Closed mcmikemn closed 3 months ago
I don't understand why steps 2, 3, 4 need to happen. You should just need to do step 1 and in config allow the cert name.
Hmm, it sounded like it wants to register the cert in the webapp itself? That won't work then, because it's not transparent. You need to be able to register the cert in the client only, without needing to configure the ttrss server.
Anyway, it looks good the way it is.
> I don't understand why steps 2, 3, 4 need to happen. You should just need to do step 1 and in config allow the cert name.

You're most likely correct. Step-ca and mTLS are still a bit confusing to me.
I just realized that the TTRSS app itself may not need to know anything about the mTLS certs. I might be able to install the .p12 from step 1 into Android and make sure `TTRSS_MTLS_AUTHORIZED_CERTS=<client cert for my laptop>,<client cert for my android>`, and that might be all it takes.
That's what I'm thinking, this should be all you need. If not, open another issue.
Added mTLS to TTRSS and it works fine if you use TTRSS from its web UI. But if you use a client app (e.g., the official Tiny Tiny RSS for Android, or third party Android apps like TTRSS-Reader, Tiny Tiny Feed, Geekttrss), the client app can't connect to the TTRSS Server.
TTRSS does support SSL cert auth, but if that's going to allow client apps to access the TTRSS server via mTLS, installation of TTRSS might need to be something like:
1. `d make step-ca cert` to create the cert you want your android app to use
2. `d make ttrss config` would ask which cert in `step-ca/certs` you want to use
3. `d make ttrss install` would build container with `Dockerfile`: `sudo update-ca-certificates` in web-nginx container
4. `d make ttrss install` would shred the selected cert files (or maybe ask user first)
5. `d make ttrss open` and in TTRSS UI, go to Preferences and scroll to the bottom; under "Login with an SSL certificate" the "Register" button should now be available - click it, then Save configuration.

This PR is probably worth merging as-is, in case someone wants to use TTRSS strictly from its web UI and wants mTLS. But I don't think it's worth the effort of making mTLS work with TTRSS client apps. The official app has support for HTTP Basic Auth.