deptofdefense / AndroidTacticalAssaultKit-CIV


SSL Issues with the Data Package Server #53

Open tkuester opened 3 years ago

tkuester commented 3 years ago

I am the author of taky, a small experimental Python server for ATAK. I have successfully set up SSL connections between ATAK and the server, both for the COT server (port 8089 and the "Client Certificate") and the Marti endpoints (port 8443 and the "Trust Store").

While the COT Server requires client certificates, the Marti endpoints do not. This makes it difficult to secure a public TAK server, as anyone can execute requests. (For example, an anonymous user could query for uploaded data packages.) Additionally, it makes it difficult to verify which client uploaded the files. A user can claim they are "JENNY", but without the client certificate that claim is baseless.

As an aside, it appears that ATAK and the Marti endpoints actually support indicating which client certificate uploaded the file, in MissionPackageQueryResult.java#L37.

On ATAK 4.2.1.7 (b8b47239), when I require client certificates on the server side, I get an SSL error: TLSV1_ALERT_UNKNOWN_CA. This seems rather confusing, as ATAK seemed to be perfectly happy with the server certificate when there was no check for client certs. I tried installing the CA to the Android system, and that did not seem to help. (Regrettably, I am not very experienced with Android, so I may have made a mistake.)

One thing I have not checked is to see if ATAK is actually sending the client certificate using VerifyMode.CERT_OPTIONAL -- so I will try to get back to this issue with more information. If it would be helpful, I can also set up a sample server and client certificates for you to connect to, or attempt to submit a debug log.

To summarize the issue:
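Added example, not part of the issue thread and not code from taky or ATAK: the server-side shape of the fix the comment above argues for. It builds a Python `ssl` context for the Marti-style HTTPS endpoint with `CERT_REQUIRED` (so an anonymous client cannot even complete the handshake, in contrast to `CERT_OPTIONAL`), and it attributes an upload to the commonName of the verified client certificate instead of trusting a callsign carried in the request. The certificate and CA file paths are hypothetical parameters; the certificate dicts are constructed in the shape `SSLSocket.getpeercert()` returns, and the callsign "JENNY" is the one used in the comment.

```python
import ssl
from typing import Optional, Tuple


def make_server_context(cert_path: Optional[str] = None,
                        key_path: Optional[str] = None,
                        ca_path: Optional[str] = None,
                        require_client_cert: bool = True) -> ssl.SSLContext:
    """Build a TLS server context for the HTTPS (Marti-style) endpoint.

    cert_path, key_path and ca_path are hypothetical file locations. When they
    are None nothing is loaded, so the function can be exercised without a PKI
    on disk; a real deployment passes all three.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_path and key_path:
        ctx.load_cert_chain(cert_path, key_path)
    if ca_path:
        # Only client certificates chaining to this CA are accepted.
        ctx.load_verify_locations(cafile=ca_path)
    # CERT_REQUIRED aborts the handshake when the client presents no
    # certificate (or one the loaded CA did not sign). CERT_OPTIONAL lets a
    # client with no certificate through, which is the weakness the comment
    # describes for the Marti endpoints.
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    return ctx


def peer_identity(peer_cert: Optional[dict]) -> Optional[str]:
    """Return the subject commonName of a certificate dict in the shape
    returned by ssl.SSLSocket.getpeercert(), or None when there is no
    (verified) certificate."""
    if not peer_cert:
        return None
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def attribute_upload(peer_cert: Optional[dict],
                     claimed_uid: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Decide who is recorded as the uploader of a data package.

    Returns (accepted, uploader). The identity comes from the client
    certificate; a callsign claimed in the request is accepted only when it
    matches the certificate, and an upload with no certificate is refused.
    """
    cn = peer_identity(peer_cert)
    if cn is None:
        return False, None
    if claimed_uid is not None and claimed_uid != cn:
        # The claim does not match the attested identity: refuse, but report
        # who actually made the request so the attempt can be logged.
        return False, cn
    return True, cn


# Constructed sample certificate dicts (not real certificates).
CERT_JENNY = {
    "subject": ((("commonName", "JENNY"),),),
    "issuer": ((("commonName", "Example TAK CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
CERT_NO_CN = {
    "subject": ((("organizationName", "Example Unit"),),),
}


if __name__ == "__main__":
    ctx = make_server_context()
    print("server verify_mode:", ctx.verify_mode.name)
    for cert, claim in [(CERT_JENNY, "JENNY"), (CERT_JENNY, "BOB"),
                        (CERT_NO_CN, "JENNY"), (None, "JENNY")]:
        print(claim, "->", attribute_upload(cert, claim))
```

In a live server the `peer_cert` argument is what `conn.getpeercert()` returns after the handshake on a socket wrapped with this context; with `CERT_REQUIRED` that dict is never empty for a connection that got as far as sending a request. Note that the same context object is not reused for the CoT port, which already demands client certificates, so the two listeners can be tightened independently.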

tkuester commented 3 years ago

I spoke with @zeus82 regarding his pull request, and they believe this may be related to the issue.