
🔑 Use SSL Client Certificate to improve security

Open Heracles31 opened this issue 5 years ago • 47 comments

Expected behaviour

Option to configure a Nextcloud account to include an SSL User's Private Key and Certificate to connect to the server.

The use of an SSL Client certificate greatly improves the security. It protects the SSL connection against SSL decryptors deployed here and there and many other threats. It also improves the security in the mobile device by moving the private key to a memory space where nothing can touch it.

As a first step, it should be easy to add this as an extra option to account but still require the password or the access token. In a further release, it would be possible to use the certificate as the only authentication but that requires more effort and more config in the SSL engine facing the Nextcloud service as well as in the Nextcloud config itself to map certificates names to usernames.

Actual behaviour

Using such a client-side certificate is not an option as of now.

Steps to reproduce

N/A

iOS version

N/A

App version

Latest

Server configuration

N/A

Operating system: N/A

Web server: N/A

Database: N/A

PHP version: N/A

Nextcloud version: (see Nextcloud admin page) N/A

Heracles31 avatar Apr 28 '19 17:04 Heracles31

+1 Yeah, I'd like to have that too.

thecoindalorian avatar Apr 29 '19 17:04 thecoindalorian

+1 😁

cecom avatar Jun 03 '19 11:06 cecom

+1

fhoner avatar Oct 19 '19 12:10 fhoner

This would definitely be a great option to improve security.

renini avatar Jan 31 '20 19:01 renini

TLS client certificates are a powerful feature to improve security and add an additional factor to it.

binlab avatar Apr 07 '20 20:04 binlab

+1 here. I tried and added my client certificate to the iOS certificate store, but this does not seem to be sufficient. After adding the certificate Safari can access the server, but the Nextcloud client reports: Connection error: The network connection was lost. Without the client certificate this setup works.

alexswerner avatar Apr 12 '20 14:04 alexswerner

According to Apple documentation, apps have to write their own code to import SSL client certificates. It also outlines how to implement the feature. Hope to see support for this.

pellaeon avatar Aug 16 '20 00:08 pellaeon

+1 Would be very nice to have this feature for iOS (also for the Android and Windows clients :) )

boombata avatar Jan 18 '21 22:01 boombata

+1

tdotu avatar Feb 12 '21 00:02 tdotu

+1

lfdla avatar Feb 14 '21 21:02 lfdla

Came here searching for this, and so adding another vote. I know this is sadly a problem with iOS and Apple's design decision to not allow apps to access the system keychain. Appreciate any time spent on a workaround.

aniqueta avatar Mar 04 '21 01:03 aniqueta

@marinofaggiana could you please look at this issue? There are a lot of votes for this. This possibility is already implemented in the Desktop Nextcloud Client and provides a considerable enterprise level of additional security; it also prevents any brute-force attacks against the Nextcloud endpoint at the application level and provides protected access at the network level. Nowadays, an alternative solution for providing the same level of security is using a VPN tunnel (such as OpenVPN with certificate-based access), which is much less convenient on mobile devices.

binlab avatar Mar 04 '21 10:03 binlab

Ditto to this request. Multi-factor auth with a trusted PKI is the only great way to bump security exponentially.

jogalt avatar Apr 20 '21 13:04 jogalt

Hi all, I'm doing some tests in development, who wants to participate?

marinofaggiana avatar May 13 '21 18:05 marinofaggiana

I'm in.

jogalt avatar May 13 '21 20:05 jogalt

The first point is:

  • 1. you install the certificate for the host abc.com (the certificate must be in DER format)
  • 2. when the certificate of the host changes (renewal or other), is it mandatory to install a new certificate, or is it possible to trust the new certificate with a prompt?

m.

marinofaggiana avatar May 14 '21 08:05 marinofaggiana

Can you clarify what you're hoping to accomplish? I've previously installed a functional client certificate on my iPhone and validated that it works by accessing my Nextcloud instance via Safari.

I installed it by pushing the certificate with Apple Configurator in a p12 format.

On the host, I set the SSLVerifyClient (Apache2 config) to the correct depth and chose the correct CAs to validate against.

jogalt avatar May 14 '21 12:05 jogalt

Hi @jogalt, yes, you have installed a root certificate, but I don't have any control over that. I only have control when a URLAuthenticationChallenge happens, so for that I can use a copy of the certificate to compare against the handshake.

What else?

marinofaggiana avatar May 14 '21 12:05 marinofaggiana
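For readers following the discussion above about an app having to import the client certificate itself and only getting control at the URLAuthenticationChallenge, here is an added example of what that handler looks like. It is not the Nextcloud iOS app's code; the `.p12` data and passphrase are assumed to come from the user (for example a file picker), and the server-trust branch deliberately keeps the system's default evaluation.

```swift
import Foundation
import Security

/// Added example (not the Nextcloud iOS app's code): answers the client-certificate
/// challenge that URLSession raises during the TLS handshake when the server requires
/// a client certificate. The identity is imported by the app from a PKCS#12 blob,
/// because iOS does not let third-party apps read identities from the system keychain.
final class ClientCertSessionDelegate: NSObject, URLSessionDelegate {
    private let identity: SecIdentity

    /// `p12Data` and `password` are assumed inputs supplied by the user.
    /// A wrong passphrase or malformed bundle makes the initializer fail instead of
    /// silently continuing without an identity.
    init?(p12Data: Data, password: String) {
        var rawItems: CFArray?
        let options = [kSecImportExportPassphrase as String: password] as CFDictionary
        guard SecPKCS12Import(p12Data as CFData, options, &rawItems) == errSecSuccess,
              let items = rawItems as? [[String: Any]],
              let first = items.first,
              let identityRef = first[kSecImportItemIdentity as String] else {
            return nil
        }
        identity = identityRef as! SecIdentity
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        switch challenge.protectionSpace.authenticationMethod {
        case NSURLAuthenticationMethodClientCertificate:
            // The server asked for a client certificate: present the imported identity.
            // `certificates: nil` sends only the leaf; append intermediates here if the
            // server's verification depth cannot reach the CA without them.
            let credential = URLCredential(identity: identity,
                                           certificates: nil,
                                           persistence: .forSession)
            completionHandler(.useCredential, credential)
        default:
            // Server trust and every other method: keep the system's default
            // evaluation. Never answer the server-trust challenge with a blanket
            // credential, as that would disable server certificate validation.
            completionHandler(.performDefaultHandling, nil)
        }
    }
}
```

Pass an instance as the `delegate` of `URLSession(configuration:delegate:delegateQueue:)`; the challenge arrives once per connection, so a server that rotates its own certificate does not require re-importing the client identity.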

Hi,

Of course, I am all in too :-)

Both my public and private instances use a Let's Encrypt certificate on the server side. The client-side certificate is optional when connecting to the public instance (cloud . jblan . org) but required for the private one (jb-cloud . jblan . org). They must be from my private CA.

You can PM me with a temporary password and I will provide you with a private key and certificate, as well as an account on my servers.

Should you need me to connect to your server for testing, just provide me with the info and access material and I will be pleased to assist you.

Thanks in advance,

Heracles31 avatar May 14 '21 13:05 Heracles31

I'm happy and interested to test too. Thanks!

aniqueta avatar May 14 '21 17:05 aniqueta

@marinofaggiana My instance is not public facing and sits behind several firewalls. I defer to @Heracles31 for additional support on this.

jogalt avatar May 14 '21 17:05 jogalt

@marinofaggiana I will be glad to take part in testing this functionality. Thank you!

binlab avatar May 15 '21 07:05 binlab

@marinofaggiana I would like to test it too.

matty67 avatar Jul 24 '21 14:07 matty67

Sorry if this is already in this feature request:

In addition to an SSL client certificate requesting function inside Nextcloud, I would be interested in a function to request it only for certain user groups.

Using the Registration App one is able to provide user self-registration. This is fine for internal users when Nextcloud is e.g. protected by a web server which requests an SSL client certificate. But for guests this is not fine, as there I want to use the Nextcloud internal invitation and not send (special) client certificates to the guests. This functionality I cannot manage e.g. in Apache.

JensInc avatar Jul 30 '21 11:07 JensInc

+1 for this feature request. I was hoping Cloudflare Teams could protect the app, but it seems cert auth is the only way to go.

SeaniedIRE avatar Jan 23 '22 17:01 SeaniedIRE

Surprised this mTLS feature still does not get the attention it deserves. It would easily reduce the attack surface of Nextcloud installations by 99%.

Would happily join/support any beta test on multiple devices/servers.

escapechen avatar Feb 13 '22 17:02 escapechen

+1 This would really improve the security of my Nextcloud server a lot and make Nextcloud an option for many enterprise environments.

Niklasschoenb avatar Feb 16 '22 21:02 Niklasschoenb

+1. Having at least the capability to authenticate the user using a client certificate in the mobile app would be a good starting point. mTLS is being widely adopted, I wonder why Nextcloud is not following this recommendation.

igomezl avatar Apr 17 '22 09:04 igomezl

+1 Prevents client platform switching to iOS.

mkofahl avatar Jun 12 '22 08:06 mkofahl

+1

muqiuq avatar Sep 11 '22 17:09 muqiuq