
🔑 Use SSL Client Certificate to improve security #847

Closed
Heracles31 opened this issue Apr 28, 2019 · 55 comments · Fixed by #2908

Comments

@Heracles31

Expected behaviour

Option to configure a Nextcloud account to include an SSL User's Private Key and Certificate to connect to the server.

The use of an SSL Client certificate greatly improves the security. It protects the SSL connection against SSL decryptors deployed here and there and many other threats. It also improves the security in the mobile device by moving the private key to a memory space where nothing can touch it.

As a first step, it should be easy to add this as an extra option to account but still require the password or the access token. In a further release, it would be possible to use the certificate as the only authentication but that requires more effort and more config in the SSL engine facing the Nextcloud service as well as in the Nextcloud config itself to map certificates names to usernames.

Actual behaviour

To use such a client side certificate is not an option as of now

Steps to reproduce

N/A

iOS version

N/A

App version

Latest

Server configuration

N/A

Operating system:
N/A

Web server:
N/A

Database:
 N/A

PHP version:
N/A

Nextcloud version: (see Nextcloud admin page)
 N/A

@thecoindalorian

+1
Yeah, I'd like to have that too.

@cecom

cecom commented Jun 3, 2019

+1 😁

@fhoner

fhoner commented Oct 19, 2019

+1

@renini

renini commented Jan 31, 2020

This would definitely be a great option to improve security.

@binlab

binlab commented Apr 7, 2020

A TLS client certificate is a powerful feature to improve security and add an additional factor to it.

@alexswerner

+1 here.
I tried and added my client certificate to the iOS certificate store, but this does not seem to be sufficient. After adding the certificate, Safari can access the server, but the Nextcloud client reports:
"Connection error: The network connection was lost." Without the client certificate this setup works.

@pellaeon

According to Apple documentation, apps have to write their own code to import SSL client certificates. It also outlines how to implement the feature. Hope to see support for this.

@boombata

+1
Would be very nice to have this feature for iOS (also for the Android and Windows clients :) )

@tdotu

tdotu commented Feb 12, 2021

+1

@lfdla

lfdla commented Feb 14, 2021

+1

@aniqueta

aniqueta commented Mar 4, 2021

Came here searching for this, and so adding another vote. I know this is sadly a problem with iOS and Apple's design decision to not allow apps to access the system keychain. Appreciate any time spent on a workaround.

@binlab

binlab commented Mar 4, 2021

@marinofaggiana could you please look at this issue? There are a lot of votes for this. This possibility is already implemented in the Nextcloud Desktop Client and provides a considerable, enterprise-level amount of additional security; it also prevents brute-force attacks against the Nextcloud endpoint at the application level and provides protected access at the network level. Nowadays, the alternative solution for providing the same level of security is a VPN tunnel (such as OpenVPN with certificate-based access), which is much less convenient on mobile devices.

@jogalt

jogalt commented Apr 20, 2021

Ditto to this request. Multi-factor auth with a trusted PKI is the only great way to bump security exponentially.

@marinofaggiana
Member

marinofaggiana commented May 13, 2021

Hi all, I'm doing some tests in development. Who wants to participate?

@jogalt

jogalt commented May 13, 2021

I'm in.

@marinofaggiana
Member

The first point is:

1. You install the certificate for the host abc.com (the certificate must be in DER format).
2. When the host's certificate changes (renewal or otherwise), is it mandatory to install a new certificate, or is it possible to trust the new certificate via a prompt?

m.

@jogalt

jogalt commented May 14, 2021

Can you clarify what you're hoping to accomplish? I've previously installed a functional client certificate on my iPhone and validated that it works by accessing my Nextcloud instance via Safari.

I installed it by pushing the certificate with Apple Configurator in a p12 format.

On the host, I set the SSLVerifyClient (Apache2 config) to the correct depth and chose the correct CAs to validate against.

@marinofaggiana
Member

Hi @jogalt, yes, you have installed a root certificate, but I don't have any control over that. I only have control when a URLAuthenticationChallenge happens, so for that I can use a copy of the certificate to compare during the handshake.

What else?
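
The two comments above (@pellaeon: apps must import their own client certificates; @marinofaggiana: the app only gets control when a URLAuthenticationChallenge fires) describe what an iOS client has to do for mTLS. The following is an added illustration written for this thread, not code from the Nextcloud iOS app or from Alamofire: it imports a PKCS#12 bundle with SecPKCS12Import and answers the NSURLAuthenticationMethodClientCertificate challenge from a plain URLSession delegate. The file path, password and host in the usage comment are placeholders.

```swift
import Foundation
import Security

/// Result of importing a PKCS#12 bundle: the identity (private key + leaf
/// certificate) plus any intermediate certificates the bundle carried.
struct ClientIdentity {
    let identity: SecIdentity
    let chain: [SecCertificate]
}

/// Imports a PKCS#12 (.p12/.pfx) blob with SecPKCS12Import. The bundle has to
/// be handed to the app itself: an identity installed through Settings or
/// Apple Configurator lands in the system keychain, which third-party apps
/// cannot read, so Safari can use it but URLSession inside the app cannot.
func importClientIdentity(p12: Data, password: String) -> ClientIdentity? {
    let options = [kSecImportExportPassphrase as String: password] as CFDictionary
    var rawItems: CFArray?
    let status = SecPKCS12Import(p12 as CFData, options, &rawItems)
    guard status == errSecSuccess,
          let items = rawItems as? [[String: Any]],
          let first = items.first,
          let identityRef = first[kSecImportItemIdentity as String] else {
        return nil   // wrong password, corrupt bundle, or no identity inside
    }
    // SecIdentity is a CF type; the dictionary value arrives bridged as Any.
    let identity = identityRef as! SecIdentity
    let chain = first[kSecImportItemCertChain as String] as? [SecCertificate] ?? []
    return ClientIdentity(identity: identity, chain: chain)
}

/// URLSession delegate that answers the TLS client-certificate challenge.
/// Server-trust challenges are left to the system so the server's public CA
/// certificate (e.g. Let's Encrypt) is still validated normally.
final class MutualTLSDelegate: NSObject, URLSessionDelegate {
    private let client: ClientIdentity

    init(client: ClientIdentity) {
        self.client = client
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        switch challenge.protectionSpace.authenticationMethod {
        case NSURLAuthenticationMethodClientCertificate:
            // The server (Apache with SSLVerifyClient, or an mTLS rule in front of
            // it) sent a CertificateRequest. Without this branch the session
            // answers with no certificate and the handshake fails or gets blocked.
            let credential = URLCredential(identity: client.identity,
                                           certificates: client.chain,
                                           persistence: .forSession)
            completionHandler(.useCredential, credential)
        case NSURLAuthenticationMethodServerTrust:
            // Keep default chain validation; never disable it to "make mTLS work".
            completionHandler(.performDefaultHandling, nil)
        default:
            // HTTP Basic / app-password auth for the Nextcloud account is unchanged.
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// Usage (path, password and host are placeholders for this example):
// let p12 = try Data(contentsOf: URL(fileURLWithPath: "/path/to/client1.pfx"))
// guard let client = importClientIdentity(p12: p12, password: "<p12-password>") else {
//     fatalError("PKCS#12 import failed")
// }
// let session = URLSession(configuration: .default,
//                          delegate: MutualTLSDelegate(client: client),
//                          delegateQueue: nil)
// session.dataTask(with: URL(string: "https://nextcloud.example/status.php")!) { _, response, error in
//     print(response ?? error ?? "no response")
// }.resume()
```

The design point is the split between the two challenge types: the client-certificate branch supplies the identity, while the server-trust branch keeps the normal validation so adding mTLS never weakens checking of the server's own certificate. Importing from PKCS#12 rather than relying on the system keychain is what Apple's sandboxing forces on third-party apps, which is why a certificate that works in Safari does nothing for the app.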

@Heracles31
Author

Hi,

Of course, I am all in too :-)

Both my public and private instances use a Let's Encrypt certificate on the server side. The client-side certificate is optional when connecting to the public instance (cloud . jblan . org) but required for the private one (jb-cloud . jblan . org). They must be from my private CA.

You can PM me with a temporary password and I will provide you with a private key and certificate, as well as an account on my servers.

Should you need me to connect to your server for testing, just provide me with the info and access material and I will be pleased to assist you.

Thanks in advance,

@aniqueta

aniqueta commented May 14, 2021

I'm happy and interested to test too. Thanks!

@jogalt

jogalt commented May 14, 2021

@marinofaggiana My instance is not public facing and sits behind several firewalls. I defer to @Heracles31 for additional support on this.

@binlab

binlab commented May 15, 2021

@marinofaggiana I will be glad to take part in testing this functionality. Thank you!

@matty67

matty67 commented Jul 24, 2021

@marinofaggiana I would like to test it too.

@JensInc

JensInc commented Jul 30, 2021

Sorry if this is already in this feature request:

In addition to an SSL client certificate requesting function inside Nextcloud, I would be interested in a function to request it only for certain user groups.

Using the Registration App one is able to provide user self-registration. This is fine for internal users when Nextcloud is e.g. protected by a web server which requests an SSL client certificate. But for guests this is not fine, as there I want to use the Nextcloud internal invitation and not send (special) client certificates to the guests.
This functionality I cannot manage e.g. in Apache.

@SeaniedIRE

+1 for this feature request. I was hoping Cloudflare Teams could protect the app, but it seems cert auth is the only way to go.

@escapechen

Surprised this mTLS feature still does not get the attention it deserves. It would easily reduce the attack surface on Nextcloud installations by 99%.

Would happily join/support any beta test on multiple devices/servers.

@Niklasschoenb

+1
This would really improve the security of my Nextcloud server a lot and make Nextcloud an option for many enterprise environments.

@igomezl

igomezl commented Apr 17, 2022

+1. Having at least the capability to authenticate the user using a client certificate in the mobile app would be a good starting point. mTLS is being widely adopted, I wonder why Nextcloud is not following this recommendation.

@mkofahl

mkofahl commented Jun 12, 2022

+1
Prevents client platform switching to iOS.

@bambigoreng

+1

@Torqu3Wr3nch

Torqu3Wr3nch commented Nov 22, 2022

> +1 Would be very nice to have this feature for iOS (also for the Android and Windows clients :) )

So Windows desktop does have this. But agreed, would be nice to see this on any mobile client (besides Talk which does have it apparently). Adding Android issue for reference: nextcloud/android#603

@andreas1288

+1 this would be a very important security enhancement

@gitwittidbit

+1
This is the no. 1 security feature!
Is it at least on the roadmap? Does anybody know? Any public communication from Nextcloud on this?

@windfail

+1

@JonasPertschy

+1

@leranp

leranp commented Sep 6, 2023

+1

@wojciszpl

+1

@yjiang-c

yjiang-c commented Nov 2, 2023

It seems that the Nextcloud Android app has a PR and could have this feature in the next version. I definitely wish for this feature in the iOS version.

@gitwittidbit

Woohoo, big step in the right direction. I would love to see this in all clients.

@ne20002

ne20002 commented Nov 21, 2023

Do we have any news on this? I really would love to see proper mTLS support on the client apps.

@r01k

r01k commented Dec 26, 2023

Incredible that this has not been implemented after 4 and a half years.

@AndyScherzinger AndyScherzinger changed the title Use SSL Client Certificate to improve security 🔑 Use SSL Client Certificate to improve security Jan 18, 2024
@WinkelB

WinkelB commented Feb 28, 2024

Perhaps a quick bump is needed for mTLS integration, as it could be the security feature to prioritize. Especially with the aim to venture further into the enterprise segment, it often serves as a decisive argument for my customers.

@edgecase14

Here is how PHP works with TLS client certificate authentication under Apache 2.

Apache 2 config directives:

    SSLCACertificateFile my-ca-cert.pem
    SSLVerifyClient require/optional
    SSLVerifyDepth  10
    SSLUserName SSL_CLIENT_SAN_Email_0

or, if using Active Directory:

    SSLUserName SSL_CLIENT_SAN_OTHER_msUPN_0

This in turn gives PHP under apache2-mod-php a variable:

    $_SERVER['REMOTE_USER']

Alternatively, the Apache 2 config:

    SSLOptions +StdEnvVars

gives in PHP

    $_SERVER['SSL_CLIENT_VERIFY']

and the various other SSL_ variables.

@mpivchev
Collaborator

This has been implemented in #2908.

@marinofaggiana
Member

To test it:
https://testflight.apple.com/join/RXEJbWj9

@WinkelB

WinkelB commented Jun 25, 2024

I tested it and it didn't work.

BTW, it's the same error with the previous app version.

I can install and use the certificate in the iOS store with the password, so this should work.

That's the command to create the .pfx file:
winpty openssl pkcs12 -export -in client1.pem -inkey client1.key -out client1.pfx -legacy -descert

I can access the website when using Safari and the certificate in the iOS store.

I'm using Cloudflare, and this was the block on the WAF:


@mpivchev
Collaborator

@WinkelB The error you are getting does not seem related to the certificate, it seems like a permission error.

@WinkelB

WinkelB commented Jun 25, 2024

That's the blocking via the Cloudflare WAF if the application isn't providing a valid certificate.

If using a valid certificate, everything works.

@mpivchev
Collaborator

mpivchev commented Jun 25, 2024

It may be because Cloudflare is using mTLS, and only regular TLS seems to be supported by Alamofire.

@WinkelB

WinkelB commented Jun 25, 2024

Yes, that's correct; I assume mTLS is what's being referred to as it's often mentioned here. It's quite unfortunate because mTLS is an enterprise standard. Moreover, both the website and the Windows desktop client support mTLS.

@marinofaggiana
Member

@mpivchev @windfail where would the difference be between mTLS with Cloudflare and mTLS without Cloudflare?
