philipparndt / mqtt-analyzer

Apache License 2.0

Accept Client Certificates #18

Closed visnaut closed 4 years ago

visnaut commented 4 years ago

Hi there! Absolutely ❤️ this app, it's great. Unfortunately, I'm unable to use it with brokers that require client certificates to authenticate.

This feature request therefore is for a UI whereby users are able to provide the following files in order to authenticate:

philipparndt commented 4 years ago

Hi @visnaut,

thank you for the nice words. I'd like to implement this feature as I think you are definitely not alone with this use case ;)

Could you create an example configuration for Mosquitto? We should also think about how to provide a good UI for the certificates. The fast solution would be to provide text fields, but maybe it would be better to allow selecting files from iCloud or by using iTunes/Finder.

visnaut commented 4 years ago

@philipparndt Absolutely. Here's a sample mosquitto config which will have an unsecured port 1883 and a secured, certificate-only port 8883.

Note for casual readers: This is not a secure setup!

# Per Listener Settings
per_listener_settings true

# Default Listener
port 1883
allow_anonymous true

# Secured Listener
listener 8883
cafile /mosquitto/config/ca.crt
keyfile /mosquitto/config/broker.key
certfile /mosquitto/config/broker.crt
require_certificate true
use_identity_as_username true
allow_anonymous false

For generating the keys, I followed the instructions here and here.

You're absolutely right about the UI. My first thought was to see how apps like Prompt and OpenVPN handle that. Prompt either allows a user to copy and paste a public key, or generate a key pair; neither is really applicable. OpenVPN allows users to import .ovpn configs via URL, iTunes Sync, or open the file via the Mail app (But you can also open .ovpn files in the Files app).

What those apps have to their advantage is that, regardless of approach, a user only has to provide a single file/key. In this case, a user would have to repeat that step up to three times, which is less than ideal.

It's been a long time since I've looked at the iOS SDK, but even if you could select three files in UIDocumentBrowserViewController, or add three files via iTunes Sync (how do you even do that in Catalina? 🤔) you'd still need to have some kind of UI to then map them to the correct slots on a per-server basis. Unless of course, you tried both permutations of .crt files when connecting to a server for the first time.

Ultimately, I think that simply making it a modal, 1:1 selection between a UI slot and file (via UIDocumentBrowserViewController) would be good enough for a first pass. Even though it may be tedious, it only has to be performed once per server, and for the audience using this app, shouldn't be a barrier to usage.
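The configuration above has a plaintext, anonymous listener on 1883 next to the client-certificate listener on 8883, which is what the "not a secure setup" note refers to. The following is an added example, not code from this issue or from mqtt-analyzer: a small stdlib-only Python linter that parses a mosquitto.conf the way `per_listener_settings true` groups options (every option after a `listener`/`port` line belongs to that listener) and reports the weak settings. The sample config is the one posted above, embedded verbatim, plus a constructed hardened variant with the anonymous listener removed; the checks reflect my reading of the Mosquitto option semantics, not anything the project ships.

```python
"""Lint a Mosquitto configuration for client-certificate (mTLS) listeners.

Added example for the issue thread; not part of mqtt-analyzer.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the configuration posted in the issue, verbatim.
SAMPLE_CONFIG = """\
# Per Listener Settings
per_listener_settings true

# Default Listener
port 1883
allow_anonymous true

# Secured Listener
listener 8883
cafile /mosquitto/config/ca.crt
keyfile /mosquitto/config/broker.key
certfile /mosquitto/config/broker.crt
require_certificate true
use_identity_as_username true
allow_anonymous false
"""

# Constructed hardened variant: only the certificate-authenticated listener.
HARDENED_CONFIG = """\
per_listener_settings true

listener 8883
cafile /mosquitto/config/ca.crt
keyfile /mosquitto/config/broker.key
certfile /mosquitto/config/broker.crt
require_certificate true
use_identity_as_username true
allow_anonymous false
"""


@dataclass
class Listener:
    port: int
    settings: Dict[str, str] = field(default_factory=dict)


def parse_config(text: str) -> Tuple[Dict[str, str], List[Listener]]:
    """Split mosquitto.conf text into global options and per-listener blocks.

    With per_listener_settings true, an option applies to the most recently
    declared `listener`/`port` until the next one is declared; options seen
    before any listener are global.
    """
    global_settings: Dict[str, str] = {}
    listeners: List[Listener] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key in ("listener", "port"):
            # `listener 8883 0.0.0.0` carries an optional bind address; keep the port.
            current = Listener(port=int(value.split()[0]))
            listeners.append(current)
        elif current is None:
            global_settings[key] = value
        else:
            current.settings[key] = value
    return global_settings, listeners


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    global_settings, listeners = parse_config(text)
    if global_settings.get("per_listener_settings") != "true":
        findings.append("global: per_listener_settings is not true; auth options apply to every listener")
    for lst in listeners:
        s = lst.settings
        anon = s.get("allow_anonymous")
        if anon == "true":
            findings.append(f"{lst.port}: allow_anonymous true (unauthenticated access)")
        elif anon is None:
            # The default changed between Mosquitto releases; insist on an explicit value.
            findings.append(f"{lst.port}: allow_anonymous not set explicitly")
        has_tls = "certfile" in s or "keyfile" in s
        if not has_tls:
            findings.append(f"{lst.port}: no certfile/keyfile, traffic is plaintext")
            continue
        if "cafile" not in s and "capath" not in s:
            findings.append(f"{lst.port}: TLS listener without cafile/capath, client certificates cannot be verified")
        if s.get("require_certificate") != "true":
            findings.append(f"{lst.port}: require_certificate not true, clients are not asked for a certificate")
        elif s.get("use_identity_as_username") != "true" and "password_file" not in s:
            findings.append(f"{lst.port}: certificate required but nothing maps it to a username")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in lint(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it directly to see the two findings for the posted config (both on listener 1883) and none for the hardened one. The parser deliberately keeps `port` and `listener` equivalent so configs written for either spelling group the same way.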

philipparndt commented 4 years ago

@visnaut thanks for the configuration :)

I've got an example mosquitto up and running and already implemented a small working demo (without any UI/certificate sharing). Sharing files with iTunes has moved to Finder with Catalina. I know the OpenVPN app with its configuration. This is good, but something like this would only be possible with some manual steps; maybe this would be fine as a first step for advanced users.

philipparndt commented 4 years ago

Hi @visnaut, I've submitted a first TestFlight build. Let me know when you'd like to test it and I'll send you a test invitation.

visnaut commented 4 years ago

Happy to help you test it, and I am free this weekend to do so!

philipparndt commented 4 years ago

The update is still in "waiting for review" state. It seems to be taking longer than usual at the moment, but you should have received a TestFlight invitation and will get the update as soon as the review is done by Apple.

visnaut commented 4 years ago

Thank you so much! I did not receive the TestFlight invitation in my email (made sure to check spam). No stress if the update is imminent, but if you'd still like help testing, I'm happy to troubleshoot or trade an invitation code via Twitter DM (same username as GitHub).

visnaut commented 4 years ago

Received the invitation. Certificate support is working great! 🙌 UI is nice and simple, I really like it.

The only call-out is that these files are visible:

[Screenshot: Screen Shot 2020-02-29 at 20 41 46]

Not sure what they are, but users are able to delete them.

philipparndt commented 4 years ago

Thanks a lot for testing! I don't like that the files are visible. They are used for a local cache. I tried to move them to another place, but this solution currently doesn't work, so I will accept this drawback for now.