[1.8.0] SSL Handshake Failed - OSX 10.10.3 Security Update 2015-004

[razyr]

I just ran the 2015-004 security update (released yesterday) for OSX Yosemite (10.10.3).

After the mandatory reboot I'm getting SSL errors from the OwnCloud client 1.8.0. It is connecting to OC 8.0.2.

I have tested two different servers. Both servers are using RapidSSL certificates from GeoTrust. I tested both servers using the tools from GeoTrust and have confirmed that the certificates are properly installed, chains are intact, etc...

Here is the error dialog from the client. The same dialog appears on boot when the client auto-starts or if you try to alter the account settings.

Trying the second server yields the same basic error but it complains about a different cert.

The release notes for the security update indicate that "The certificate trust policy was updated."

I have reported this to the GeoTrust support team as well.

I tested Safari, Chrome and Firefox from the same computer after the update and none of the browsers are having any problem with accessing the web interface via SSL.

[tobias-grasse]

Having this problem as well on two machines running OSX 10.10.3 with OC Desktop Client 1.8.0 (build 2139), but connecting to an OC 7.0.4 installation.

Also using a GeoTrust certificate.

[danimo]

I can't reproduce this with my certs. If you don't mind, please send me the URLs to your instances (danimo AT owncloud.com). I won't need an account, the URL is sufficient.

[razyr]

URLs sent as requested.

[danimo]

Seems to be a general Qt issue: https://bugreports.qt.io/browse/QTBUG-45487. Will investigate there.

[razyr]

Both of our OwnCloud servers are working correctly now. The problem appeared to be with an older intermediate SSL certificate which the latest Apple security update removed from the trust list. It was not needed. Simplifying our cert chain resolved the problem.

[danimo]

@razyr Please remove the GeoTrust Global CA intermediate from the certificate chain sent by your webserver. It is no longer needed since browsers have its successor certificate directly in the CA store. However providing this (obsolete) one will make the Client jump to a "wrong" conclusion. (which may also be true for other user agends, depending on how they validate certificates, see my explanation in https://bugreports.qt.io/browse/QTBUG-45487.

In Qt we are looking at long term solution to more resilience, which the desktop client is going to benefit from as well. Since providing a fix is out of scope for the client itself, and there is a workaround, I will close this issue now.