nilsbraden / ttrss-reader-fork

An Android-Client for the self-hosted Tiny Tiny RSS feedreader
https://www.nilsbraden.de/TTRSS-Reader/

TLS Client Certificates do not seem to work #454

Closed katrina-krings closed 3 years ago

katrina-krings commented 3 years ago

Greetings.

I presently have working client cert authentication to my tt-rss instance running Apache. I have my client cert imported into Android's keystore, and I can choose my certificate and connect to my site perfectly fine in Chrome.

I've installed ttrss-reader 1.96.6 (1966) from F-Droid. Within SSL Settings, I have checked "Use Client Certificate" and have selected my client certificate in the option below, which produces the same system dialog as Chrome.

However, when I then go to connect, it fails to connect, stating:

Exception in doRequest(): Exception-Message: Read error: ssl=0xb4000071a4493f98: Failure in SSL library, usually a protocol error error:1000045c:SSL routines:OPENSSL_internal:TLSV1_CERTIFICATE_REQUIRED (external/boringssl/src/ssl/tls_record.cc:587 0xb4000071c448df58:0x00000001) No Exception-Cause available.

These /are/ self-signed certs, but the CA has also been enrolled in the Android system store, and I've tried the "Accept all SSL certificates" and "Trust all Hosts" options.

When looking at the SSL log for Apache, it seems like the app isn't sending the client certificate at all:

SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate

The only thing I can think that may be also important is that these are ECDSA keys/certs and not RSA. If it's all handled by OpenSSL in the background, it really shouldn't matter anyways, but I thought to mention it.

There are also no intermediate certs for the client or server certificate chain, they are both created directly off my CA.

Any help would be appreciated.

nilsbraden commented 3 years ago

I never used client certs myself and only took the implementation since it seemed to be working, so I can't really test it myself. But you might want to try to disable the Google Play services provider (under SSL Settings), then restart the app. You need to make sure it is properly killed though, either by force closing it somehow (depends on your device and ROM) or by rebooting the phone, since these libraries are hooked into the app's memory once it is loaded and can't be unloaded. This setting sometimes interferes with other SSL settings.
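For readers debugging the "peer did not return a certificate" symptom above, the following added example (not ttrss-reader's code) shows the mechanism by which an Android app decides whether to present a KeyChain client certificate at all: the TLS engine asks the app's `X509KeyManager` for an alias matching the key types the server accepts, and a `null` answer silently continues the handshake without a certificate. The class `KeyChainClientAuth` and its use of a pre-chosen alias are assumptions for illustration; the `KeyChain` and JSSE calls are the real platform APIs.

```java
// Added example: offer a KeyChain client certificate during the TLS handshake.
// Assumes `alias` was already obtained via KeyChain.choosePrivateKeyAlias().
import android.content.Context;
import android.security.KeyChain;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509ExtendedKeyManager;

public final class KeyChainClientAuth {

    /** Answers with the KeyChain alias for whichever key type the server lists
     *  ("RSA" or "EC"), so an ECDSA client cert is offered just like an RSA one. */
    static final class KeyChainKeyManager extends X509ExtendedKeyManager {
        private final String alias;
        private final X509Certificate[] chain;
        private final PrivateKey key;

        // Must run off the main thread: KeyChain calls block on the system service.
        KeyChainKeyManager(Context ctx, String alias) throws Exception {
            this.alias = alias;
            this.chain = KeyChain.getCertificateChain(ctx, alias);
            this.key = KeyChain.getPrivateKey(ctx, alias);
            if (chain == null || key == null) {
                throw new IllegalStateException("alias not in KeyChain: " + alias);
            }
        }

        @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) {
            // Returning null here is exactly what makes the server log
            // "peer did not return a certificate": the handshake goes on with no cert.
            for (String t : keyTypes) if (t.equalsIgnoreCase(key.getAlgorithm())) return alias;
            return null;
        }
        @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return null; }
        @Override public X509Certificate[] getCertificateChain(String a) { return alias.equals(a) ? chain : null; }
        @Override public String[] getClientAliases(String k, Principal[] i) { return new String[] { alias }; }
        @Override public String[] getServerAliases(String k, Principal[] i) { return null; }
        @Override public PrivateKey getPrivateKey(String a) { return alias.equals(a) ? key : null; }
    }

    /** SSLContext whose sockets present the chosen client certificate; trust
     *  managers are left at the platform default. */
    public static SSLContext build(Context ctx, String alias) throws Exception {
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(new KeyManager[] { new KeyChainKeyManager(ctx, alias) }, null, null);
        return sc;
    }
}
```

Note that the platform default trust store on Android 7 and later does not include user-installed CAs unless the app opts in through its network security configuration, which is a separate failure mode from the one in this issue.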

katrina-krings commented 3 years ago

Darndest thing, it works now, even with Google Play's provider enabled, plus a reboot.

Maybe it simply just needed a reboot to get working again. I'll close this unless you are particularly concerned and would like me to figure out why it didn't work the first time.