Support client certificates when connecting to Nextcloud
Steps to reproduce
1.- Fresh install of Talk iOS.
2.- Put the URL "https://xxxx.xxxx.xxx/path/" of the Nextcloud server to do the login. (The URL is really an apache2 reverse proxy to the Nextcloud server.)
3.- Push the login button.
Expected behaviour
The screen asking for the user and password must be shown.
Actual behaviour
The url screen throws something like:
"Server Nextcloud not found.
The connection has been lost. Please, check that the url from server is correct." (It's a translation)
Device information
Device: iPhone X
iOS version: ???
Talk version: v21.0.5
Server information
Nextcloud version: v28.0.10
Talk version: v18.0.12
Custom Signaling server configured: no
Custom TURN server configured: yes
Custom STUN server configured: yes
Server log (data/nextcloud.log)
The "host not found" error only happens with the iOS iPhone when I try to use apache2 with a client certificate (Apache option: "SSLClientVerify require"). When "SSLClientVerify none" or "SSLClientVerify optional" is configured, it works correctly and the server is found.
I can say that the CA on my apache2 for these client certificates is correct, because a lot of Nextcloud Talk Android clients connect correctly when they choose the correct "client certificate" at the beginning of the login screen.
The iPhone that fails has the "client certificate" installed in the "system keyvault of iOS". If the same iPhone tries to connect with its Safari browser to the same URL, it works correctly. So the problem seems related to Talk iOS not serving the "client certificate", or Talk iOS and the server not communicating correctly to choose the cipher or the transport protocol, or something like that.
For now I'm searching for info like:
https://help.nextcloud.com/t/nextcloud-access-problem-on-ios-behind-reverse-proxy-iis/85343
https://github.com/nextcloud/ios/issues/768
https://help.nextcloud.com/t/nextcloud-talk-ios-app-access-forbidden-csrf-check-failed/26952
https://help.nextcloud.com/t/nextcloud-access-problem-on-ios-behind-reverse-proxy-synology/75187
https://help.nextcloud.com/t/ios-talk-app-wont-login-just-spins-eternally/99189/10
https://github.com/nextcloud/server/issues/50619 (Could be this)
https://github.com/nextcloud/ios/issues/3436
Hey, thanks for the report. Currently there's no support for client certificates in Talk iOS and it is not tested against a server with client certificates enabled. So at this point in time, this is considered a feature request, not a bug.
As a side note, Nextcloud 28 is end of life, and the version you mentioned is not even the latest of the 28 cycle. I can't stress enough to use a supported version in the first place :-)
I will upgrade to the latest 28 in a short time. Well, looking at it from another POV, there could be some people who are interested in "Client Certificates" and have the latest Nextcloud Server and Talk Server versions. Like I said, Android Talk supports it.
I hope "Client Certificates" will be supported in the (near) future on Talk iOS. Do you think it will be too difficult to code? I remember that when I was looking for the support in the Android Talk client, I saw the patches for Android... I don't remember exactly if they were very large or difficult code... I hope not.
Thanks for the answer, @SystemKeeper
I will upgrade to the latest 28 in a short time.
Better even to a supported version..
I hope "Client Certificates" will be supported in the (near) future on Talk iOS.
Don’t want to crush your hopes, but there’s nothing planned for this.
Do you think it will be too difficult to code?
No idea, never looked into Client certs on iOS. Might be quick, but I can’t judge without further research.
@SystemKeeper, client certificates being, IMHO, a big security improvement for an ecosystem like Nextcloud, and being already supported on Nextcloud Server, the Nextcloud Talk Android client and the Nextcloud Android client, what could be the protocol/way to try to accelerate their development for Nextcloud iOS Talk?
With client certificate support you can make an effective protection barrier for the server without the need for other more complex systems like VPNs. The client certificate could be the real first front door for the control of "really trusted clients of Nextcloud".
How long will "things with... nothing planned" last?
@SystemKeeper, could it be that if "https://github.com/nextcloud/ios/issues/2975" (client certificates on Nextcloud iOS) improves enough, development of client certificates on Talk iOS speeds up?
There might be parts we can re-use for that, but since the files app uses a different login protocol version, we might need to support that first. So yea, possible it helps in development, but still not on our todo list, sorry. If someone else wants to take a look, happy to give some pointers if questions arise.
Would like to see this as a feature too.