owntracks / booklet

The definitive OwnTracks documentation
http://owntracks.org/booklet/

TLS Client Certificate Documentation #17

Closed n8henrie closed 8 years ago

n8henrie commented 8 years ago

As per owntracks/ios#379, I'm having trouble using a TLS client certificate with Owntracks for iOS 9.1.6. My setup used to work, but something changed in the last few months.

Following the documentation recommended setup, I continuously get an error with Mosquitto 1.4.9 and OwnTracks, though I'm still able to connect properly with mosquitto_pub (as long as I specify the proper client certs / files).

When using the Mosquitto broker support for TLS certificates can be enabled as follows:

require_certificate true
use_identity_as_username true

...

We recommend you proceed as follows:

  1. Install the TLS CA certificate in your system keystore by sending it (e.g. via e-mail) to your device and installing it in the system profile. (Click on the certificate and follow iOS' instructions.)
  2. Send the prepared PKCS#12 file (with an .otrp extension) to your device, and open it. It will be imported into OwnTracks.
  3. Launch OwnTracks, select Settings and TLS. Select the otrp file you just imported as Client Certificate Filename, and below that, enter its passphrase.
  4. Leave Use Custom Security Policy disabled.
  5. Verify the connection to your broker.

[screenshot: img_2064]


OwnTracks shows:

error The operation couldn't be completed.
(OSStatus error -9829.) {
}

Mosquitto shows:

1466436433: New connection from XX.XXX.XXX.XX on port 8883.
1466436430: OpenSSL Error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
1466436430: Socket error on client <unknown>, disconnecting.

The reason I'm raising an issue here is that I can see in the screenshots in the issue referenced above that others do have Use Custom Security Policy enabled, and I find that enabling it makes everything work as expected, even with security measures enabled like Validate Certificate Chain and Validate Domain Name.

[screenshot: img_2065]

I'm confused -- should I have Use Custom Security Policy disabled (as per the docs), or should I leave it enabled (as per other users, and what seems to be working)? If the latter, should the docs be updated to reflect this?

What exactly does this switch change? I've tried reviewing the source code, but I'm afraid it's a bit over my head.

Thanks for any help you can provide.
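The broker config and steps 1-2 quoted above assume a CA certificate and a PKCS#12 (.otrp) bundle already exist. The following is an added example, not code from the OwnTracks booklet or from the issue, that builds that material with openssl alone and then checks what a broker running with `require_certificate true` and `use_identity_as_username true` would see: whether the bundle actually carries a client certificate that chains to the CA, and which CN would become the MQTT username. It assumes openssl is on PATH; directory, CN and passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the OwnTracks project): prepare and check the
# client-certificate bundle used by the iOS TLS setup. Assumes openssl.
set -eu

# Create a CA, a client key/cert signed by that CA, and the PKCS#12 bundle
# (.otrp) that OwnTracks imports. $1=work dir, $2=client CN, $3=passphrase.
make_client_bundle() {
  dir=$1; cn=$2; pass=$3
  mkdir -p "$dir"
  # CA key and self-signed CA certificate (the one installed in step 1)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=example-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Client key and CSR; the CN is what use_identity_as_username maps to
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  # Sign the client CSR with the CA
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -out "$dir/client.crt" 2>/dev/null
  # Bundle key + cert + CA into the passphrase-protected .otrp (PKCS#12) file
  openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
    -certfile "$dir/ca.crt" -passout "pass:$pass" -out "$dir/client.otrp"
}

# Check the bundle the way the broker will: extract the client certificate,
# verify it chains to the CA, and print the CN that would become the MQTT
# username. A bundle with no client cert fails here, matching the broker's
# "peer did not return a certificate" symptom. $1=work dir, $2=passphrase.
bundle_identity() {
  dir=$1; pass=$2
  openssl pkcs12 -in "$dir/client.otrp" -passin "pass:$pass" -clcerts -nokeys \
    -out "$dir/from_bundle.crt" 2>/dev/null
  openssl verify -CAfile "$dir/ca.crt" "$dir/from_bundle.crt" >/dev/null
  # Subject line format differs between OpenSSL versions; keep only the CN
  openssl x509 -in "$dir/from_bundle.crt" -noout -subject | sed 's/.*CN *= *//'
}
```

Run `make_client_bundle ./otrp owntracks-phone secret` and then `bundle_identity ./otrp secret`; the printed CN is the username Mosquitto will apply ACLs to.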

ckrey commented 8 years ago

The switch allows you to control your TLS settings more granularly. If not switched on, it uses the default iOS settings and uses the iOS keychain for certificate validation only.

ckrey commented 8 years ago

Thanks for identifying the bug.

In version 9.1.6 client certificates only work with custom security policy (see ckrey/MQTT-Client-Framework#160).

The documentation needs to be updated to state client certificates are independent of the custom security policy settings.