Support mutual TLS auth #276
Comments
On Android Files app we do support accepting self-signed certs. |
@zebardy can you reply please? |
I think what I was looking at was extending the com.owncloud.android.lib.common.OwnCloudClient similar to this https://callistaenterprise.se/blogg/teknik/2011/11/24/android-tlsssl-mutual-authentication/ and then allowing applications consuming the library to pass in their own keystore. However I'm trying to look at other ways around this. Is there an approach you would recommend? My time has been shorter than I had anticipated of late. Thanks for looking at this and taking the time to respond. |
Ah, now I get it.
As we currently do not need this, there is no plan to include it. |
If the approach sounds sensible, then it may be something to work on in a fork and submit as a PR. I was ultimately looking to support mutual TLS in the nextcloud app, and starting from the client library upwards. Supporting this in the client library would also allow for other apps or tools to make use of this. |
Hi, so I have a proof of concept working ( zebardy/nextcloud-android-library@zebardy:05edb6f6357d00a5fe1d17bed816690a8c83b741...zebardy:3325819c1de6c2b9b7105638296ef8b12cb6a0e2 ). It's not a pull request yet. It's got some hacky parts & lots of debug comments. However it works. I had to make some changes to the way that the nextcloudclient kotlin code works. OkHttpClient is not really designed to be subclassed. Doing this made things really challenging due to the private or package level classes in the OkHttp package. This made it impossible to access or set the variable I needed. So I ended up moving it away from subclassing. The associated changes to the android app are ( https://github.com/zebardy/nextcloud-android/compare/zebardy:9c83e0cea3d7d318a9a11de56bec49c1ccbb520c...zebardy:858f2ccd06d1defdc9f8bc5981c99710f96ff911?diff=unified#diff-587dc61f19cacc80fdba456dee2cfeea ). In both cases please ignore my changes to the gradle and build scripts, these are all associated with getting things running on my setup and need cleaning up. |
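Since OkHttpClient is final, the client certificate has to be supplied through the Builder rather than by subclassing. The following is an added illustration of that configuration, not code from zebardy's branch or from the Nextcloud library; the PKCS#12 path, password and CA file are hypothetical inputs.

```kotlin
import okhttp3.OkHttpClient
import java.io.File
import java.io.FileInputStream
import java.security.KeyStore
import java.security.cert.CertificateFactory
import java.util.concurrent.TimeUnit
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

// Build a trust store holding only the private CA that signed the proxy's server cert.
// caCertFile is a hypothetical PEM or DER encoded CA certificate.
fun loadCaStore(caCertFile: File): KeyStore {
    val ca = FileInputStream(caCertFile).use {
        CertificateFactory.getInstance("X.509").generateCertificate(it)
    }
    return KeyStore.getInstance(KeyStore.getDefaultType()).apply {
        load(null, null)              // empty in-memory store
        setCertificateEntry("ca", ca) // trust exactly this CA, not the platform set
    }
}

// Build an OkHttpClient that presents the client cert from a PKCS#12 file (hypothetical path)
// and validates the server against the CA-only trust store above.
fun buildMutualTlsClient(clientP12: File, p12Password: CharArray, caStore: KeyStore): OkHttpClient {
    val clientStore = KeyStore.getInstance("PKCS12").apply {
        FileInputStream(clientP12).use { load(it, p12Password) }
    }
    // KeyManagers supply the client identity during the TLS handshake.
    val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()).apply {
        init(clientStore, p12Password)
    }
    // TrustManager decides whether the reverse proxy's certificate is acceptable.
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).apply {
        init(caStore)
    }
    val trustManager = tmf.trustManagers.filterIsInstance<X509TrustManager>().firstOrNull()
        ?: error("no X509TrustManager available")
    val sslContext = SSLContext.getInstance("TLS").apply {
        init(kmf.keyManagers, arrayOf(trustManager), null)
    }
    // OkHttp needs the trust manager passed explicitly alongside the socket factory.
    // Reuse the returned client for all requests instead of rebuilding it per call.
    return OkHttpClient.Builder()
        .sslSocketFactory(sslContext.socketFactory, trustManager)
        .connectTimeout(30, TimeUnit.SECONDS)
        .build()
}
```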
@tobiasKaminsky is AFK right now but can hopefully reply later today/this week. ❤️ |
Hi, any thoughts regarding this? I think I've found a bug where the Kotlin code using OkHttp loses the client cert after a while. Need to figure out how to capture the exception as it happens after a period of use on my phone. Would be grateful for feedback and/or suggestions. Thanks |
Cert usage should be now back in, even with newest v2/okhttp. |
Apologies, can you expand on your reply? I'm not quite sure what you mean, so I'm probably missing some context. |
Ah. Sorry. I was misreading this. Can you provide me with a test account? |
Unfortunately it's challenging for me to provide you with a test account on my setup at the moment. I can provide information and help for setting up your own test setup. All that is needed is an nginx reverse proxy handling the TLS in front of a Nextcloud instance. The tricky bit is creating/setting up the CA and signing the server and client certs. I have some openssl commands that should allow you to generate just enough of the PKI for testing. |
This would be enough, I guess :-) |
Hi, sorry this took a while. Got back from leave and COVID-19 hit. This information should be enough to generate all of the keys & certs and configure an nginx proxy with mutual TLS auth. This is laid out for the reverse proxy listening on 443 and forwarding to a Nextcloud instance listening on port 80 on the same machine. Shouldn't be too hard to create a sidecar container from this to do similar for Nextcloud running containerised. Hope this helps. Let me know if there is anything else that could help!

Dependencies
These instructions are based upon running the commands on a Debian based Linux (in my case Debian stretch). The dependencies can be installed using the command below:-

Cert generation

CA cert
Generate the CA signing key and CA cert:-

Server cert
First generate a server key:-
Generate a certificate signing request (CSR) for your server. Replace example.com with the main domain of your server. This will create a CSR for a cert valid for all subdomains of that domain:-
Next use the CSR to generate a cert signed by the CA key:-

Client cert
You can now generate as many TLS client certs as you need. Replace

Nginx config
First copy the CA certificate, server certificate and server key to a location for use with nginx
The following nginx config will set up a reverse proxy listening on port 443 and requiring a client cert to connect to. You can replace the main nginx config in
|
Hi, is there any update or suggestions for helping to progress this? Happy to do some more work here, but think it needs an opinion and possibly some guidance for general desired direction of implementation. Thanks |
I unfortunately do not have much time for this right now. |
Hi, 3 years later and I finally have the time and headspace to pick this back up again. I've been looking through everything and have some ideas of how to implement this better. However, looking at the repository README.md, the suggested approach to take is to discuss your issue/feature request with developers until it is approved before developing (label "approved"). What would you like for me to share on this for the issue to be approved? Many thanks |
Is this being actively worked on? It would be a great addition. |
Hi, Is an update to be expected here? For several projects we have, a better integration for the use of certificates would be helpful. Maybe also simply design a plugin where you can not only simplify the setup in general, but also easily connect CA outside? |
I believe this is done per #1308 |
Hi,
I have a deployment of Nextcloud behind a reverse proxy which secures the connection via mutual TLS with client certs. Supporting this would require extending com.owncloud.android.lib.common.OwnCloudClient to support mutual TLS authentication and loading a keystore containing the cert to use.