Bug description
I have a self-hosted Nextcloud instance using my own private CA for TLS certs. When running nextcloudcmd without the --trust, it disregards the cert validation failure as "This is not an actual error" and proceeds with the sync anyway. I expected it to reject the untrusted server cert and assume it is a MITM attack:
# nextcloudcmd --non-interactive -n ~/Nextcloud https://nextcloud.lan
09-10 12:25:54:348 [ info nextcloud.sync.accessmanager ]: 2 "" "https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json" has X-Request-ID "18ff47a0-a482-4456-a489-7aa747170c58"
09-10 12:25:54:348 [ info nextcloud.sync.networkjob ]: OCC::JsonApiJob created for "https://nextcloud.lan" + "ocs/v1.php/cloud/capabilities" ""
09-10 12:25:54:545 [ info nextcloud.sync.account ]: "SSL-Errors happened for url \"https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json\" \tError in QSslCertificate(\"3\", [REDACTED] : \"The root certificate of the certificate chain is self-signed, and untrusted\" ( \"The root certificate of the certificate chain is self-signed, and untrusted\" ) \n " Certs are known and trusted! This is not an actual error.
09-10 12:25:54:871 [ info nextcloud.sync.networkjob.jsonapi ]: JsonApiJob of QUrl("https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json") FINISHED WITH STATUS "OK"
After adding the root CA cert to the system's trust store the validation passes and the warning goes away.
I am running the latest nextcloud-desktop-cmd package, version 2.6.2-1build1, on Ubuntu Server 20.04.2 LTS. I did not see this problem in the Nextcloud CVE list.
Steps to reproduce
Run nextcloudcmd against a server that has a TLS cert that the system won't validate.
Expected behavior
Abort the operation if the server's TLS cert cannot be validated, unless --trust is specified to explicitly override the security checks.
Which files are affected by this bug
src/libsync/account.cpp
Operating system
Linux
Which version of the operating system you are running.
Ubuntu 20.04.2 LTS
Package
Distro package manager
Nextcloud Server version
24.0.3
Nextcloud Desktop Client version
2.6.2-1build1
Is this bug present after an update or on a fresh install?
Fresh desktop client install
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
Are you using an external user-backend?
Nextcloud Server logs
No response
Additional info
No response
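The behaviour the report asks for (abort on any TLS validation error unless --trust was given explicitly) and the symptom in the log excerpt can both be checked mechanically. The following Python is an added example, not code from the Nextcloud project or from the reporter: it parses nextcloudcmd log lines in the format quoted above, pairs each "SSL-Errors happened" event with the request that followed it, flags the case where the client dismissed the error and the request still completed, and applies the fail-closed policy described under "Expected behavior". The function names, the TlsFinding class and the modelling of --trust as a boolean are this example's own assumptions; the sample log is a constructed copy of the excerpt from this report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the nextcloudcmd log excerpt from this report, copied
# verbatim (raw string so Qt's escaped \" \t \n stay literal, as they are in the log).
SAMPLE_LOG = r"""
09-10 12:25:54:348 [ info nextcloud.sync.accessmanager ]: 2 "" "https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json" has X-Request-ID "18ff47a0-a482-4456-a489-7aa747170c58"
09-10 12:25:54:348 [ info nextcloud.sync.networkjob ]: OCC::JsonApiJob created for "https://nextcloud.lan" + "ocs/v1.php/cloud/capabilities" ""
09-10 12:25:54:545 [ info nextcloud.sync.account ]: "SSL-Errors happened for url \"https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json\" \tError in QSslCertificate(\"3\", [REDACTED] : \"The root certificate of the certificate chain is self-signed, and untrusted\" ( \"The root certificate of the certificate chain is self-signed, and untrusted\" ) \n " Certs are known and trusted! This is not an actual error.
09-10 12:25:54:871 [ info nextcloud.sync.networkjob.jsonapi ]: JsonApiJob of QUrl("https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json") FINISHED WITH STATUS "OK"
"""

# One nextcloudcmd line: "MM-DD HH:MM:SS:mmm [ level category ]: message"
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3}) \[ (?P<level>\w+) (?P<category>[\w.]+) \]: (?P<msg>.*)$'
)
# The URL sits between escaped quotes (\") inside the message.
SSL_ERR_RE = re.compile(r'SSL-Errors happened for url \\"(?P<url>[^"\\]+)\\"')
# First validation reason after "[...] : " in the QSslCertificate dump.
REASON_RE = re.compile(r'\] : \\"(?P<reason>[^"\\]+)\\"')
FINISHED_RE = re.compile(r'JsonApiJob of QUrl\("(?P<url>[^"]+)"\) FINISHED WITH STATUS "(?P<status>[^"]+)"')
IGNORED_MARKER = "This is not an actual error"


@dataclass
class TlsFinding:
    """One server URL whose certificate chain failed validation (hypothetical type)."""
    url: str
    reason: str
    client_ignored: bool = False        # client logged the "not an actual error" dismissal
    job_status: Optional[str] = None    # status of the request that followed, e.g. "OK"

    @property
    def silently_proceeded(self) -> bool:
        """True when the chain failed validation yet the request still completed."""
        return self.client_ignored and self.job_status == "OK"


def parse_lines(text: str):
    """Yield the parsed fields of every line that matches the nextcloudcmd format."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()


def audit_tls_errors(text: str) -> List[TlsFinding]:
    """Collect every TLS validation error and pair it with the request outcome for that URL."""
    findings: Dict[str, TlsFinding] = {}
    for rec in parse_lines(text):
        msg = rec["msg"]
        err = SSL_ERR_RE.search(msg)
        if err:
            reason = REASON_RE.search(msg)
            finding = TlsFinding(url=err["url"], reason=reason["reason"] if reason else "unknown")
            finding.client_ignored = IGNORED_MARKER in msg
            findings[finding.url] = finding
            continue
        done = FINISHED_RE.search(msg)
        if done and done["url"] in findings:
            findings[done["url"]].job_status = done["status"]
    return list(findings.values())


def sync_allowed(findings: List[TlsFinding], trust_override: bool) -> bool:
    """Fail-closed policy from the report: any validation error aborts unless --trust was given."""
    if not findings:
        return True
    return trust_override


if __name__ == "__main__":
    for f in audit_tls_errors(SAMPLE_LOG):
        print(f"{f.url}: {f.reason}; ignored={f.client_ignored}; status={f.job_status}; "
              f"silently_proceeded={f.silently_proceeded}")
    print("sync allowed without --trust:", sync_allowed(audit_tls_errors(SAMPLE_LOG), trust_override=False))
```

Run against a real nextcloudcmd log (for example `python3 audit.py < sync.log` after swapping SAMPLE_LOG for stdin) the finding with silently_proceeded set is the exact symptom reported here: a chain that the system would not validate, dismissed by the client, followed by a successful request to the same URL.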