nextcloud / ios

📱 Nextcloud iOS App
https://itunes.apple.com/us/app/nextcloud/id1125420102
GNU General Public License v3.0
1.99k stars 882 forks

🔑 Use SSL Client Certificate to improve security #847

Closed Heracles31 closed 4 months ago

Heracles31 commented 5 years ago

Expected behaviour

Option to configure a Nextcloud account to include an SSL User's Private Key and Certificate to connect to the server.

The use of an SSL Client certificate greatly improves security. It protects the SSL connection against SSL decryptors deployed here and there and many other threats. It also improves security on the mobile device by moving the private key to a memory space where nothing can touch it.

As a first step, it should be easy to add this as an extra option to the account but still require the password or the access token. In a further release, it would be possible to use the certificate as the only authentication, but that requires more effort and more config in the SSL engine facing the Nextcloud service as well as in the Nextcloud config itself to map certificate names to usernames.

Actual behaviour

To use such a client-side certificate is not an option as of now.

Steps to reproduce

N/A

iOS version

N/A

App version

Latest

Server configuration

N/A

Operating system: N/A

Web server: N/A

Database: N/A

PHP version: N/A

Nextcloud version: (see Nextcloud admin page) N/A

mpivchev commented 4 months ago

@WinkelB The error you are getting does not seem related to the certificate, it seems like a permission error.

WinkelB commented 4 months ago

That's the blocking via the Cloudflare WAF if the application isn't providing a valid certificate. [image]

If using a valid certificate, everything works. [image]

mpivchev commented 4 months ago

It may be because Cloudflare is using mTLS and only regular TLS seems to be supported by Alamofire.

WinkelB commented 4 months ago

Yes, that's correct; I assume mTLS is what's being referred to as it's often mentioned here. It's quite unfortunate because mTLS is an enterprise standard. Moreover, both the website and the Windows desktop client support mTLS.

marinofaggiana commented 4 months ago

@mpivchev @windfail Where would be the difference between mTLS Cloudflare and the mTLS (no Cloudflare)?

AchMol commented 1 week ago

Hi all, is the client certificate authentication now integrated in the iOS Client as in the Windows and OSX Client?

The OSX Client is working fine, as is connecting with a web browser from iOS, but with the Nextcloud iOS Client I get a "Verbindungsfehler" error. Also, there is no way to hand over a client certificate to the Nextcloud client.
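
For reference alongside this thread, an added example (not code from the Nextcloud iOS app or from any commenter) of how an iOS client built on Foundation's `URLSession` can answer a server's client-certificate request during the TLS handshake. The class name `ClientCertificateDelegate` and the PKCS#12 input with its passphrase are assumptions made for illustration.

```swift
import Foundation
import Security

/// Hypothetical delegate (the name is an assumption) that answers a server's
/// TLS client-certificate request with an identity loaded from PKCS#12 data.
final class ClientCertificateDelegate: NSObject, URLSessionDelegate {
    private let identity: SecIdentity          // private key + leaf certificate
    private let intermediates: [SecCertificate]

    /// Imports the first identity found in the PKCS#12 data; fails on a wrong
    /// passphrase or when the file holds no private key.
    init?(pkcs12 data: Data, passphrase: String) {
        let options = [kSecImportExportPassphrase as String: passphrase] as CFDictionary
        var rawItems: CFArray?
        guard SecPKCS12Import(data as CFData, options, &rawItems) == errSecSuccess,
              let items = rawItems as? [[String: Any]],
              let first = items.first,
              let identityRef = first[kSecImportItemIdentity as String]
        else { return nil }
        // CoreFoundation types cannot be cast conditionally; the key fixes the type.
        self.identity = identityRef as! SecIdentity
        let chain = first[kSecImportItemCertChain as String] as? [SecCertificate] ?? []
        // The chain starts with the leaf, which the identity already carries.
        self.intermediates = Array(chain.dropFirst())
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        switch challenge.protectionSpace.authenticationMethod {
        case NSURLAuthenticationMethodClientCertificate:
            // The server asked for a client certificate (mTLS): present the identity.
            // .forSession keeps the credential for this URLSession only.
            let credential = URLCredential(identity: identity,
                                           certificates: intermediates.isEmpty ? nil : intermediates,
                                           persistence: .forSession)
            completionHandler(.useCredential, credential)
        default:
            // Server trust and all other challenges keep the system's default
            // validation, so certificate checking of the server is not weakened.
            completionHandler(.performDefaultHandling, nil)
        }
    }
}
```

A session created with `URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)` would present the certificate in addition to, not instead of, whatever password or token the HTTP layer sends, which matches the "first step" described in the original request.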