Merge pull request #3924 from nextcloud/feature/request-ocsp-data-for-peer-certificates

Request OCSP data for peer certificates
2024-11-25 22:46:04 +03:00 · 2021-10-27 10:36:10 +03:00 · 2021-10-27 10:36:10 +03:00 · acd8553be9
commit acd8553be9
parent f760d610e9 db4e54025a
6 changed files with 56 additions and 0 deletions
--- a/NEXTCLOUD.cmake
+++ b/NEXTCLOUD.cmake
@ -11,6 +11,8 @@ set( APPLICATION_SERVER_URL "" CACHE STRING "URL for the server to use. If enter
 set( APPLICATION_SERVER_URL_ENFORCE ON ) # If set and APPLICATION_SERVER_URL is defined, the server can only connect to the pre-defined URL
 set( APPLICATION_REV_DOMAIN "com.nextcloud.desktopclient" )
 set( APPLICATION_VIRTUALFILE_SUFFIX "nextcloud" CACHE STRING "Virtual file suffix (not including the .)")
+set( APPLICATION_OCSP_STAPLING_ENABLED OFF )
+set( APPLICATION_FORBID_BAD_SSL OFF )

 set( LINUX_PACKAGE_SHORTNAME "nextcloud" )
 set( LINUX_APPLICATION_ID "${APPLICATION_REV_DOMAIN}.${LINUX_PACKAGE_SHORTNAME}")
--- a/config.h.in
+++ b/config.h.in
@ -29,6 +29,8 @@
 #cmakedefine APPLICATION_WIZARD_HEADER_TITLE_COLOR "@APPLICATION_WIZARD_HEADER_TITLE_COLOR@"
 #cmakedefine APPLICATION_WIZARD_USE_CUSTOM_LOGO "@APPLICATION_WIZARD_USE_CUSTOM_LOGO@"
 #cmakedefine APPLICATION_VIRTUALFILE_SUFFIX "@APPLICATION_VIRTUALFILE_SUFFIX@"
+#cmakedefine APPLICATION_OCSP_STAPLING_ENABLED "@APPLICATION_OCSP_STAPLING_ENABLED@"
+#cmakedefine APPLICATION_FORBID_BAD_SSL "@APPLICATION_FORBID_BAD_SSL@"
 #define APPLICATION_DOTVIRTUALFILE_SUFFIX "." APPLICATION_VIRTUALFILE_SUFFIX

 #cmakedefine ZLIB_FOUND @ZLIB_FOUND@
--- a/src/gui/sslerrordialog.cpp
+++ b/src/gui/sslerrordialog.cpp
@ -13,6 +13,7 @@
 */
 #include "configfile.h"
 #include "sslerrordialog.h"
+#include "theme.h"

 #include <QtGui>
 #include <QtNetwork>
@ -68,6 +69,8 @@ SslErrorDialog::SslErrorDialog(AccountPtr account, QWidget *parent)
    QPushButton *cancelButton =
        _ui->_dialogButtonBox->button(QDialogButtonBox::Cancel);
    okButton->setEnabled(false);
+
+    _ui->_cbTrustConnect->setEnabled(!Theme::instance()->forbidBadSSL());
    connect(_ui->_cbTrustConnect, &QAbstractButton::clicked,
        okButton, &QWidget::setEnabled);

@ -105,6 +108,8 @@ bool SslErrorDialog::checkFailingCertsKnown(const QList<QSslError> &errors)

    QStringList errorStrings;

+    QStringList additionalErrorStrings;
+
    QList<QSslCertificate> trustedCerts = _account->approvedCerts();

    for (int i = 0; i < errors.count(); ++i) {
@ -115,6 +120,8 @@ bool SslErrorDialog::checkFailingCertsKnown(const QList<QSslError> &errors)
        errorStrings += error.errorString();
        if (!error.certificate().isNull()) {
            _unknownCerts.append(error.certificate());
+        } else {
+            additionalErrorStrings.append(error.errorString());
        }
    }

@ -146,6 +153,17 @@ bool SslErrorDialog::checkFailingCertsKnown(const QList<QSslError> &errors)
            msg += QL("<hr/>");
        }
    }
+
+    if (!additionalErrorStrings.isEmpty()) {
+        msg += QL("<h4>") + tr("Additional errors:") + QL("</h4>");
+
+        for (const auto &errorString : additionalErrorStrings) {
+            msg += QL("<div id=\"ca_error\">");
+            msg += QL("<p>") + errorString + QL("</p>");
+            msg += QL("</div>");
+        }
+    }
+
    msg += QL("</div></body></html>");

    auto *doc = new QTextDocument(nullptr);
--- a/src/libsync/account.cpp
+++ b/src/libsync/account.cpp
@ -389,6 +389,8 @@ QSslConfiguration Account::getOrCreateSslConfig()
    sslConfig.setSslOption(QSsl::SslOptionDisableSessionSharing, false);
    sslConfig.setSslOption(QSsl::SslOptionDisableSessionPersistence, false);

+    sslConfig.setOcspStaplingEnabled(Theme::instance()->enableStaplingOCSP());
+
    return sslConfig;
 }

--- a/src/libsync/theme.cpp
+++ b/src/libsync/theme.cpp
@ -399,6 +399,24 @@ bool Theme::forceOverrideServerUrl() const
 #endif
 }

+bool Theme::enableStaplingOCSP() const
+{
+#ifdef APPLICATION_OCSP_STAPLING_ENABLED
+    return true;
+#else
+    return false;
+#endif
+}
+
+bool Theme::forbidBadSSL() const
+{
+#ifdef APPLICATION_FORBID_BAD_SSL
+    return true;
+#else
+    return false;
+#endif
+}
+
 QString Theme::forceConfigAuthType() const
 {
    return QString();
--- a/src/libsync/theme.h
+++ b/src/libsync/theme.h
@ -239,6 +239,20 @@ public:
     * When true, the respective UI controls will be disabled
     */
    virtual bool forceOverrideServerUrl() const;
+    
+    /**
+     * Enable OCSP stapling for SSL handshakes
+     *
+     * When true, peer will be requested for Online Certificate Status Protocol response
+     */
+    virtual bool enableStaplingOCSP() const;
+
+    /**
+     * Enforce SSL validity
+     *
+     * When true, trusting the untrusted certificate is not allowed
+     */
+    virtual bool forbidBadSSL() const;

    /**
     * This is only usefull when previous version had a different overrideServerUrl