



  • Hi dirdi,

    if you add the CA's certificate of the /server certificate/ to the
    Trusted credentials storage, this means that the client (your Android
    device) trusts the authenticity of the server. This is a very common use
    case.

    I was speaking about another use case, rather common in enterprise
    setups. Here both the /client/ and the /server/ have certificates to
    prove their authenticity. Handling the /server/ certificate is done as
    above. Additionally, the /client certificate/ has to be configured in
    the client including the private key of the certificate (this is what
    ticket #266 is about) and to the server (which can be done by making the
    CA's certificate of the /client certificate/ trusted for the web
    server). If the client fails to provide a /trusted client certificate/,
    the server will refuse the connection.

    I hope this helps for your understanding.

    Best regards,
    Stephan

    On 08/15/2014 10:47 PM, dirdi wrote:

    I do not see a need for such a feature: Just add the CA's root
    certificate to your android's /Trusted credentials storage/. This
    works fine for me.


    Reply to this email directly or view it on GitHub
    https://github.com/rfc2822/davdroid/issues/266#issuecomment-52355851.



  • Hi,

    of course you are absolutely right. I am familiar with client
    certificates but I misread the TS and thought he wants to connect to a
    server with a certificate signed by his own CA. However, I noticed my
    mistake after I posted the comment and deleted it right away. Now the
    thread is a bit messed up, but this post should explain why ;)

    I'm sorry for the inconvenience,

    dirdi

    On 08/15/2014 11:02 PM, stephanritscher wrote:



  • Hi,
    I have a shared server hosting with OVH.
    I have no certificate for my website, because there is a certificate only for the cluster, which is not linked to individual site names.
    When I try to set up the connection on my Galaxy S3, it says: 'cannot verify hostname'.
    I can't get a self signed certificate to work, I tried to put one in the device, but it doesn't change anything.
    When I replace my website name by the cluster name (which has a certificate), I get: 'Invalid DAV response, no Cavdav available'.
    What can I do?

    Thanks


  • developer

    @joe-13 This is in no way related to SSL client certificates which is the topic of this issue.



  • So, do you have any schedule for client certificate support? Have you already put this feature on the roadmap?

    regards, bf.



  • This is more of a "me too" but it would be nice if an implementation for this worked with the system-wide user certificate management.



  • @mmonaco: @stephanritscher has this in his fork, which I am currently using for this reason. It would be nice, however, if this were supported in the official version. Maybe file a pull request for this feature, Stephan?


  • developer

    Which server do you use with client certificate authentication? Could you provide a test account?



  • @rfc2822 I use nginx+baikal (based on SabreDAV). Sorry, I cannot give you a test account at the moment (you would need a certificate from the specific CA). If I find time, I could set up a test server, but that would take more effort than I can currently afford.
    The code @stephanritscher provided does work like a charm for my system.



  • I'm using radicale with Apache 2.4. The setup is very simple with easy-rsa. If you can't get a package for it, just copy this dir to a temporary location:

    https://github.com/OpenVPN/easy-rsa/tree/release/2.x/easy-rsa/2.0
    

    Then, to set up a throw-away CA and client key:

    $ . vars
    $ ./clean-all
    $ ./build-ca
    $ ./build-key client@test.loc
    

    Then on the Apache side, the relevant config items are:

    SSLCACertificateFile /path/to/ca.crt
    SSLVerifyClient optional
    SSLUserName SSL_CLIENT_S_DN_SN
    

    And for completeness, if you need the server-side SSL too:

    $ . vars
    $ ./build-key-server server.test.loc
    

    And

    SSLEngine on
    SSLCertificateFile /path/to/server.test.loc.crt
    SSLCertificateKeyFile /path/to/server.test.loc.key
    

    Note that the SSLCACertificateFile CA doesn't have to have anything to do with your server CA. So if you have your own server with a cert signed by a real CA like StartSSL, the client options don't affect anything.



  • @rfc2822 I rearranged some things and can set you up with a test account. Can you contact me privately to set it up?



  • I'm running a radicale CalDAV/CardDAV server (version 0.9) on an internal machine. For external users I'm providing secured access using the stunnel4 service on the gateway. Thus I don't have to care about the SSL stuff for all the internal services (CalDAV/CardDAV and IMAP/SMTP as well), but only have a centralized configuration on the gateway (stunnel server). The following configuration shows an example for the radicale CalDAV/CardDAV service, which runs on tcp/5232 (default):

    setuid          = stunnel4
    setgid          = stunnel4
    
    pid             = /var/run/stunnel4/stunnel4.pid
    output          = /var/log/stunnel4/stunnel4.log
    syslog          = no
    debug           = 7
    
    cert            = /etc/ssl/certs/server.pem
    CAfile          = /etc/ssl/certs/ca.pem
    CApath          = /etc/ssl/trusted/
    CRLfile         = /etc/ssl/certs/crl.pem
    verify          = 3
    
    session         = 14400
    TIMEOUTidle     = 14400
    
    libwrap = no
    
    [caldav]
    accept          = 5232
    connect         = 172.16.111.111:5232
    

    Of course, you can extend the configuration for any other relevant services (SMTPS, IMAPS).

    [imaps]
    accept          = 993
    connect         = 172.16.111.111:143
    
    [smtps]
    accept          = 587
    connect         = 172.16.111.111:25
    

    It's just SSL offloading with a client certificate check in addition, which is fully transparent for the back-end services.

    CA, client and server certificates, as well as the CRL, can be generated using the easy-rsa scripts provided by the OpenVPN community (as @mmonaco mentioned above). Apart from that, XCA or TinyCA2 may be useful tools if you're looking for graphical ones.

    I'm sorry not to be able to provide you a test account, but maybe the information above will help you to set it up on your site with less effort.

    best regards, bf.



  • Hi,

    are you still in need of a test setup to integrate the SSL client certificate authentication feature in DAVdroid? We would like to see this feature for our projects, too, and would like to support the development of it.

    In our scenario, we use a self-signed root CA. There are intermediate CAs used to sign server and user certificates. The root CA cert and the user certificates are deployed to client devices. The CN stored in the user certificate is forwarded to radicale as the username (FastCGI).

    So this is not user authentication with a username and password (htpasswd method), but plain SSL client certificates. Authentication is done by the web server, not the application behind it.

    Would be cool if this feature could be implemented by using the OS credential store, so users add their PKCS12 credentials system-wide. When establishing the HTTPS connection, the server replies with a certificate request, so users would select one of the installed PKCS12 certificates and go on like normal.

    Would be glad to help out.

    Frank
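Stephan's description earlier in the thread (both sides present a certificate, and the server refuses a client that cannot) together with Frank's suggestion to pull the client identity from the OS credential store can be demonstrated with Android's KeyChain API. The following is an added example written for this thread; it is not DAVdroid's code and not Stephan's fork. The class `ClientCertExample`, the key manager `KeyChainKeyManager` and the methods `pickClientCertificate` and `openWithClientCert` are hypothetical names; only the `android.security.KeyChain` calls and the `javax.net.ssl` types are real platform APIs.

```java
// Added example, not DAVdroid code: use a certificate from Android's system
// credential store (the PKCS#12 the user installed) as the TLS client identity.
import android.app.Activity;
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyChainAliasCallback;
import android.security.KeyChainException;

import java.net.Socket;
import java.net.URL;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509ExtendedKeyManager;

public class ClientCertExample {

    /** Key manager that offers the TLS stack exactly one identity: the alias the user picked. */
    static final class KeyChainKeyManager extends X509ExtendedKeyManager {
        private final String alias;
        private final PrivateKey key;
        private final X509Certificate[] chain;

        // Must be constructed off the UI thread: KeyChain.getPrivateKey() and
        // getCertificateChain() block while they talk to the system KeyChain service.
        KeyChainKeyManager(Context ctx, String alias) throws KeyChainException, InterruptedException {
            this.alias = alias;
            // The private key never leaves the credential store; this is a handle bound to it.
            this.key = KeyChain.getPrivateKey(ctx, alias);
            this.chain = KeyChain.getCertificateChain(ctx, alias);
            if (key == null || chain == null) {
                throw new KeyChainException("alias no longer present in credential store: " + alias);
            }
        }

        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            return alias;  // answer the server's CertificateRequest with the chosen identity
        }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return null;   // we only act as a TLS client
        }
        @Override public X509Certificate[] getCertificateChain(String a) { return alias.equals(a) ? chain : null; }
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
        @Override public PrivateKey getPrivateKey(String a) { return alias.equals(a) ? key : null; }
    }

    /** Step 1 (UI): show the system picker listing the user's installed certificates. */
    public static void pickClientCertificate(Activity activity, String host, int port,
                                             final AliasListener listener) {
        KeyChain.choosePrivateKeyAlias(activity, new KeyChainAliasCallback() {
            @Override public void alias(String alias) {
                // alias == null means the user cancelled; without a certificate the
                // server described in this thread will refuse the connection.
                listener.onAlias(alias);
            }
        }, new String[] { "RSA" }, null, host, port, null);
    }

    /** Hypothetical callback so the chosen alias can be stored with the account. */
    public interface AliasListener { void onAlias(String alias); }

    /** Step 2 (worker thread): open an HTTPS connection that presents the chosen certificate. */
    public static HttpsURLConnection openWithClientCert(Context ctx, String alias, URL url) throws Exception {
        SSLContext ssl = SSLContext.getInstance("TLS");
        // Passing null trust managers keeps the platform default, so the server certificate is
        // still validated against the system "Trusted credentials" store: both halves of mutual TLS.
        ssl.init(new KeyManager[] { new KeyChainKeyManager(ctx, alias) }, null, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ssl.getSocketFactory());
        return conn;
    }
}
```

`choosePrivateKeyAlias` needs an `Activity` because it shows a system dialog; the alias it hands back is the only thing worth persisting with the account, since the key itself stays in the credential store. Note that with `SSLVerifyClient optional`, as in the Apache snippet earlier in the thread, the handshake succeeds even when no certificate is offered and the refusal only shows up as an HTTP 401/403, so a client should check the response status rather than assume a completed handshake means it was authenticated.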

