ZoneMinder / zmNinja

High performance, cross platform ionic app for Home/Commerical Security Surveillance using ZoneMinder
http://zmninja.zoneminder.com

evaluate what it takes to implement client certificates #3

Closed pliablepixels closed 6 years ago

pliablepixels commented 9 years ago

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

pliablepixels commented 9 years ago

Requested by Brandon @brandoncasaba

black98fxstc commented 8 years ago

I was looking at taking this on but it looks either simple or impossible. From what I can tell, changing

$http.get('some url') to $http({ method: "GET", url: "some url", withCredentials: (using client certificate) ? true : false }) will cause the container to handle it. If not, there doesn't seem to be another way without going down to the platform level. I've got the certificates working in Chrome but it's been years since I've done any JS development so I'm not tooled up.

pliablepixels commented 8 years ago

Unfortunately withCredentials doesn't work with client certs.

@dimaj and I have had a discussion on this, but I just haven't found time to dive into it. I've been working on other higher priority issues in zmNinja and my new pet project, oZone.

The proposed approach is this: 1) Start with https://github.com/zxyang/cordova-plugin-clientcertificate 2) Then modify this file: github.com/zxyang/cordova-plugin-clientcertificate/blob/master/src/android/ClientCertificate.java so that lines 59-61 are removed (in the onReceivedClientCertRequest method) and the execute method on line 82 follows this example to register all installed certificates on the device (http://stackoverflow.com/questions/4458046/listing-all-installed-certificates-on-android) (this was @dimaj's idea)

black98fxstc commented 8 years ago

Hmm, doesn't choosePrivateKeyAlias do all the work for you? OK, clear enough anyway and closer to home for me, if I can find the time.

pliablepixels commented 6 years ago

Is there a system I can try with client certs? I have some code I want to test.

brandoncasaba commented 6 years ago

I just use Chrome these days, but this would be a quick guide to set up a test environment with Apache: http://www.garex.net/apache/

stale[bot] commented 6 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

sbcdave commented 4 years ago

I was just looking for a way to setup zmNinja to use client certs and stumbled across this. Alternatively I have been looking for a way to have Apache only allow whitelist IPs, and to email me when a request comes in from something not on the whitelist, with a link that allows me to add them to the whitelist if I chose (so I can add my own cell phone when ever I need to). Client certs would be so much nicer though.

dimaj commented 4 years ago

I was recently playing with port knocking. If your goal is to secure access to your ZM server from external requests, you can install something like knockd and configure it to allow access to your ZM server only after a specific sequence of port connection attempts within a specific amount of time. When all rules are satisfied, you are granted access for a specific amount of time from your IP address (i.e. the address where the "knocking" came from).

sbcdave commented 4 years ago

Thanks, cool idea, but then I'd have to open more ports through my router and I'd still have to figure out a way to get zmNinja to do a complex knock sequence for me.

dimaj commented 4 years ago

Well, you can open up a port range to get into your knockd server. Knocking is done outside of zmNinja. There are knocking apps for Android, I'm sure iOS will have something too.

Also, the cool thing about port knocking is that even though you will be passing a port range through, those ports are still closed as nothing is being served on them. Your firewall software, or knockd, is going to register that a connection attempt was made to this closed port and if the sequence of those attempts is correct, a new firewall rule will be added to allow your IP to access the port of your choosing (which is also closed to others who have not completed the secret knock sequence).

Kilonga commented 4 years ago

I have ZoneMinder working through a reverse proxy (nginx) and using client certificates issued by my private CA. This works well when using a browser where I can install the client certificate but zmNinja doesn't have an option to include a certificate for authentication. I think this gives a lot of extra security to the setup and would be very useful to have.
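A reverse-proxy setup of the kind described above, as an added example that is not configuration from this thread or from the zmNinja project: an nginx server block that refuses any TLS handshake without a certificate signed by a private CA before proxying to ZoneMinder. The hostname, file paths, CA and CRL names, and the upstream address 127.0.0.1:8080 are assumptions.

```nginx
# Added example (not from the issue or from zmNinja): nginx in front of
# ZoneMinder requiring a client certificate issued by a private CA.
# Hostname, paths and the upstream address are assumptions.

server {
    listen 443 ssl;
    server_name zm.example.internal;                    # assumed hostname

    ssl_certificate     /etc/nginx/tls/zm.crt;          # server cert (assumed path)
    ssl_certificate_key /etc/nginx/tls/zm.key;

    # Trust anchor for client certs: the private CA's certificate (assumed path).
    ssl_client_certificate /etc/nginx/tls/private-ca.crt;
    # Weak setting to avoid: "ssl_verify_client optional;" lets requests with
    # no certificate reach the backend unless it checks $ssl_client_verify.
    # "on" makes nginx reject the handshake itself when no valid cert is sent.
    ssl_verify_client on;
    ssl_verify_depth 2;                                 # allows one intermediate CA
    # Revocation: a lost phone's certificate stays valid until expiry unless
    # the CA publishes a CRL and nginx loads it (assumed path).
    ssl_crl /etc/nginx/tls/private-ca.crl;

    location / {
        proxy_pass http://127.0.0.1:8080;               # ZoneMinder's Apache (assumed)
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        # Hand the authenticated subject DN to the backend for access logging.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}

# Plain-HTTP listener: redirect only, never proxy to ZoneMinder without mTLS.
server {
    listen 80;
    server_name zm.example.internal;
    return 301 https://$host$request_uri;
}
```

A browser with the client certificate installed authenticates against this as the comment describes; zmNinja, per the thread, has no way to present one, so it is rejected at the handshake rather than reaching ZoneMinder's login.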