nilsbraden / ttrss-reader-fork

An Android-Client for the self-hosted Tiny Tiny RSS feedreader
https://www.nilsbraden.de/TTRSS-Reader/

SSL client certificates do not work, app fails to connect to tt-rss server #146

Closed GoogleCodeExporter closed 3 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Set up a tt-rss server with https. In Apache's SSL config, set SSLVerifyClient to "optional" or "require". Additionally, set SSLVerifyDepth to 10.
2. Generate a client certificate with https client profile. I used xca for this. Install client certificate to Android key store. That was successful.
3. Open the reader app, connect to server.

What is the expected output? What do you see instead?
The reader should connect to the server normally. Instead, the app fails to connect and prints out an error message (see attached screenshot).

What version of the product are you using? On what operating system?
1.48 from Google Play Store. The phone is a Samsung Galaxy S3 with Omega 43.3 (XXEMC3) ROM.

Using the app on an https-only server with server certificates only (setting SSLVerifyClient to none) works as it should.
Other apps dealing with SSL client certificates, for instance OpenVPN, work normally.

Regards,
hikFeSwog

Original issue reported on code.google.com by hikFeS...@googlemail.com on 20 May 2013 at 12:10

GoogleCodeExporter commented 9 years ago
Not yet implemented.

Original comment by nils.braden on 21 May 2013 at 8:47

GoogleCodeExporter commented 9 years ago

Original comment by nils.braden on 18 Feb 2014 at 7:41

jmtsantos commented 8 years ago

I would also like to have this feature

jr4 commented 6 years ago

I have this working locally, I'll see if I can get a reasonable UI around it

jr4 commented 6 years ago

Implemented. See PR https://github.com/nilsbraden/ttrss-reader-fork/pull/362

Added new preference SSL Settings->Client Certificate. It invokes the Android certificate selection dialog, not an app-specific one. This is necessary to authorize the app to use a cert from the central store. The dialog may vary by device, but you should be able to add certs from either there or in the device settings (typically you need to temporarily store a .p12 file in the phone / directory).

I've tested that Apache can be configured to require this cert, and that ttrss can then be configured to use the cert as login.
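
The mechanism described in the last comment, as an added sketch that is not the code from PR 362 or from this project: the system dialog grants the app access to one KeyChain alias, and a custom `X509KeyManager` then presents that certificate during the TLS handshake. The class name `KeyChainClientCert` and its two static helpers are hypothetical; the `android.security.KeyChain` and `javax.net.ssl` calls are standard platform APIs.

```java
import android.app.Activity;
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyChainAliasCallback;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

/** Hypothetical helper: presents a KeyChain-held client certificate during the TLS handshake. */
public final class KeyChainClientCert implements X509KeyManager {
    private final String alias;
    private final PrivateKey key;          // opaque handle; key material stays in the system store
    private final X509Certificate[] chain;

    private KeyChainClientCert(String alias, PrivateKey key, X509Certificate[] chain) {
        this.alias = alias; this.key = key; this.chain = chain;
    }

    /** Step 1 (UI thread): show the system dialog. The user's choice authorizes this app for that alias. */
    public static void pickAlias(Activity activity, String host, int port, KeyChainAliasCallback cb) {
        // cb.alias(String) receives the chosen alias, or null if the user cancelled.
        KeyChain.choosePrivateKeyAlias(activity, cb, new String[] {"RSA", "EC"}, null, host, port, null);
    }

    /** Step 2 (background thread, these calls block): build an SSLContext for the granted alias. */
    public static SSLContext contextFor(Context ctx, String alias) throws Exception {
        PrivateKey key = KeyChain.getPrivateKey(ctx, alias);
        X509Certificate[] chain = KeyChain.getCertificateChain(ctx, alias);
        if (key == null || chain == null) {
            // Certificate removed or grant revoked: fail closed and ask the user to select again.
            throw new IllegalStateException("No access to alias; re-run the selection dialog");
        }
        SSLContext ssl = SSLContext.getInstance("TLS");
        // Passing null TrustManagers keeps the platform's default server certificate validation.
        ssl.init(new KeyManager[] {new KeyChainClientCert(alias, key, chain)}, null, null);
        return ssl;
    }

    @Override public String chooseClientAlias(String[] types, Principal[] issuers, Socket s) { return alias; }
    @Override public X509Certificate[] getCertificateChain(String a) { return chain; }
    @Override public PrivateKey getPrivateKey(String a) { return key; }
    @Override public String[] getClientAliases(String type, Principal[] issuers) { return new String[] {alias}; }
    @Override public String chooseServerAlias(String type, Principal[] issuers, Socket s) { return null; }
    @Override public String[] getServerAliases(String type, Principal[] issuers) { return null; }
}
```

The resulting context's `getSocketFactory()` can be set on an `HttpsURLConnection` with `setSSLSocketFactory`; only the alias string needs to be stored in the app's preferences.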