jellyfin-archive / jellyfin-android-original

Android Client for Jellyfin
https://jellyfin.org
GNU General Public License v2.0

Android mobile app can't connect to https using client certs #285

Closed stephankellermayr closed 4 years ago

stephankellermayr commented 4 years ago

Describe the bug To push the common problems with self-signed certificates a step further, it is not possible to use self-signed client certificates for device-specific authentication. A CA certificate can be imported/trusted if you have root access to the Android device, and if you do that, the jellyfin-app accepts those HTTPS connections without any problems, as other apps do.

But if you use a self-signed client certificate (issued and signed by the same CA), the jellyfin-app refuses to connect without any further information. Other apps ask for the client certificate password and connect exactly as expected.

In this specific situation I want to allow only specific devices to connect to Jellyfin to improve overall security. Jellyfin runs on a Raspberry Pi 4 in the local network, which allows unencrypted connections inside this network. To allow connections from outside, another web server with nginx operates as a proxy. Connections from the internet are only available through HTTPS, and connecting devices should be authenticated by a client certificate.

To Reproduce

  1. Copy your own CA to /system/etc/security/cacerts/ to allow secure connections
  2. Import a self signed client certificate in PFX-format
  3. Attempt to add a jellyfin-server to the mobile app with the https:// prefix

Expected behavior The app should connect or at least should show a meaningful message!

System
OS: Android (multiple versions)
Jellyfin Version: 0.9.9
Reverse proxy: nginx (with option ssl_client_certificate)

anthonylavado commented 4 years ago

See https://github.com/jellyfin/jellyfin-android/issues/193 for more information. tl;dr - Allowing self-signed certs requires modifying a part of the underlying Cordova framework, which is not recommended in production. As a result, it's not supported with this app.

stephankellermayr commented 4 years ago

Hi @anthonylavado , any news regarding this issue? Could you solve the problem?

anthonylavado commented 4 years ago

No, sorry, we cannot solve this problem at this time, with the framework that this app is built on. I’m not certain if we can display an error message. I’d have to defer to the other developers on that.

If you’d like to use self-signed certificates, you’d have to make a custom build for yourself with the necessary changes. Otherwise, you can always use a certificate signed from an established CA (such as Let’s Encrypt), or use a VPN connection back to your server (this is what I do).

stephankellermayr commented 4 years ago

OK, I fully understand that, but you know that this issue focuses on "Client Certificates" (which is not the same as "Self-Signed Certificates")? It's definitely not the same problem with the underlying framework you are talking about, because if you import your own CA into Android, all your self-signed certificates are accepted by Jellyfin too. The problem occurs only if you want to use "Client Certificates". So I think that this issue should be reopened so that someone (?) can work on it, or at least can see that there are issues with that.

stephankellermayr commented 4 years ago

Sorry, I am not that familiar with Jellyfin's code yet to solve the problem, but if it helps, I could provide bash scripts to generate those certificates for testing purposes.

PrplHaz4 commented 4 years ago

I think using client certs for authentication would require at minimum some configuration changes in kestrel: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/certauth?view=aspnetcore-3.1#configure-your-host-to-require-certificates

stephankellermayr commented 4 years ago

Thanks @PrplHaz4 for the hint, you are completely right, this part belongs to Kestrel and needs to be fixed there as far as I can see at first glance. Sorry @anthonylavado, I didn't know the structure that all those Jellyfin applications are built on (that's not well documented, btw, and you have to read through all the projects first), and I first thought it was part of the Android app. ... but it would be nice if you could give more information next time for other motivated developers.

anthonylavado commented 4 years ago

@stephankellermayr Sorry about that! We got confused on the terminology as well (I linked it to some of our Android devs as a sanity check).

We are working (slowly) on improving documentation. The problem now is that it is quite a large monolithic beast, and we’re splitting it out piece by piece.

If you have any questions or need some pointers, come on by in the chat - links are at “Contact” on Jellyfin.org