Nextcloud app is the only app that does not support client certificates #12876

Closed
4 tasks done
DimanNe opened this issue Apr 14, 2024 · 2 comments

DimanNe commented Apr 14, 2024

⚠️ Before posting ⚠️

  • This is a bug, not a question or an enhancement.
  • I've searched for similar issues and didn't find a duplicate.
  • I've written a clear and descriptive title for this issue, not just "Bug" or "Crash".
  • I agree to follow Nextcloud's Code of Conduct.

Steps to reproduce

  1. Create CA, server key/cert, client key/cert
  2. Install client certificate to Android
  3. Make sure your ssl proxy requires client certificates. An example for Cloudflare's pingora
  4. Try connecting/logging in to the instance via the official Nextcloud app
  5. Try also connecting to the instance using Browser and DavX5

Expected behaviour

Nextcloud app can connect

Actual behaviour

Nextcloud app says:

SSL initialisation failed

while all other apps (browser, davx5) allow me to choose which certificate to use

Android version

14

Device brand and model

Google Pixel 8 Pro

Stock or custom OS?

Stock

Nextcloud android app version

3.28.2

Nextcloud server version

28.0.4

Using a reverse proxy?

Yes

Android logs

         1713099616.840 26467 26467 I ImeTracker: com.nextcloud.client:83ca277f: onShown
         1713099617.843 26467 26467 I ImeTracker: com.nextcloud.client:8eb7404b: onRequestShow at ORIGIN_CLIENT_SHOW_SOFT_INPUT reason SHOW_SOFT_INPUT
         1713099617.844 26467 26467 D InputMethodManager: showSoftInput() view=com.google.android.material.textfield.TextInputEditText{ef880d5 VFED.VCL. .F.P..ID 0,0-1152,167 #7f0a026e app:id/host_url_input aid=1073741824} flags=0 reason=SHOW_SOFT_INPUT
         1713099617.857 26467 26467 D InsetsController: show(ime(), fromIme=true)
         1713099617.858 26467 26467 I ImeTracker: com.nextcloud.client:8eb7404b: onCancelled at PHASE_CLIENT_APPLY_ANIMATION
         1713099617.863 26467 26467 I AssistStructure: Flattened final assist data: 2340 bytes, containing 1 windows, 13 views
         1713099620.120 26467 26978 D ProfileInstaller: Skipping profile installation for com.nextcloud.client
         1713099631.037 26467 26467 D OperationsService: Starting command with id 1
         1713099631.041 26467 26634 D NetworkUtils: Searching known-servers store at /data/user/0/com.nextcloud.client/files/knownServers.bks
         1713099631.045 26467 26634 D OwnCloudClient #0: Creating OwnCloudClient
         1713099631.045 26467 26634 D AccountUtils: Restoring cookies for null
         1713099631.050 26467 26634 D OwnCloudClient #0: REQUEST GET /status.php
         1713099631.052 26467 26634 D AdvancedSslSocketFactory: Creating SSL Socket with remote spi**.**:443, local null:0, params: org.apache.commons.httpclient.params.HttpConnectionParams@fec5c20
         1713099631.052 26467 26634 D AdvancedSslSocketFactory:  ... with connection timeout 50000 and socket timeout 50000
         1713099631.249 26467 26634 D TrafficStats: tagSocket(122) with statsTag=0xffffffff, statsUid=-1
         1713099631.250 26467 26634 I ServerNameIndicator: SSLSocket implementation: com.google.android.gms.org.conscrypt.Java8FileDescriptorSocket
         1713099631.252 26467 26634 I ServerNameIndicator: SNI done, hostname: spi**.**
         1713099631.432 26467 26634 V NativeCrypto: Read error: ssl=0x500d93f5180f148: Failure in SSL library, usually a protocol error
         1713099631.432 26467 26634 V NativeCrypto: error:1000045c:SSL routines:OPENSSL_internal:TLSV1_ALERT_CERTIFICATE_REQUIRED (third_party/openssl/boringssl/src/ssl/tls_record.cc:592 0x300d8e96a9b4730:0x00000003)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: Connection check at https://spi**.**: SSL exception
         1713099631.438 26467 26634 E GetStatusRemoteOperation: javax.net.ssl.SSLProtocolException: Read error: ssl=0x500d93f5180f148: Failure in SSL library, usually a protocol error
         1713099631.438 26467 26634 E GetStatusRemoteOperation: error:1000045c:SSL routines:OPENSSL_internal:TLSV1_ALERT_CERTIFICATE_REQUIRED (third_party/openssl/boringssl/src/ssl/tls_record.cc:592 0x300d8e96a9b4730:0x00000003)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at com.google.android.gms.org.conscrypt.NativeCrypto.SSL_read(Native Method)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at com.google.android.gms.org.conscrypt.NativeSsl.read(:com.google.android.gms@[email protected] (190408-623887440):34)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at com.google.android.gms.org.conscrypt.ConscryptFileDescriptorSocket$SSLInputStream.read(:com.google.android.gms@[email protected] (190408-623887440):11)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at java.io.BufferedInputStream.fill(BufferedInputStream.java:239)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at java.io.BufferedInputStream.read(BufferedInputStream.java:258)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1116)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1413)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1973)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1735)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1098)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at com.owncloud.android.lib.common.OwnCloudClient.executeMethod(OwnCloudClient.java:197)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at com.owncloud.android.lib.common.OwnCloudClient.executeMethod(OwnCloudClient.java:166)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at com.owncloud.android.lib.resources.status.GetStatusRemoteOperation.tryConnection(GetStatusRemoteOperation.java:89)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at com.owncloud.android.lib.resources.status.GetStatusRemoteOperation.run(GetStatusRemoteOperation.java:200)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at com.owncloud.android.lib.common.operations.RemoteOperation.execute(RemoteOperation.java:205)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at com.owncloud.android.operations.GetServerInfoOperation.run(GetServerInfoOperation.java:80)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at com.owncloud.android.lib.common.operations.RemoteOperation.execute(RemoteOperation.java:205)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at com.owncloud.android.services.OperationsService$ServiceHandler.nextOperation(OperationsService.java:446)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at com.owncloud.android.services.OperationsService$ServiceHandler.handleMessage(OperationsService.java:411)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at android.os.Handler.dispatchMessage(Handler.java:107)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at android.os.Looper.loopOnce(Looper.java:232)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at android.os.Looper.loop(Looper.java:317)
         1713099631.438 26467 26634 E GetStatusRemoteOperation: 	at android.os.HandlerThread.run(HandlerThread.java:68)
         1713099631.439 26467 26634 D OperationsService: Called 1 listeners
         1713099631.439 26467 26634 D OperationsService: Stopping after command with id 1
--------- switch to events
         1713099632.446 26467 26467 I wm_on_top_resumed_lost_called: [Token=47513975,Component Name=com.owncloud.android.authentication.AuthenticatorActivity,Reason=topStateChangedWhenResumed]
--------- switch to main
         1713099634.431 26467 26467 D AuthenticatorActivity: onPause() ending
--------- switch to events
         1713099634.431 26467 26467 I wm_on_paused_called: [Token=47513975,Component Name=com.owncloud.android.authentication.AuthenticatorActivity,Reason=performPause,time=49ms]
--------- switch to main
         1713099634.806 26467 26467 D VRI[AuthenticatorActivity]: visibilityChanged oldVisibility=true newVisibility=false
         1713099634.826 26467 26467 D VRI[AuthenticatorActivity]: Not drawing due to not visible
         1713099634.828 26467 26467 D AuthenticatorActivity: onStop() ending
--------- switch to events
         1713099634.829 26467 26467 I wm_on_stop_called: [Token=47513975,Component Name=com.owncloud.android.authentication.AuthenticatorActivity,Reason=STOP_ACTIVITY_ITEM,time=0ms]
--------- switch to main
         1713099634.829 26467 26467 D AuthenticatorActivity: onSaveInstanceState(Bundle) starting
         1713099634.852 26467 26467 W WindowOnBackDispatcher: sendCancelIfRunning: isInProgress=falsecallback=ImeCallback=ImeOnBackInvokedCallback@50533548 Callback=android.window.IOnBackInvokedCallback$Stub$Proxy@92fae7c
--------- switch to events
         1713099634.875 26467 26911 I jank_cuj_events_begin_request: [CUJ Type=81,Unix Time Ns=1713099634875010s,Elapsed Time Ns=18348256429.022s,Uptime Ns=5598060867.113s,Tag=1@[email protected]]
--------- switch to main
         1713099634.877 26467 26467 I ImeTracker: com.android.settings:92ee81a1: onCancelled at PHASE_CLIENT_ANIMATION_CANCEL
         1713099634.878 26467 26467 I ImeTracker: com.nextcloud.client:4dd43ea2: onRequestHide at ORIGIN_CLIENT_HIDE_SOFT_INPUT reason HIDE_SOFT_INPUT_BY_INSETS_API
         1713099634.878 26467 26467 I ImeTracker: com.nextcloud.client:4dd43ea2: onFailed at PHASE_CLIENT_VIEW_SERVED
--------- switch to events
         1713099634.881 26467 26911 I jank_cuj_events_cancel_request: [CUJ Type=81,Unix Time Ns=1713099634881353s,Elapsed Time Ns=18348262771.47s,Uptime Time Ns=5598067209.642s]
         1713099634.881 26467 26911 I jank_cuj_events_end_request: [CUJ Type=81,Unix Time Ns=1713099634881423s,Elapsed Time Ns=18348262838.121s,Uptime Time Ns=5598067276.048s]
--------- switch to main
         1713099635.083 26467 26467 D MainApp : APP IN BACKGROUND

Server error logs

pproxy       | [2024-04-14T13:00:32.301808Z ERROR pingora_core::services::listening] Downstream handshake error  TLSHandshakeFailure context: TLS accept() failed: error:0A0000C7:SSL routines:tls_process_client_certificate:peer did not return a certificate:ssl/statem/statem_srvr.c:3725:

Additional information

No response

@DimanNe DimanNe added the bug label Apr 14, 2024
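
The two error strings in the logs above describe the same failed handshake from opposite ends. The following is an added example, not part of the original issue or of the Nextcloud code base: it parses OpenSSL/BoringSSL error-queue text and correlates the client and server lines. The sample lines are abridged from the logs above, and the function names and the result labels are assumptions made for this sketch.

```python
import re

# OpenSSL/BoringSSL error-queue text has the shape
#   error:<8 hex digits>:<library>:<function>:<reason>[ (file:line) | :file:line:]
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):"
    r"(?P<func>[^:]+):(?P<reason>[^:(]+)")

ALERT_OFFSET = 1000         # SSL_AD_REASON_OFFSET: reason = 1000 + received alert
CERTIFICATE_REQUIRED = 116  # TLS 1.3 certificate_required alert (RFC 8446)

def parse_ssl_error(line):
    """Return the error-queue fields found in a log line, or None."""
    m = ERR_RE.search(line)
    if not m:
        return None
    # The low 12 bits are enough to recover the reason for both codes seen here.
    reason_num = int(m["code"], 16) & 0xFFF
    alert = reason_num - ALERT_OFFSET if reason_num >= ALERT_OFFSET else None
    return {"code": m["code"].lower(), "function": m["func"],
            "reason": m["reason"].strip(), "alert": alert}

def diagnose(lines):
    """Decide whether mixed client/server logs show a missing client certificate."""
    client_alert = server_no_cert = False
    for line in lines:
        err = parse_ssl_error(line)
        if err is None:
            continue
        if err["alert"] == CERTIFICATE_REQUIRED:
            client_alert = True      # client was told a certificate is required
        if err["reason"].lower() == "peer did not return a certificate":
            server_no_cert = True    # server saw an empty Certificate message
    if client_alert and server_no_cert:
        return "mtls-client-cert-missing (confirmed on both sides)"
    if client_alert or server_no_cert:
        return "mtls-client-cert-missing (one side only)"
    return "no-mtls-failure-found"

# Constructed sample: abridged from the Android and pingora logs in this issue.
SAMPLE = [
    "V NativeCrypto: error:1000045c:SSL routines:OPENSSL_internal:"
    "TLSV1_ALERT_CERTIFICATE_REQUIRED (ssl/tls_record.cc:592)",
    "D OwnCloudClient #0: REQUEST GET /status.php",
    "TLS accept() failed: error:0A0000C7:SSL routines:tls_process_client_certificate:"
    "peer did not return a certificate:ssl/statem/statem_srvr.c:3725:",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```
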
@AndyScherzinger
Member

@DimanNe this feature is scheduled to ship with 3.29.0 (you could test out a daily build via F-Droid) - #603

@DimanNe
Author

DimanNe commented Apr 15, 2024

@AndyScherzinger Fabulous! Thanks!

@DimanNe DimanNe closed this as completed Apr 16, 2024