webdav mounting with client certificates

Question

webdav mounting with client certificates

I just went through all the trouble of setting up secure WebDAV over https. I did, this being a huge fan of OS X's current WebDAV support, thinking I could make things a lot sleaker.

So I got it all setup on the server end. https is only responding, and finder was still mounting correctly, and both safari and firefox were able to see it.

Then I removed authentication on the server, set SSLRequire On and SSLVerifyClient require, focing all https clients to send a client key or be denied.

After setting this up I tested in firefox. Initially firefox just returned a blank page. I then proceeded to import the client key I generated in to firefox, and it worked! Flawlessly. With the key I was in, without, I got nothing. Perfect.

I then imported this key in to Keychain, anxious to try out mounting WebDAV securely with no password. Unfortunately it didn't work. The errors in the apache logs are exactly the same as when firefox did not have my key imported.

I then tried Safari, and safari however immediately asked if I wanted to use my login keychain, sent my client certificate, and allowed me in to my secure dav server.

So Safari was smart enough to find the key, but finder wasn't? What can I do to get Finder to see this key when it tries to mount my WebDAV.

MacBook Pro Mac OS X (10.4.6)

MacBook Pro Mac OS X (10.4.6)

Posted on Apr 9, 2006 5:56 PM

Reply

Answer 1

Apr 10, 2006 7:28 AM in response to johncappiello

argh. To make me feel worse about this, windows, explorer et al, works perfectly. Installed the client certificate in Windows, and when I try to mount the secure WebDAV, explorer tells me it's asking for a user, and then offers me the certificate I just installed, which works and then proceeds to securely mount my WebDAV.

Reply

Answer 2

Apr 11, 2006 8:40 AM in response to johncappiello

So I spent a few hours last night trying to use the command line utility "mount_webdav" which I'm pretty sure is all finder uses.

However again I received the same errors in my apache logs, indicating the client (mount_webdav) was not trying to supply a client cert, nor did mount_webdav ask me for one, or look in keychain.

I tried piping my cert in to it something like this:
cat cert.p12 | mount_webdav -a0 https://davserver/ davmount

but had no luck. I got this idea from a few blog posts about piping in a password file to automount iDisk, and things of that sort.

Any ideas? Is it possible I could upgrade my davlib such that it would support client certificates?

MacBook Pro Mac OS X (10.4.6)

Reply

Answer 3

Jun 23, 2006 5:20 AM in response to johncappiello

I would just like to add my voice to this discussion, I have had exactly the same problem with my WebDAV server.

Turning client authentication on stops me mounting the folder using Finder, but not reading files using Safari.

Experience with other operating systems has been more positive Konqueror works flawlessly in Linux, IE works in windows, but I cannot get Finder to use mutual authentication.

Does Finder actually support mutual authentication over https?

If not, I think it is time to make a feature request to Apple.

Reply

Answer 4

Jun 23, 2006 8:53 AM in response to davidpower

I just wanted to let you know that I have not found a solution to this yet. As far as I can tell, Finder is just dumb and does not support keychain lookups, at least for webdav.

For now I've had to resort to turning password authentication back on, and just for Finder, using said password.

Mac OS X (10.4.6)

Reply