
Make built-in DAV client work with HTTPS System
The built-in WebDAV support in OS X can be made to talk to https-enabled web servers by using a wrapper application called stunnel. This program can provide an SSL-encrypted connection to any remote service that is SSL-capable (such as POP3S, IMAPS, HTTPS). Download, compile and install stunnel. You do not need Fink to accomplish this; simply unpack the source, then run ./configure && make. A stunnel binary will be created in the src directory. The examples assume that I have some files on a DAV server that I would normally access via the URL:
https://RemoteServer.com/dav/enabled/path
Save the following configuration file as stunnel.conf:
pid=/tmp/stunnel.pid
foreground=yes
setuid=nobody
setgid=nobody
client=yes
[RemoteServer1]
accept  = 7777
connect = RemoteServer.com:443
Then in the src directory, run:
sudo ./stunnel  /path/to/stunnel.conf
Once stunnel has started, go to the Finder's "Connect to Server" function. Use
http://127.0.0.1:7777/dav/enabled/path
as the server location. You can add additional entries for additional servers, by adding blocks, such as the following, to stunnel.conf:
[Server2]
accept  = 7778
connect = AnotherServer.com:443
Be sure to use different port numbers in the accept line for each service you want to connect to. You'll have the convenience of a DAV filesystem, with SSL protection.

[robg adds: This tip provides more detail than did an earlier version.]

Make built-in DAV client work with HTTPS | 18 comments
Make built-in DAV client work with HTTPS
Authored by: JakBeatZ on Mar 11, '04 11:28:56AM

An easier way would be to just use ssh and do ssh tunnels. ssh is installed by default on all OS X clients 10.2+ via terminal and most machines should support sshd (except Windows).

I have tried, but haven't been able to get it working. Wonder if anyone else has given it a whirl.



Make built-in DAV client work with HTTPS
Authored by: rabblerouser on Mar 11, '04 01:11:03PM
SSH tunnels certainly work. Just make sure that you're not forwarding a local port to the https (443) port on the webdav server - you don't need to talk https because you're already tunneling over a secured connection.

The command would be something like this: ssh -L 8080:localhost:80 remote.server.name

Then just connect to http://localhost:8080/whateverdirectory/ and your webdav connection will be tunneled over the ssh connection you just established.

Once this is working, you can set up auto-login with authorized keys and then create a shell script containing the ssh command from above.

If you want to get really fancy, you could have that script launch at startup/login, and if you're using a laptop, use one of the network (re)connection utilities to restart the script if/when your network connection is interrupted.

Make built-in DAV client work with HTTPS
Authored by: kevinv on Mar 12, '04 09:45:49AM

The downside to ssh tunnels is that you have to have ssh running on the server side. Not everyone has control over the server to be able to ensure that.



Make built-in DAV client work with HTTPS
Authored by: rasputnik on Oct 11, '04 07:52:36AM

You'd need accounts on the server for that to work.



Make built-in DAV client work with HTTPS
Authored by: bostonmacosx on Mar 11, '04 01:29:42PM

Speculation:
Wouldn't it be nice to recompile the Finder and davfs with SSL support? EVERYTHING seems to have SSL support except for the Finder in OS X.
I would put money on this just being a switch which Apple has left unchecked to increase the performance of the Finder.

In addition, there are problems with many other third-party WebDAV solutions such as Sharemation, because instead of using the WebDAV trash, Apple wants all trashed items in the local .trash file, which causes issues.

Authentication cookies for webdav would be nice also.

WHEW.



Make built-in DAV client work with HTTPS
Authored by: omnivector on Mar 11, '04 01:57:53PM

I agree completely. The Finder NEEDS read/write ftp, sftp, and http/https webdav support. The fact that it doesn't do all this is stupid since they have the code to make it possible.

---
- Tristan



Make built-in DAV client work with HTTPS
Authored by: nl3vs on Mar 12, '04 12:19:35AM

Yeah, everything does seem to have SSL support. Too bad it's not all that secure. I like the ssh2 idea.



Make built-in DAV client work with HTTPS
Authored by: bhines on Mar 12, '04 02:15:31AM
Another option: Use 'cadaver', which is available in Fink.

fink install cadaver-ssl

Supports ssl out of the box. Works great with idisk.


THIS IS NOT SECURE.
Authored by: verbal on Mar 12, '04 06:30:46AM

Note that this is not at all secure. Sure, you get encryption, but what good is this encryption if there is no authentication taking place? None. Stunnel does not properly validate certificates if it even makes any attempt at validation at all (the examples in this hint do not enable any validation, and validation is not enabled by default). In other words, Stunnel will happily accept any certificate presented to it.

If this is an acceptable risk to you, great! Just don't expect that this is going to behave the same way as connecting to a secure site via https with a browser. A man-in-the-middle attack on SSL is trivial when no certificate validation is being performed.

SSL is a fine protocol as long as it is used properly. The problem is that it is rarely used properly, and garbage like Stunnel only serves to promote its misuse.



THIS IS NOT SECURE.
Authored by: kevinv on Mar 12, '04 10:17:26AM

For stunnel 3.x you can fix this by launching stunnel with:

sudo ./stunnel -v 2 /path/to/stunnel.conf

or

sudo ./stunnel -v 3 /path/to/stunnel.conf

The first (-v 2) causes Stunnel to require and verify certificates for every SSL connection. If no certificate or an invalid certificate is presented, then it will drop the connection.

The second causes Stunnel to only accept certificates listed in its trusted directory (usually /usr/local/ssl/certs/trusted).

You can also, at compile time, force a minimum setting for the -v options (the default is the insecure -v 0).

For Stunnel 4.x you can put the verify level in the config file:
verify = 2
verify = 3



THIS IS NOT SECURE.
Authored by: verbal on Mar 12, '04 02:17:36PM

It still does not do proper certificate validation even with these options set. It will perform the basic set of validation checks (make sure the cert is not expired, CRL checking, etc.); however, it will not do hostname verification checks, so you can still be man-in-the-middled. You are also responsible for obtaining the appropriate CRLs yourself and telling stunnel where to find them.



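The two objections in this sub-thread (any certificate is accepted unless a verify level is set, and even then the host name is never checked) and the hint's own configuration are easy to check mechanically. What follows is an added example, not code from the hint, from stunnel or from any poster: a small Python linter that parses a stunnel.conf in the format the hint uses and flags every client-mode service that lacks chain verification, trust anchors or a host-name check, that listens on every interface, or that reuses an accept port. It assumes stunnel 4.x configuration syntax for verify, CAfile and CApath, treats checkHost as available (an option stunnel added in its 5.x releases, well after the 3.x/4.x builds discussed here), and uses /path/to/ca-bundle.pem as a placeholder path.

```python
"""Lint a stunnel.conf for the weaknesses discussed in this thread.

For every client-mode service it reports:
  * verify missing or below 2        -> any certificate is accepted (no authentication)
  * verify >= 2 but no CAfile/CApath -> no trust store to verify against
  * no checkHost                     -> certificate never matched against the server name
  * accept without a host part       -> the tunnel listens on every interface
  * two services sharing one accept port
Assumed: stunnel 4.x/5.x config syntax; checkHost is a 5.x option.
"""
import re
from typing import Dict, List, Tuple

Section = Dict[str, str]
Finding = Tuple[str, str]  # (service name, message)


def parse_stunnel_conf(text: str) -> Tuple[Section, Dict[str, Section]]:
    """Return (global options, {service name: service options}).

    The file is INI-like: `key = value` lines, `[name]` headers and `#`
    comment lines.  Option names are compared case-insensitively here.
    """
    global_opts: Section = {}
    services: Dict[str, Section] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = services.setdefault(header.group(1).strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return global_opts, services


def lint(text: str) -> List[Finding]:
    """Apply the checks above; an empty list means nothing was flagged."""
    global_opts, services = parse_stunnel_conf(text)
    findings: List[Finding] = []
    ports_in_use: Dict[str, str] = {}
    for name, opts in services.items():
        eff = {**global_opts, **opts}  # service options override global defaults
        if eff.get("client", "no").lower() != "yes":
            continue  # server-mode sections are outside this thread's scope
        if "connect" not in eff:
            findings.append((name, "no connect target"))
        accept = eff.get("accept")
        if accept is None:
            findings.append((name, "no accept port"))
        else:
            host, _, port = accept.rpartition(":")
            if not host:
                findings.append((name, f"accept={accept} binds every interface; use 127.0.0.1:{port}"))
            if port in ports_in_use:
                findings.append((name, f"accept port {port} already used by [{ports_in_use[port]}]"))
            else:
                ports_in_use[port] = name
        verify = int(eff.get("verify", "0"))
        if verify < 2:
            findings.append((name, f"verify={verify}: any certificate is accepted, so a man-in-the-middle is trivial"))
        elif "cafile" not in eff and "capath" not in eff:
            findings.append((name, "verify>=2 but no CAfile/CApath: no trust store to verify against"))
        if "checkhost" not in eff:
            findings.append((name, "no checkHost: certificate never matched against the server name"))
    return findings


# Constructed copy of the configuration from the hint.
HINT_CONF = """\
pid=/tmp/stunnel.pid
foreground=yes
setuid=nobody
setgid=nobody
client=yes
[RemoteServer1]
accept  = 7777
connect = RemoteServer.com:443
[Server2]
accept  = 7778
connect = AnotherServer.com:443
"""

# Hardened version: chain verification against a CA bundle (placeholder path),
# loopback-only listeners, and a per-service host name check.
HARDENED_CONF = """\
pid=/tmp/stunnel.pid
foreground=yes
setuid=nobody
setgid=nobody
client=yes
# verify the peer certificate chain (stunnel 4.x syntax, kevinv's 'verify = 2')
verify = 2
# placeholder: the CA bundle the server certificates must chain to
CAfile = /path/to/ca-bundle.pem
[RemoteServer1]
accept  = 127.0.0.1:7777
connect = RemoteServer.com:443
# stunnel 5.x: reject certificates not issued for this host name
checkHost = RemoteServer.com
[Server2]
accept  = 127.0.0.1:7778
connect = AnotherServer.com:443
checkHost = AnotherServer.com
"""

if __name__ == "__main__":
    for label, conf in (("hint", HINT_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(lint(conf))} finding(s)")
        for service, message in lint(conf):
            print(f"  [{service}] {message}")
```

Run it directly to print the findings for the two embedded configurations: the hint's config yields six (two services, each without a host on accept, without a verify level and without checkHost), the hardened one none. Setting verify = 2 without a CAfile leaves stunnel with nothing to chain the server certificate to, which is why that combination is reported as its own finding rather than treated as fixed.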
THIS IS NOT SECURE.
Authored by: paulsomm on Apr 02, '05 05:33:01PM

It's still better than everything going cleartext.

The problem with posts decrying "this is not secure" is that it is MORE secure than nothing. Sure, it can be man-in-the-middled. And, sure, if you're on a cable modem or school network it's likely someone will try. But it's still much better than no encryption at all.

I applaud those trying to use even marginal security, since most people just don't care or don't have a clue how to try. I think the real "fix" here is for the vendors and standards organizations to start taking security much more seriously and start pushing to include secured technologies by default, not as options.

If you're truly so paranoid that SSL'ing your connection still frightens you, I don't think you want to be keeping your documents on a publicly accessible server anyway.



Make built-in DAV client work with HTTPS
Authored by: chanezon on May 12, '04 12:33:04PM

I tried an ssh tunnel to my server on port 80, and it worked with Goliath, but not in Finder.
I thought it did not work with Finder because I use localhost:8000 and Finder seems to forget the port number part.
I then mapped it to port 80 on localhost, but then I can see it in the browser but even Goliath does not work.
All this is not very mature yet!



Make built-in DAV client work with HTTPS
Authored by: liyanage on Jun 16, '04 11:22:49AM

I think this will break as soon as you try to rename files. The server will freak out because it sees a mismatch in the URL scheme (https/http) and/or port number.



Make built-in DAV client work with HTTPS
Authored by: rasputnik on Oct 11, '04 07:55:17AM

It does :)

The only fix that springs to mind is to forward local port 443 and mess with your hosts file to fool the Finder into thinking it's running on the server.

Haven't managed to get that working yet, though...



COPY and MOVE are broken
Authored by: rasputnik on Oct 12, '04 09:34:31AM

Because the destination field is a fully-qualified URL, the protocol and host don't match those on the server.

It's fixable by

a) adding a ServerAlias of 'localhost' to the server

AND

b) patching util.c to ignore the protocol sent in the Destination: header

(this is for apache 2.0.52)


-----------------------------------------------------

--- modules/dav/main/util.c.orig Mon Oct 11 16:23:29 2004
+++ modules/dav/main/util.c Tue Oct 12 13:59:56 2004
@@ -175,6 +175,9 @@
return result;
}

+ /* force the scheme to be ssl */
+ comp.scheme = "https";
+
/* the URI must be an absoluteURI (WEBDAV S9.3) */
if (comp.scheme == NULL && must_be_absolute) {
result.err.status = HTTP_BAD_REQUEST;
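Review bot: the added `comp.scheme = "https";` is unconditional, so the check three lines below it, `if (comp.scheme == NULL && must_be_absolute)`, can no longer fire: a relative Destination URI that the server was supposed to reject as non-absolute now passes with a forged scheme, and the rewrite also applies to every request the server handles, not only those arriving through the local tunnel. Guard the assignment, for example `if (comp.scheme != NULL && strcmp(comp.scheme, "http") == 0) comp.scheme = "https";`, and consider limiting it to the virtual host that serves the tunneled clients. A comment explaining why the scheme is forced would also help whoever carries this local patch forward past 2.0.52.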
-------------------------------------------------------------------------------------






Make built-in DAV client work with HTTPS
Authored by: oliverbock on Aug 28, '04 04:57:48AM
To get stunnel to start automatically when your Mac starts:
$ sudo mkdir /Library/StartupItems/stunnel
$ sudo cp stunnel-download-dir/tools/stunnel.init /Library/StartupItems/stunnel/stunnel
$ sudo chmod 755 /Library/StartupItems/stunnel/stunnel
Edit the /Library/StartupItems/stunnel/stunnel and change
$DAEMON || echo -n " failed"
to
$DAEMON /path/to/stunnel.conf || echo -n " failed"
As root, save this text into /Library/StartupItems/stunnel/StartupParameters.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Description</key>
        <string>stunnel</string>
        <key>OrderPreference</key>
        <string>None</string>
        <key>Provides</key>
        <array>
                <string>stunnel</string>
        </array>
        <key>Requires</key>
        <array>
                <string>Network</string>
                <string>Resolver</string>
        </array>
        </dict>
</plist>
I got my information on StartupItems from http://developer.apple.com/documentation/MacOSX/Conceptual/BPSystemStartup/Tasks/CreatingStartupItems.html

Make built-in DAV client work with HTTPS
Authored by: legacyb4 on Sep 23, '04 10:46:55PM
Goliath 1.01 works fine connecting my Mac (10.3.5) to an IIS 5.0-powered WebDAV server running SSL.

Prompts me if I want to accept the internally generated certificate and performance is quite good.
