iOS app is nagging with popup when server is configured for optional mtls / client certificate

Open ne20002 opened this issue 1 year ago • 4 comments

Steps to reproduce

I have an Nginx reverse proxy in front of my Nextcloud server. I've set up the server to support optional mTLS / client certificates where those are signed by my own CA.

The iOS app is now nagging me with a recurring popup stating that the server certificate has changed, which it indeed has not.

This is the Nginx setup:

    ssl_certificate         /etc/letsencrypt/live/<myserver>/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/<myserver>/privkey.pem;

    ssl_stapling            off;

    ssl_client_certificate  /etc/nginx/client_certs/clientCertsCA-chain.pem;
    ssl_verify_client       optional_no_ca;
    ssl_verify_depth        1;

The server's certificate is a valid Let's Encrypt certificate. The clientCertsCA-chain.pem is the root certificate of my own CA with which the client certificates are signed.

Expected behaviour

As long as I have not added a client certificate to the iOS app / device, nothing in particular should happen. The app should not show any error popups.

Actual behaviour

Every few minutes, or on actions in the app like update or download of a file, the following popup appears:

[image]

Actually, the Android client behaves as before, as do the Linux client and all DAV clients. Adding a client certificate to Firefox also works as expected (without any error, using the client certificate for authentication against the server).

I have rechecked by temporarily disabling the client certificate verification (the popups do not appear then).

iOS version: e.g. latest iOS on iPhone 8

Nextcloud iOS app version: Nextcloud-iOS/5.2.6

Server operating system: Debian Bookworm

Web server: Nginx

Database:

PHP version:

Nextcloud version: 28.0.5

ne20002, Apr 27 '24 16:04

@ne20002 implemented. Please test the version in TestFlight.

marinofaggiana, Jun 25 '24 06:06

Thank you for the response. Unfortunately I don't have access to TestFlight. The issue has been reported by a user using iOS. But I'm sure your fix will be ok.

ne20002, Jul 20 '24 19:07

It seems as if with 5.5.2 the problem is solved. The nagging disappeared. I need to verify that the optional client certificate is used when given, though.

ne20002, Aug 07 '24 14:08

Hi @ne20002,

Did you have time to check if the optional client certificate was used when given?

ctgvt, Oct 08 '24 00:10
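
One way to check from the server side whether an optional client certificate was presented and verified, which is the open question at the end of the thread. This is an added example, not part of the thread or the reporter's configuration; the log format name `mtls`, the log path, the `$client_cert_state` variable and the upstream address are assumptions.

```nginx
# http context: record the client-certificate outcome for every request.
# $ssl_client_verify is "NONE" (no certificate sent), "SUCCESS", or
# "FAILED:<reason>" when chain verification did not succeed.
log_format mtls '$remote_addr [$time_local] "$request" $status '
                'client_verify=$ssl_client_verify '
                'client_dn="$ssl_client_s_dn" '
                'client_fp=$ssl_client_fingerprint';

# Collapse the verification result into three states (assumed variable name).
map $ssl_client_verify $client_cert_state {
    default   "invalid";    # any FAILED:<reason>
    "SUCCESS" "verified";
    "NONE"    "absent";
}

server {
    listen 443 ssl;
    server_name <myserver>;                      # placeholder, as in the issue

    ssl_certificate         /etc/letsencrypt/live/<myserver>/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/<myserver>/privkey.pem;

    ssl_client_certificate  /etc/nginx/client_certs/clientCertsCA-chain.pem;
    ssl_verify_client       optional_no_ca;      # setting from the issue
    ssl_verify_depth        1;

    access_log /var/log/nginx/mtls_access.log mtls;   # assumed path

    # optional_no_ca requests a certificate but does not require it to be
    # signed by the CA above, so a certificate that fails verification is
    # still let through unless it is refused here. Clients that send no
    # certificate ("absent") stay allowed.
    if ($client_cert_state = "invalid") {
        return 403;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;        # assumed upstream address
    }
}
```

Requests from a client that used its certificate show `client_verify=SUCCESS` with the certificate's subject DN in the log; requests logged with `client_verify=NONE` were made without one.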