HTTP 400 when logging in to server that is secured with mTLS #4421

Open
nicolashimmelmann opened this issue Nov 6, 2024 · 6 comments
Labels
1. to develop Accepted and waiting to be taken care of (should be only set by nextcloud employees) bug Something isn't working

Comments

@nicolashimmelmann

Steps to reproduce

  1. Setup a reverse proxy such as nginx in front of Nextcloud with activated client authentication (mTLS).
  2. Issue a client certificate for the Android device. Install that certificate on the device.
  3. Start Talk app, enter the server URL. Click arrow to login.
  4. HTTP 400 is shown.

mTLS works perfectly fine with the main Nextcloud app, but not with the Talk app. There is some entry called "Change client certificate" in the settings once logged in, but since I need to log in first that is of no use.

Expected behaviour

The app should use the default Android APIs to toggle the popup asking the user to select the correct client certificate, the same way the main Nextcloud app does.

Actual behaviour

Login does not work, HTTP 400 is shown. Once I deactivate Client Certification check in nginx, login works.

Image

Device brand and model

Pixel 6

Android version

15

Nextcloud Talk app version

20.0.2

Nextcloud server version

30.0.1

Talk version

20.0.1

Custom Signaling server configured

None

Custom TURN server configured

None

Custom STUN server configured

None

Android logs

No response

Server log

No response

Additional information

No response

@nicolashimmelmann nicolashimmelmann added 0. Needs triage bug Something isn't working labels Nov 6, 2024
@nicolashimmelmann
Author

nicolashimmelmann commented Nov 6, 2024

I looked at the code and found that there is already support for Client Certificates, in the ServerSelectionActivity:

The required link is just hidden by default:

<bool name="hide_auth_cert">true</bool>

I changed that to false, and ran the app in an emulator. It is now possible to click the textview, choose the certificate and log in. Chat also works.

Why is this disabled by default? Any chance this could be re-enabled in one of the next minor releases?

@migulen

migulen commented Nov 8, 2024

@nicolashimmelmann, OFFTOPIC: Can you help me with some info about the process of generating client certificates and installing them on Android mobiles?

There have been a lot of improvements since September... I hope the Android Talk team releases a new version with them soon.

@nicolashimmelmann
Author

Hi, that's not too hard. You can either google that or ask ChatGPT; I am also no expert. However, the steps are mainly these:

  1. Create a new private key with the openssl command.
  2. From that private key, create a self-signed root certificate.
  3. For each client:
    1. Generate a new private key.
    2. Generate a certificate signing request (CSR).
    3. Sign the CSR with the root CA to create the client certificate.

Just a starting point, not sure if something is missing:

# CA
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt \
    -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=YourOrg Root CA"

# Client
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr \
    -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client"
openssl x509 -req -in client.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
    -out client.crt -days 365 -sha256

# Verify against CA
openssl verify -CAfile rootCA.crt client.crt

The CA and CA private key need to be added to your server config (e.g. nginx.conf).
The certificate needs to be rolled out to the Android device as a .p12 file. You can create that from the client private key and certificate using this command:

openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt -certfile rootCA.crt

How you roll that out to the phone is your decision (USB, email, download, ...). You need to add it under "Settings > Security > Encryption & Credentials" on Android.
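The issuance steps in this comment and the mTLS proxy setup from the original report, as an added shell example that is not the thread's own code. It assumes OpenSSL 1.1.1 or newer on the issuing machine; the function names (make_ca, make_client, export_p12, verify_client, p12_cn), the subject names, paths and the import password are constructed for the demo. It goes slightly beyond the commands above: the client certificate gets an explicit clientAuth extended key usage, and a certificate from a second, unrelated CA is checked to confirm it would be refused.

```shell
#!/bin/sh
# Added example, not code from the issue thread. Builds a private CA, issues a
# client certificate restricted to TLS client use, bundles it into the PKCS#12
# file Android imports, and checks that only certificates from this CA verify
# as TLS clients. Directory names, subjects and the password are constructed.
set -eu

# make_ca DIR: self-signed root CA in DIR. The CA key never leaves the
# issuing machine; the reverse proxy only needs rootCA.crt.
make_ca() (
    dir=$1
    openssl genrsa -out "$dir/rootCA.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 3650 \
        -subj "/O=Example Org/CN=Example Org Root CA" \
        -out "$dir/rootCA.crt" 2>/dev/null
)

# make_client DIR CN: key + CSR + CA-signed certificate for one device/user.
# The extension file limits the certificate to the clientAuth purpose.
make_client() (
    dir=$1; cn=$2
    openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$cn.key" -subj "/O=Example Org/CN=$cn" \
        -out "$dir/$cn.csr" 2>/dev/null
    cat > "$dir/client.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
    openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/rootCA.crt" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/client.ext" -out "$dir/$cn.crt" 2>/dev/null
)

# export_p12 DIR CN PASS: the bundle to import under
# Settings > Security > Encryption & credentials on the device.
export_p12() (
    dir=$1; cn=$2; pass=$3
    openssl pkcs12 -export -in "$dir/$cn.crt" -inkey "$dir/$cn.key" \
        -certfile "$dir/rootCA.crt" -passout "pass:$pass" -out "$dir/$cn.p12"
)

# verify_client CA_CRT CLIENT_CRT: chain + purpose check comparable to what
# the proxy does during the handshake. Exit status 0 means accepted.
verify_client() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# p12_cn FILE PASS: common name of the certificate inside a .p12 bundle.
p12_cn() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Stand-alone run: one CA, one device certificate, one foreign certificate.
demo() (
    work=$(mktemp -d)
    make_ca "$work"
    make_client "$work" alice
    export_p12 "$work" alice demo-import-password
    verify_client "$work/rootCA.crt" "$work/alice.crt" \
        && echo "alice.crt accepted by rootCA.crt"
    other=$(mktemp -d)
    make_ca "$other"
    make_client "$other" bob
    verify_client "$work/rootCA.crt" "$other/bob.crt" \
        || echo "bob.crt (issued by another CA) rejected"
    echo "bundle contains CN=$(p12_cn "$work/alice.p12" demo-import-password)"
)
demo
```

On the proxy side only the CA certificate is needed: in nginx that is `ssl_client_certificate /path/to/rootCA.crt;` together with `ssl_verify_client on;` in the server block; the CA private key stays on the machine that issues client certificates.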

@migulen

migulen commented Nov 8, 2024

@nicolashimmelmann. Really, thank you very much for your effort!!!

I got lost because I thought it had to be "generated" by my recognised certificate provider... ;-? And I don't have access to generate this type of client certificate from them... or so I think.

In this case they are all "self-signed".

I will try it. Thanks.

@migulen

migulen commented Nov 9, 2024

@nicolashimmelmann:

It works like a charm with Firefox on W11. Firefox on W11 asks for the personal client certificate.

It works correctly with Brave on Android. Brave asks for the personal client certificate.

But....

I can't make it work with Android Talk or Firefox/Focus on Android. There is no config inside Firefox/Focus, and it does not ask for the certificate.

"There is some entry called "Change client certificate" in the settings once logged in, but since I need to log in first that is of no use."

Inside a previously configured Talk account, in the Android Talk app "account configuration", I select the personal client certificate, but it doesn't work either. It seems it is not really "selecting/activating the certificate".

I will wait... for some news from the Talk Team.

@mahibi
Collaborator

mahibi commented Nov 18, 2024

Hi,
the feature is disabled and needs improvements. We can have a closer look at what needs to be done to have this ready for production.

@mahibi mahibi added 1. to develop Accepted and waiting to be taken care of (should be only set by nextcloud employees) and removed 0. Needs triage labels Nov 18, 2024