nextcloud / talk-android

📱😀 Video & audio calls through Nextcloud on Android

HTTP 400 when logging in to server that is secured with mTLS #4421

Open nicolashimmelmann opened 2 days ago

nicolashimmelmann commented 2 days ago

Steps to reproduce

  1. Set up a reverse proxy such as nginx in front of Nextcloud with activated client authentication (mTLS).
  2. Issue a client certificate for the Android device. Install that certificate on the device.
  3. Start Talk app, enter the server URL. Click arrow to login.
  4. HTTP 400 is shown.

mTLS works perfectly fine with the main Nextcloud app, but not with the Talk app. There is some entry called "Change client certificate" in the settings once logged in, but since I need to log in first that is of no use.

Expected behaviour

The app should use the default Android APIs to toggle the popup asking the user to select the correct client certificate, the same way the main Nextcloud app does.

Actual behaviour

Login does not work, HTTP 400 is shown. Once I deactivate Client Certification check in nginx, login works.


Device brand and model

Pixel 6

Android version

15

Nextcloud Talk app version

20.0.2

Nextcloud server version

30.0.1

Talk version

20.0.1

Custom Signaling server configured

None

Custom TURN server configured

None

Custom STUN server configured

None

Android logs

No response

Server log

No response

Additional information

No response

nicolashimmelmann commented 1 day ago

I looked at the code and found that there is already support for Client Certificates, in the ServerSelectionActivity: https://github.com/nextcloud/talk-android/blob/d9bcf14696e07971f731743e2202baf9afeae68e/app/src/main/java/com/nextcloud/talk/account/ServerSelectionActivity.kt#L138

The required link is just hidden by default: https://github.com/nextcloud/talk-android/blob/d9bcf14696e07971f731743e2202baf9afeae68e/app/src/main/res/values/setup.xml#L23

I changed that to false, and ran the app in an emulator. It is now possible to click the TextView, choose the certificate and log in. Chat also works.

Why is this disabled by default? Any chance this could be re-enabled in one of the next minor releases?