🔑 Support for client certificates #603
Hello mlsxlist, if this is of any use to the case, there is an open issue about this over at the owncloud github site: Best wishes
Okay thanks! In some way this also enhances security. ;)
@tobiasKaminsky let me think about it, and I'll come back to you - we need to focus on fixing current issues first to make the app (more) usable than it is now - though definitely this is something we want to do in the future.
I would also very much like to see this, because it protects from potential issues with the login page as well as weak passwords and password guessing attacks.
Any news on this? This is a very important enhancement!
@mario let me know if you still need a test setup with client certificates enabled. In the meantime I will try to look into this (I haven't worked on Android apps yet, but I can find my way around in PHP/Java/Python so I will give it a try)
@AndreasMettlen yes I do. Send me the required cert + URL, server and pass to [email protected] :)
@mario Did you have a chance yet to look into this?
@mario Did the second certificate and the Talk app help you in making progress on this issue?
@AndreasMettlen I implemented the initial support for client cert in Talk app. Now I need to validate it works, which is why I asked for the second one. I'll try to do that on Friday. If it works, I can see how easy/hard it is to put it into the Files (this) app.
Hi, AuthenticatorActivity
Then it uses the cert to initialize the SslSocketFactory: NetworkUtils (nextcloud-android-library)
That's a big paste-up of various articles and posts that I've read to try to solve the problem... unfortunately I can't remember all of them. Hope it helps.
@mbrescia feel free to start a patch, and I can help? In the meantime, maybe you can try Nextcloud Talk v1.2.0beta? Same for you @AndreasMettlen ^_^
Hello @mario I have Android 8.1.0
@ClCfe can you file a bug here, preferably with a stacktrace?
This change adds support for configurations where the webserver requests a client certificate, e.g. via the nginx configuration options ssl_client_certificate and ssl_verify_client. The client certificate handling is done via InteractiveKeyManager, which prompts for a client certificate from a file or the device's keystore. This change is NOT about client certificate authentication to the Nextcloud server instance. The regular authentication mechanisms will be used as soon as the communication on TLS level is established. The change addresses ticket nextcloud#603, while not being a generic solution IMO.
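As an added illustration of the mechanism the comment above describes (a key manager that hands the TLS stack a certificate from the device keystore), here is a minimal X509KeyManager backed by the Android KeyChain API. This is example code, not the InteractiveKeyManager from the patch or anything from the Nextcloud app or android-library; the class name KeyChainClientKeyManager and the helper socketFactory are the example's own, and it assumes the user has already picked an alias through KeyChain.choosePrivateKeyAlias().

```java
// Added example (not code from the Nextcloud app or android-library): an
// X509KeyManager backed by the Android KeyChain. The private key never leaves
// the device keystore; the manager only presents the chosen certificate chain
// when the server sends a CertificateRequest during the TLS handshake.
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyChainException;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509KeyManager;

public final class KeyChainClientKeyManager implements X509KeyManager {
    private final String alias;            // alias chosen by the user in the KeyChain UI
    private final X509Certificate[] chain; // certificate chain for that alias
    private final PrivateKey key;          // keystore-backed reference, not exportable

    // Must be called off the main thread: KeyChain.getPrivateKey() blocks.
    public KeyChainClientKeyManager(Context ctx, String alias)
            throws KeyChainException, InterruptedException {
        this.alias = alias;
        this.chain = KeyChain.getCertificateChain(ctx, alias);
        this.key = KeyChain.getPrivateKey(ctx, alias);
    }

    // Invoked by the TLS stack only if the server requested a client certificate.
    // A stricter manager would compare 'issuers' against the chain before answering.
    @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) { return alias; }
    @Override public X509Certificate[] getCertificateChain(String a) { return alias.equals(a) ? chain : null; }
    @Override public PrivateKey getPrivateKey(String a) { return alias.equals(a) ? key : null; }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] {alias}; }
    // This manager is client-side only; it never acts as a TLS server.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return null; }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }

    // Socket factory that presents the client certificate. Trust managers are left
    // null so the platform's default CA trust store keeps validating the server.
    public static SSLSocketFactory socketFactory(Context ctx, String alias) throws Exception {
        SSLContext ctxTls = SSLContext.getInstance("TLS");
        ctxTls.init(new KeyManager[] {new KeyChainClientKeyManager(ctx, alias)}, null, null);
        return ctxTls.getSocketFactory();
    }
}
```

Because the server-side check (ssl_verify_client) happens before any HTTP request is accepted, a connection built on this factory without a valid alias fails at the handshake rather than reaching the login page.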
@stephanritscher - Thanks, it worked - well worth the APK compilation time!!! The selection UI should really not be seen as a blocker if we consider the security value brought by this feature. @mario Is there any way to bring this to at least the 'dev' version?
If you want to help us integrate this feature, then please create a PR both on this app and on the library, so we can review and discuss it.
Initial registration fails for me too (after the workaround and registering, it connects fine). I was able to investigate a little bit: I tried to dig further (logcat) and this seems like a possible code place: android-library/library/src/main/java/com/owncloud/android/lib/resources/user/GetUserInfoRemoteOperation.java, public RemoteOperationResult run(NextcloudClient client) {
Looks like we have multiple commits from Stephan (thank you, by the way). @stephanritscher can you please issue a PR so we can get this implemented in the official Nextcloud Android client? It sounds like @tobiasKaminsky is onboard. I can't think of a more vitally significant piece of development for the Nextcloud community. Security of a file storage/synchronization platform is always highest priority. Thank you again for your work.
I rebased my repos and created PRs nextcloud/android-library#1005 and #11099 to start the discussion. I guess it might need some changes, but let's see. Sorry, but I might not be able to respond/incorporate changes quickly due to lack of time.
@AlvaroBrey in #11099 it was mentioned that there was an internal consensus. Just for reference, a major open source application in the IoT world has used a similar method:
As outlined in my original comment in 11099, we're just not comfortable using a third-party library for this purpose. It should all (logic, state and UI) be contained in our app or our library. Additionally it would be great if the solution could somewhat be aligned to the one Talk already uses, in hopes of a future reuse between apps. If you want to contribute but are unsure of the approach, feel free to open a draft PR and ping me, so I can guide you during the development and not just at the end of it :) |
Any news on the topic? Still not implemented but would be awesome to have! |
Done with Huge thanks to @Elv1zz who did 99,95% of the work 🎉 |
Any plan on adding it to release? |
It's planned to ship it with the next feature release 3.29 - scheduled for 24th April |
Actual behaviour
In order to secure Nextcloud on TLS level, it would be good if the app could support client certificates. If the client certificate is not sent on handshake, the server prevents access to Nextcloud logon page. This would provide a second line of defense.
Expected behaviour
Nextcloud app should support client certificates as other apps like caldav sync and carddav sync already do.