Allow using installed client certificate #70

Open
zindable opened this issue Apr 1, 2024 · 10 comments

@zindable

zindable commented Apr 1, 2024

In my configuration, I distinguish between external traffic originating from the internet and internal traffic within the local network. While internal traffic enjoys direct access to my services, external requests undergo additional authentication via mutual TLS (mTLS), terminated on my proxy.

I stumbled upon a demo showcasing how mTLS can be implemented in Swift. However, as I'm not proficient in Swift development, I'm uncertain about its feasibility.

Would it be possible for the app to show a list of installed profiles/certificates and utilize them in cases where the server mandates client authentication at the TLS layer?

@paulgessinger
Owner

paulgessinger commented Apr 1, 2024

I've received a few requests for this. I'm not an expert at all on the topic, so I'll have to research this first. It does seem useful though, so I'll look into it.

The app uses URLSession for everything so as per your link it should be possible to implement.

@Nils-witt
Contributor

Hi,

> Would it be possible for the app to show a list of installed profiles/certificates and utilize them in cases where the server mandates client authentication at the TLS layer?

@zindable As Apple limits the access to the OS Keychain that is not possible, but each app (or keychain group) can import them into their own keychain.

I'm currently trying to implement this feature here: Fork (WiP)

@paulgessinger
Owner

@Nils-witt awesome! Looking forward to a PR on this!

@paulgessinger
Owner

@zindable I pushed @Nils-witt's changes to TestFlight now. Could you give this a try?

paulgessinger added this to the v1.5.0 milestone Jul 14, 2024
@Finkregh

I tried to add a certificate, but got certificateLoadError. I used the same p12 file with https://github.com/immich-app/immich and it worked.
The log did not contain anything certificate related :/

@paulgessinger
Owner

paulgessinger commented Aug 24, 2024

@Finkregh I've found in my testing that it depends on details of the certificate.

I haven't tried this in Immich, but this app is using the iOS API for this pretty much directly, so if it doesn't work it's highly likely it's because of Apple's framework. If you created the .p12 with openssl3, I believe you need to pass -legacy to make it work.

I found this out through trial and error trying to import a client cert first straight into macOS keychain and then into the app (the crypto framework is the same).

Can you give that a shot?

@Finkregh

It works, nice!

In the UI it's not clear how I can remove servers, btw :)

@paulgessinger
Owner

@Finkregh I added a logout button right in the settings screen now.

@paulgessinger
Owner

A first version will be in v1.5.0 but I'll follow this up with a UI overhaul to make this a bit more streamlined, paired with some documentation on how to set this up properly in an install.

@LucaTheHacker

I'm having issues with this as well. I've seen from the logs that the certificate has been loaded properly, but I'm unable to get the login working anyway.

I have tried to debug everything, cert is valid and loaded correctly, yet logs don't help to understand if the certificate has been sent or not.

Any guesses?
