Q1. What is the problem that you are trying to solve?
Currently the Android mobile client does not support using the client certificates present in the device’s certificate store.
In instances where the (proxy-)server expects a Client Certificate, but the client does not send it, the request gets rejected entirely (403). Thus any connection from such a client is impossible.
I described the issue in more detail over here before: Using Android mobile app with SSL client certificate
To be clear: this is not about using and accepting unsigned SSL certificates. This is about the ability to authenticate requests using SSL client certificates.
Q2 - Who is impacted?
Everyone that uses the mobile client
Q3 - Why is it important and/or urgent?
It allows enforcing the use of client certificates as a security practice.
Q4 - What is your proposed solution? (optional)
When the app encounters any request that requires SSL authentication, it also sends a client certificate chosen by the user.
On Android this can probably be achieved by using ClientCertRequest (ClientCertRequest | Android Developers)
Q5. Community support
People can vote for this idea to show traction:
-
Must have: this is critical for me to have this -
Should have: this is important for me to have this -
Could have: this could be nice to have -
Won’t have: we should not schedule this (explain why)
0 voters