From 0f464658cc6aef34d27611a09cb743c576fdc848 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Wed, 19 Jan 2022 19:10:43 +0100
Subject: [PATCH] [WebAuthn] disable webauthn rootca by mailcow.conf

---
 data/web/inc/prerequisites.inc.php | 5 +++--
 docker-compose.yml | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php
index a5f9f9148..2cf71bd89 100644
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -62,8 +62,9 @@ $tfa = new RobThree\Auth\TwoFactorAuth($OTP_LABEL, 6, 30, 'sha1', $qrprovider);
 // FIDO2
 $formats = $GLOBALS['FIDO2_FORMATS'];
 $WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['HTTP_HOST'], $formats);
-// only include root ca's when dev mode is false, to support testing with chromiums virutal authenticator
-if (!$DEV_MODE){
+// only include root ca's when needed
+$WEBAUTHN_DISABLE_ROOTCA = (getenv('WEBAUTHN_DISABLE_ROOTCA') == 'y');
+if (!$WEBAUTHN_DISABLE_ROOTCA){
 $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/solo.pem');
 $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/apple.pem');
 $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/nitro.pem');
diff --git a/docker-compose.yml b/docker-compose.yml
index 20d182c24..6e0a6ed73 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -157,6 +157,7 @@ services:
 - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
 - MASTER=${MASTER:-y}
 - DEV_MODE=${DEV_MODE:-n}
+ - WEBAUTHN_DISABLE_ROOTCA=${WEBAUTHN_DISABLE_ROOTCA:-n}
 restart: always
 networks:
 mailcow-network:
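Review bot: The new comment `// only include root ca's when needed` drops the one piece of information the old comment carried — why an operator would ever skip the root CAs — and does not say what skipping them costs, which matters because without the vendor roots the attestation chain of a registering authenticator is no longer validated against a known root. The added `getenv(...) == 'y'` line also uses loose comparison where `===` is the safe default for a security switch; only the exact string `'y'` disables the CAs, so anything else (including an unset variable) keeps them, which is the right fail-safe direction and worth stating. I would change the two added lines to `// Root CAs are skipped only when WEBAUTHN_DISABLE_ROOTCA=y (e.g. to test with Chromium's virtual authenticator); without them, attestation chains are not checked against vendor roots.` and `$WEBAUTHN_DISABLE_ROOTCA = (getenv('WEBAUTHN_DISABLE_ROOTCA') === 'y');`. Note that `DEV_MODE` no longer has any effect on this block, so deployments that relied on it for testing need the new variable; the `if` body continues past the end of the hunk.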
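Review bot: The added `WEBAUTHN_DISABLE_ROOTCA=${WEBAUTHN_DISABLE_ROOTCA:-n}` line is the only place the new setting is introduced; the diffstat shows no change to the file or script that produces mailcow.conf, so despite the commit title the option will not appear in a generated mailcow.conf and operators can only discover it by reading docker-compose.yml. If mailcow.conf is generated by a script elsewhere in the tree, that script should gain the same variable with a one-line comment explaining that `y` disables root-CA validation of WebAuthn attestation and is meant for testing only. The `:-n` default is the correct safe default and should stay.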