How to set up a secure webdav area on an Apache 2.0 server that can hold an Adobe Acrobat 8 shared review document

From UConn PAN
Jump to navigation Jump to search

Adobe Acrobat 8 has a new powerful feature for distributed authoring called "shared review". In a shared review, the lead author creates a draft of the document using Acrobat 8. He then posts a copy in a read-only area on a web site and sends around an email message to the other others that contains a link to the original. When the recipients of the email open the draft document in Adobe Reader 8 (only the free reader is required to do this!) it opens with instructions on how to edit their changes into the document. It also provides two sharing buttons, one to share one's own changes with fellow authors and the other to update one's copy with changes entered by others. All of this happens live, so that changes shared by one author can be concurrently imported by all other authors at the moment they are shared or any time thereafter.

Adobe talks webdav

The network communication is handled transparently by Adobe Reader using the webdav protocol. Obviously, the original author has to set that up. He does that by entering the url of a webdav area that will hold the updates. This is different from the draft document itself and need not even be on the same web server, although obviously it can be.

Having already learned how to set up a secure webdav area on an Apache 2.0 server that is mountable from windows I though that it would be easy to configure my server to host Acrobat shared reviews. How wrong I was!

Problem 1: Acrobat 8 complains that "The Shared Folder Location provided is not valid"

This problem I managed to solve, at least on the Windows version of Acrobat 8. It was complicated by the fact that the http communication is done by Acrobat behind the scenes without any way for the user to see or manage how the connection is being handled. When the connection uses ssl, how certificates are being validated and how client certificates, if any, are being selected is mysterious. I decided right away to give up on client certificates, and just try to use http basic authentication over ssl to protect my site. Even this was not easy. The reason for this was that my ssl.conf configuration for the secure portion of my web site contained the following couple of lines 

SSLVerifyClient optional
SSLVerifyDepth  10

By luck and a lot of trial and error, I discovered that commenting out these lines allowed the Acrobat 8 ssl key exchange to work with my Apache server. Unfortunately, this conflicts with another application on my web site, phpMyAdmin, which I protect using a private client certificate. Removing the SSLVerifyClient optional setting from the top-level of my site ssl configuration made the client authentication fail for phpMyAdmin, even when the SSLVerifyClient directives from the top level were moved into the phpMyAdmin directory clause. Fortunately, my server hosts multiple IP addresses, so it was easy to set up two virtual hosts and dedicate one to serving webdav for Acrobat shared reviews.

Because fellow authors rarely have client certificates that I know I can rely on, it is easier to use http basic authentication anyway, so I never tried to get client certs to work with Acrobat shared reviews. Maybe some day when pki technology becomes widespread in the scientific community, it will make sense to revisit the question.

Problem 2: Adobe Reader 8 on the Mac will not connect to my webdav server over ssl

This problem I have not yet managed to solve. Adobe Reader on Windows works fine with the exact same shared review. I spent quite a bit of time on it, trying to make it work on the Mac. I tried importing the complete chain of signer certificates directly into the cert store maintained by Adobe Reader itself, but still no success. The ssl key exchange fails during the connection process. The Apache server log shows the following entry. 

[Sun Aug 26 10:42:27 2007] [info] Connection to child 7
  established (server gryphn.phys.uconn.edu:443, client
  68.118.192.252)
[Sun Aug 26 10:42:27 2007] [info] Seeding PRNG with 136 bytes
  of entropy
[Sun Aug 26 10:42:27 2007] [error] SSL handshake failed
  (server gryphn.phys.uconn.edu:443, client 68.118.192.252)
[Sun Aug 26 10:42:27 2007] [error] SSL Library Error:
  336151576 error:14094418:SSL routines:func(148):reason(1048)

The error reason 1048 seems to indicate a problem validating the signature on the host server certificate. That is why I worked on getting Adobe Reader to recognize my signers as legitimate signing authorities. It seemed to make no difference. For now, I must resign myself to not using shared reviews because too many of my colleagues use the Mac. So far, no one out on the message boards seems to have run into this problem. When someone solves it, I will post the answer here.

Retrieved from "https://zeus.phys.uconn.edu/wiki/index.php?title=How_to_set_up_a_secure_webdav_area_on_an_Apache_2.0_server_that_can_hold_an_Adobe_Acrobat_8_shared_review_document&oldid=2479"