WebDav secured with SSL problem

pmorin · 06-20-2011, 10:50 AM

Hi !

I'm installing Liferay as a WAR on Tomcat 6 on a new Ubuntu server.
I want my portal accessible only via HTTPS, that's why I've enabled it via Apache.

My config :
Apache 2 (/etc/apache2/sites-enabled/001-https)

Code:

<VirtualHost my.domain.com:443>
        ServerAdmin admin@domain.com
        ServerName my.domain.com:443

        ErrorLog /var/log/apache2/error.log

        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        SSLCertificateFile /etc/ssl/server.crt
        SSLCertificateKeyFile /etc/ssl/server.key
        SSLCACertificatePath /etc/ssl

        SetEnvIf User-Agent ".*MSIE.*" \
                         nokeepalive ssl-unclean-shutdown \
                         downgrade-1.0 force-response-1.0

        JkMount /* worker1
</VirtualHost>

This is working great so far...

But I have a problem with WebDav (provided by Liferay).

When I try to access a Web Folder with Nautilus or via the command "sudo mount -t davfs https://my.domain.com/tunnel-web/sec...cument_library /media/webdrive/", I have an error that blocks me.
Note that when I access the WebDav share directly from Tomcat at the address "http://my.domain.com:8080/tunnel-web/secure/webdav/pit/document_library", it works fine.

The error from Nautilus is the following :

Code:

DBus error org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)

The output from the command line is :

Code:

Please enter the username to authenticate with server
https://my.domain.com/tunnel-web/secure/webdav/pit/document_library or hit enter for none.
  Username: pit@domain.com
Please enter the password to authenticate user pit@domain.com with server
https://my.domain.com/tunnel-web/secure/webdav/pit/document_library or hit enter for none.
  Password:  
/sbin/mount.davfs: the server certificate is not trusted
  issuer:      Company, Paris, France, FR
  subject:     Company, Paris, France, FR
  identity:    my.domain.com
  fingerprint: 56:40:2b:26:9f:f5:51:31:96:5b:44:5a:3c:75:df:93:5c:06:1f
You only should accept this certificate, if you can
verify the fingerprint! The server might be faked
or there might be a man-in-the-middle-attack.
Accept certificate for this session? [y,N] y
/sbin/mount.davfs: Mounting failed.
Could not authenticate to server: missing parameter in Digest challenge

Can anyone help me, please ?
I found nothing on the net.

Thanks !
Pit

unSpawn · 06-20-2011, 04:59 PM

If you use basic auth maybe "sudo mount -t davfs https://login: password@domain.com/some/path /media/webdrive/" works?

pmorin · 06-21-2011, 02:33 AM

Thank you for your response.
That's too bad, it says "/sbin/mount.davfs: invalid URL".

Where do you think the problem come from ?

pmorin · 06-21-2011, 03:05 AM

OK, so it clearly seems that the problem comes from the Digest Authentication.
I've disabled digest_auth and enabled basic_auth and try again as you said with Nautilus and it worked ! \o/

So, what do you think the problem is ?

Other question : is it secure enouth to use Basic Auth when we are SSL encrypted ?

Thanks !

Pit

unSpawn · 06-21-2011, 07:42 PM

Quote:

Originally Posted by pmorin

That's too bad, it says "/sbin/mount.davfs: invalid URL". Where do you think the problem come from ?

Dunno but /etc(/dav.*)/davfs2.conf should allow for debugging options (see "Debugging Options" in 'man 5 davfs2.conf') that may shed some light on this.

Quote:

Originally Posted by pmorin

OK, so it clearly seems that the problem comes from the Digest Authentication. I've disabled digest_auth and enabled basic_auth and try again as you said with Nautilus and it worked ! \o/ So, what do you think the problem is ?

Quote:

Originally Posted by pmorin

Other question : is it secure enouth to use Basic Auth when we are SSL encrypted ?

The RFC (4918) clearly states Basic auth should only be used if the connection is secure (indeed: using SSL). It also states Digest auth should be supported, maybe there are some options in /etc(/dav.*)/secrets that could help in conjunction with debugging the output?

* Debug output ultimately should go to the maintainer (mailing list?) of DavFS at http://savannah.nongnu.org/projects/davfs2. If you post it here at least scrub client and server names slash IP addresses, obfuscate logins and any other unique identifiers and post complete transaction lines (not snippets) in (preferably) BB code.

pmorin · 06-22-2011, 02:32 AM

Thank you !
I'll try that if I have time and I'll do has you said if I find a solution. ;-)

Do you think I must tag this thread as "SOLVED", even if it's not entirely resolved ?

unSpawn · 06-22-2011, 11:54 AM

No, if it's not solved then you best don't.