Certificate Check in client

Hello,
the current windows client offers to ignore errors with SSL certificate. This is nice because I have a selfsigned certificate and the servername of the system (and in the certificate) have not much to do with what dyndns tells the client.

There is one thing: I do not simply want to ignore an error I would like to display the certificate, read the details, compare to my key AND accept this one special certificate as trusted and OK.

everybody i the world could conquer my dyndns, create a man in the middle host and make my client to sync everything over it because the client takes everything that smells like SSL.

Marc

1 Like

I would recommend you to use a valid certificate : https://letsencrypt.org

1 Like

hi,
this exactly what I already started to investigate after submitting the post ;o) but thanks for hint
Nevertheless, the option itself “ignore errors” is dangerous! in a browser this would not be acceptable… firefox warns and lets you double check the exception.

afaik as soon as somone has control over the dns record he can get a valid letsencrypt certificate.

the trustmodel of ssl, as it is commonly used, is broken. the only secure way to use ssl is if you decide which cert is valid and not some 3rd party.

this would be the way to go. it would be nice if the client implemented such a feature.

1 Like

afaik as soon as somone has control over the dns record he can get a valid letsencrypt certificate.
the trustmodel of ssl, as it is commonly used, is broken. the only secure way to use ssl is if you decide which cert is valid and not some 3rd party.

That’s not true the Seafile client would complain about the new (evil) letsencrypt certificate and then you have to check the issue.

Just an example… the guy owning the dyndns service I use could be an evil one and redirect the dns to his machine, generate a new letsencrypt certificate … my client would take it and say: "yes it is valid and yes it is pointing to the correct url. My client would upload everything to this server in an instant or to my server but a copy to his disk…

The password I deliver him for free after he shows his certificate…

At the end I need to see and doublecheck a certificate to trust it one by one…

try this:

  • create a letsencrypt certificate for your seafile server.
  • run the client and check that everything is fine.
  • create a completly new letsencrypt certificate and replace the old one.
  • now see whether the client complains about the new certificate.

the client warning you about a certificate change and offering to not accept it would be a good start to increase security. sadly hardly any software does that. which means that any ca can forge a certificate for any site.

Ups, you are right, my fault - those things happens if you are used to self signed certificates for a long time :flushed:
I agree with you, a check for a updated certificates would be a very useful security option.

Mhh, I am not talking about a hard pinning… I simply want to be asked if I trust a certificate… why, how and if this is clever is not seafiles job… but I want to see the details and press " trust this certificate in future"

I see no need to add suport for manual certificates, because i also have one and it can be made secure in quife easy way. The only thing you must do is install as root certificate on your client, the one you self-signed with. Thats it, your seafile will now accept it.

certificates get renewed (a new certificate is created and signed by the ca) on a regular basis. maybe what you want is to “trust this ca to sign the certificates in the future”?
this would imo only be useful for self-signed certificates because the ca is controlled by me.

Ahh that is the point… I have not fund an option to install a certificate… I could do so …

Better would be a popup like firefox or chrome have it.

The windows seafile client seems not to have a certificate menu.

Marc

and your seafile client will also happily accept every certificate signed by any of the numerous ca installed on your system.

I am not a primary target of NSA but to be honest with SSH keys nobody would be so lazy… I have never seen a ignore server fingerprint option in the manpage… and if I connect to a server its fingerprint is presented first time ot if it returns an unexpected value.
I know people want to have it easy simple and clear but this often at the price of security or privacy.

@Dr_Marc_Arnold_Bach, Seafile relies on integrated certificate store from client. In case of Windows just install it in Chrome or Explorer or Edge(they all use Windows Certificate store). Actually just double clicking certificate should let you insert it. For this to work public-part of your self-signing certificate(the one used for signing) must be installed as root certificate.

@bbart, If you do not trust root certificates you can remove them. But than you will get red warning for any browsing on the internet… I think(not sure) that only Firefox has its own certificate store, so if you used Firefox you could maybe have different root certificates for browsing than for Seafile.

Hi,
This is close to using http alone… So i can decide to ignore every ssl error or to accept almost every certificate if the bad guy is not to stupid…

This is a technique to repell my neighbour, my mum and some scriptkids only…

CA is broken, symantec created valig google certificates…

I want to see a certificate, compare it to mine and restrict seafile exactly to this one… everything else is to report green traffic lights to CIO where nothing is secure or save.

It orovides an illusion and it only works because most people dont store important thinks in cloud. And no encrypted dolders are nrxt level not a compensation of bad ssl design.

you’re right, i do not trust them and neither should anybody else. google doesn’t trust them either 1. i experimented with removing all system certificates certificate patrol with firefox. but this resulted in many problems and i gave up and resortet to only secure the most important apps (email client, jabber, extra browser profile for banking, …).

1 Like

there are many incidents like this (diginotar, lenovo mitm adware, …) and probably many more that never went public.

I know this thread is very old… but I have to ask: Why is the seafile client depending on “trusted” CAs? And who decides which CAs to trust. The manual even states here

If you’re using self-signed certificate on the server, you should ask the client to skip verifying certificate.

In my opinion, this is dangerous or bad practice! Certificate warnings are an important feature.

I tried to import my self signed certificate ( /etc/ssl/cacert.pem ) and copied it to /usr/local/share/ca-certificates/ on my Ubuntu Desktop. Import via
$ sudo update-ca-certificates
and seahorse shows it alongside all the other “trustworthy” certificates.

Seafile Client still doesn’t accept it. Is there any way to change this - or did I miss something?!? I don’t want to check “ignore” and I don’t wan’t to use lets encrypt. Any other options?

The App (Android) supports self-signed certificates. Popup, check, done.
Still: The desktop version of seafile doesn’t sync with a self-signed certificate.

Any suggestions?