You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have a self hosted Nextcloud instance using my own private CA for TLS certs. When running nextcloudcmd without the --trust, it disregards the cert validation failure as "This is not an actual error" and proceeds with the sync anyway. I expected it to reject the untrusted server cert and assume it is a MITM attack:
# nextcloudcmd --non-interactive -n ~/Nextcloud https://nextcloud.lan
09-10 12:25:54:348 [ info nextcloud.sync.accessmanager ]: 2 "" "https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json" has X-Request-ID "18ff47a0-a482-4456-a489-7aa747170c58"
09-10 12:25:54:348 [ info nextcloud.sync.networkjob ]: OCC::JsonApiJob created for "https://nextcloud.lan" + "ocs/v1.php/cloud/capabilities" ""
09-10 12:25:54:545 [ info nextcloud.sync.account ]: "SSL-Errors happened for url \"https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json\" \tError in QSslCertificate(\"3\", [REDACTED] : \"The root certificate of the certificate chain is self-signed, and untrusted\" ( \"The root certificate of the certificate chain is self-signed, and untrusted\" ) \n " Certs are known and trusted! This is not an actual error.
09-10 12:25:54:871 [ info nextcloud.sync.networkjob.jsonapi ]: JsonApiJob of QUrl("https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json") FINISHED WITH STATUS "OK"
Bug description
I have a self hosted Nextcloud instance using my own private CA for TLS certs. When running
nextcloudcmd
without the--trust
, it disregards the cert validation failure as "This is not an actual error" and proceeds with the sync anyway. I expected it to reject the untrusted server cert and assume it is a MITM attack:After adding the root CA cert to the system's trust store the validation passes and the warning goes away.
I am running the latest
nextcloud-desktop-cmd
package, version2.6.2-1build1
, on Ubuntu Server 20.04.2 LTS.I did not see this problem in the NextCloud CVE list.
Steps to reproduce
Run
nextcloudcmd
against a server that has a TLS cert that the system won't validate.Expected behavior
Abort the operation if the server's TLS cert cannot be validated, unless
--trust
is specified to explicitly override the security checks.Which files are affected by this bug
src/libsync/account.cpp
Operating system
Linux
Which version of the operating system you are running.
Ubuntu 20.04.2 LTS
Package
Distro package manager
Nextcloud Server version
24.0.3
Nextcloud Desktop Client version
2.6.2-1build1
Is this bug present after an update or on a fresh install?
Fresh desktop client install
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
Are you using an external user-backend?
Nextcloud Server logs
No response
Additional info
No response
The text was updated successfully, but these errors were encountered: