Disable client certificates entirely

[oddeirik]

I've recently configured Gitblit 1.8.0 with a proper, CA-signed SSL certificate. (This in itself was a bit of a pain trying to convert the certificate to a format that keytool and/or portecle could handle that also included the private key, but #1050 got me on the right track).

So now all's well, right? Well, sort of. It turns out that some users are now asked which client certificate to use when opening the web interface. We're using Skype for Business via Office 365 and it seems that the Skype client installs a self-signed client certificate on the user's computer). Chrome and IE/Edge will pop up asking whether to use this certificate or not (while Firefox/Firefox Dev will not, curiously enough) when navigating to the Gitblit web interface. This is, of course, bound to cause problems because clicking Ok/Accept on this certificate will cause the page to fail to load (net::ERR_CONNECTION_CLOSED in Chrome). Closing the dialog or hitting Cancel works, but I'd rather not have that confusing dialog there at all :)

Looking through defaults.properties, I found this:

# If serving over https (recommended) you might consider requiring clients to
# authenticate with ssl certificates.  If enabled, only https clients with the
# a valid client certificate will be able to access Gitblit.
#
# If disabled, client certificate authentication is optional and will be tried
# first before falling-back to form authentication or basic authentication.
#
# Requiring client certificates to access any of Gitblit may be too extreme,
# consider this carefully.
#
# SINCE 1.2.0
# RESTART REQUIRED
server.requireClientCertificates = false

Is there a way to entirely disable client certificates entirely and not make them optional? And why is this suddenly happening because I've used a different SSL certificate for Gitblit?

server.requireClientCertificates is of course not overridden in my own configuration gitblit.properties file.

I don't think there's an easy way to disable the client certificates in Skype for Business either, not as long as it's hosted off of Office 365 at least.

[gitblit]

No, not without hacking the server launcher. I have no idea why the Skype for Business cert confuses things.

[oddeirik]

I'm not entirely sure why Lync/Skype has to install a client certificate either, but it's not trivial to disable for us it seems.

Would it be possible to add another setting called server.wantClientCertificates, and do something like this in GitBlitServer.java?

if (params.requireClientCertificates) {
    factory.setNeedClientAuth(true);
} else {
    factory.setWantClientAuth((params.wantClientCertificates));
}

Is setting setWantClientAuth to false enough to stop it asking for any client certificates at all? If so, I can probably create a small PR that includes a new setting for this.

[gitblit]

Yes, that should disable certificate logins but you should test it first. I'm open to a PR.

[flaix]

Chrome and IE/Edge will pop up asking whether to use this certificate or not (while Firefox/Firefox Dev will not, curiously enough)

This is easily explained. Windows has a certificate store that is used by IE and also by Chrome. Firefox does not use the Windows certificate store but uses its own storage for certificates. Thus it doesn't know anything about the Skype certificate.

[oddeirik]

Ah, that does explain it. Thanks!

I've had my "fix" running on our server for about a week now, and there have been no more complaints from users about certificate popups, so I'm happy at least :)

[KOTRET]

Could this PR be pushed into any future release, please?
Users are getting the client-cert-selection dialogue to authenticate and some of them accidentally click on any cert and after that are unable to continue because gitblit does not respond properly on any request (ERR_EMPTY_RESPONSE). Reopening the browser is the only solution.

[Crydust]

Is this included in 1.9.3?

[KOTRET]

no