As a user I can connect to Passbolt behind a proxy that requires an SSL client certificate when using the Android mobile client

Q1. What is the problem that you are trying to solve?
Currently the Android mobile client does not support using the client certificates present in the device’s certificate store.

In instances where the (proxy-)server expects a Client Certificate, but the client does not send it, the request gets rejected entirely (403). Thus any connection from such a client is impossible.

I described the issue in more detail over here before: Using Android mobile app with SSL client certificate

To be clear: this is not about using and accepting unsigned SSL certificates. This is about the ability to authenticate requests using SSL client certificates.

Q2. Who is impacted?
Everyone that uses the mobile client

Q3. Why is it important and/or urgent?
It allows enforcing the use of client certificates as a security practice.

Q4. What is your proposed solution? (optional)
When the app encounters any request that requires SSL authentication, it also sends a client certificate chosen by the user.
On Android this can probably be achieved by using ClientCertRequest (see ClientCertRequest on Android Developers)

Q5. Community support
People can vote for this idea to show traction:

  • :ok_woman: Must have: this is critical for me to have this
  • :raising_hand_woman: Should have: this is important for me to have this
  • :tipping_hand_woman: Could have: this could be nice to have
  • :no_good_woman: Won’t have: we should not schedule this (explain why)

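As an added illustration of the Q4 proposal (example code, not from Passbolt or the original poster): ClientCertRequest is the WebView hook, while for native HTTP calls the equivalent route to the device's certificate store is the Android KeyChain API, which this sketch wires into an SSLContext; the names chooseClientCert, KeyChainKeyManager and mtlsSocketFactory are assumed.

```kotlin
import android.app.Activity
import android.content.Context
import android.security.KeyChain
import android.security.KeyChainAliasCallback
import java.net.Socket
import java.security.Principal
import java.security.PrivateKey
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.SSLSocketFactory
import javax.net.ssl.X509ExtendedKeyManager

/** Asks the user to pick a client certificate from the device KeyChain for the given proxy host. */
fun chooseClientCert(activity: Activity, host: String, port: Int, onChosen: (String?) -> Unit) {
    KeyChain.choosePrivateKeyAlias(
        activity,
        KeyChainAliasCallback { alias -> onChosen(alias) }, // alias is null if the user cancels
        arrayOf("RSA", "EC"), // key types the proxy accepts
        null,                 // issuers: null = any CA; could be narrowed to the proxy's CA
        host, port,
        null                  // no preselected alias
    )
}

/** Serves the chosen KeyChain alias to the TLS handshake when the server asks for a client cert. */
class KeyChainKeyManager(ctx: Context, private val alias: String) : X509ExtendedKeyManager() {
    // KeyChain lookups block, so construct this off the main thread.
    private val chain: Array<X509Certificate> = KeyChain.getCertificateChain(ctx, alias) ?: emptyArray()
    private val key: PrivateKey? = KeyChain.getPrivateKey(ctx, alias)

    override fun chooseClientAlias(keyType: Array<String>?, issuers: Array<Principal>?, socket: Socket?) = alias
    override fun getCertificateChain(alias: String?) = if (alias == this.alias) chain else null
    override fun getPrivateKey(alias: String?) = if (alias == this.alias) key else null
    override fun getClientAliases(keyType: String?, issuers: Array<Principal>?) = arrayOf(alias)
    // Client-side only: never acts as a TLS server.
    override fun chooseServerAlias(keyType: String?, issuers: Array<Principal>?, socket: Socket?) = null
    override fun getServerAliases(keyType: String?, issuers: Array<Principal>?) = null
}

/** Socket factory that presents the client certificate; trust managers stay at the platform default,
 *  so the proxy's own certificate is still validated (this is mutual TLS, not "accept anything"). */
fun mtlsSocketFactory(ctx: Context, alias: String): SSLSocketFactory {
    val sslContext = SSLContext.getInstance("TLS")
    sslContext.init(arrayOf(KeyChainKeyManager(ctx, alias)), null, null)
    return sslContext.socketFactory
}
```

The returned factory can be installed with HttpsURLConnection.setSSLSocketFactory on each connection, or handed to whichever HTTP client the app uses; without it the handshake completes with no certificate and the proxy returns the 403 described in Q1.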

Maybe accomplished as an NGINX config on the server side?

NGINX ssl_client_certificate

The client (Android App) currently fails to provide any SSL client certificate. The server side is fully and correctly configured.
