
Invalid server certificate warning in iOS app with TLS client authentication

Open xavier2dc opened this issue 3 years ago • 3 comments

Steps to reproduce

  1. Deploy Nextcloud on a server, create an account
  2. Put nginx as reverse proxy in front of Nextcloud with ssl_verify_client optional in the config
  3. Create an app password, add account to the iOS app using the QR code
  4. Close the app and reopen it

Expected behaviour

The app reopens without certificate warning

Actual behaviour

A warning shows up: "The certificate for this server is invalid. Do you want to connect to the server anyway?" The certificate displayed is the correct certificate. Even if I click on Yes, the warning will reappear next time. I can access the files after clicking Yes. If the ssl_verify_client optional line is removed in nginx, the warning does not appear next time the iOS app is restarted.

Note 1: the reverse proxy's TLS certificate is correctly configured, since Safari on iOS can connect to it properly.

Note 2: I have checked other tickets; this is not a duplicate. The only other mention is https://github.com/nextcloud/ios/issues/1682#issuecomment-1066117211

Screenshots

Same screenshot as reported in https://github.com/nextcloud/ios/issues/1682 (but likely for a different reason)

Logs

No interesting log to show.

Reasoning or why should it be changed/implemented?

TLS client authentication can be used with Nextcloud using the SSO & SAML authentication extension, which works well with web browsers. AFAIK, the iOS app does not support this feature, so it can fall back to normal login/password authentication. However, it should gracefully ignore the Certificate Request from the server, just like an unconfigured web browser would, and not trigger a server certificate warning. The Android app does not have this problem.

Environment data

  - iOS version: iOS 14.8
  - Nextcloud iOS app version: Nextcloud Liquid iOS 4.3.1.0
  - Web server operating system: TrueNAS FreeBSD 12.2-RELEASE-p12 jail
  - Web server: nginx 1.20.2_9,2 on plain HTTP
  - Reverse proxy operating system: Docker version 20.10.12, build e91ed5707e with Debian GNU/Linux 10 Linux e86a668d8ff0 5.4.0-104-generic x86_64
  - Reverse proxy: openresty/1.19.9.1 built with OpenSSL 1.1.1n 15 Mar 2022
  - Database: mysql 8.0.28
  - PHP version: PHP 7.4.28 (fpm-fcgi)
  - Nextcloud version: 23.0.2

xavier2dc, Mar 26 '22 03:03
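
The behaviour requested under "Reasoning" in the issue above, sketched as an added example that is not part of the issue and not the Nextcloud app's code: a URLSession delegate that judges the server certificate only on the server-trust challenge and answers a client-certificate challenge with default handling when no identity is configured. `ChallengeHandler` is a hypothetical name, and the thread does not establish how the app currently handles these challenges.

```swift
import Foundation
import Security

// Hypothetical delegate; the class name is an assumption for illustration.
final class ChallengeHandler: NSObject, URLSessionDelegate {

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        let space = challenge.protectionSpace

        switch space.authenticationMethod {

        case NSURLAuthenticationMethodServerTrust:
            // Only this challenge carries information about the server certificate.
            guard let trust = space.serverTrust else {
                completionHandler(.cancelAuthenticationChallenge, nil)
                return
            }
            var error: CFError?
            if SecTrustEvaluateWithError(trust, &error) {
                // Chain validates against the system trust store: proceed silently.
                completionHandler(.useCredential, URLCredential(trust: trust))
            } else {
                // Genuine validation failure: the only place where an
                // "invalid server certificate" prompt is justified.
                completionHandler(.cancelAuthenticationChallenge, nil)
            }

        case NSURLAuthenticationMethodClientCertificate:
            // The server sent a CertificateRequest, as nginx does with
            // "ssl_verify_client optional". With no client identity
            // configured, let the system continue without a certificate
            // and keep this path away from any server-certificate warning.
            completionHandler(.performDefaultHandling, nil)

        default:
            // Other challenge types (HTTP Basic, NTLM, ...) are unrelated
            // to TLS certificates and get the system default.
            completionHandler(.performDefaultHandling, nil)
        }
    }
}
```

With an optional client-certificate request the handshake can complete without a certificate, so the app can still fall back to login/password authentication as the issue describes.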

Thanks for reporting this. I'm having the same issue.

dlardo, Apr 18 '22 07:04

I have the same issue. I’m not using client certificates anywhere in NextCloud, but my server allows me to authenticate to some other services via client cert. As the cert is also requested (optionally) for the Nextcloud domain, this causes issues. Especially because there is no way to confirm the certificate warning when using data from nextcloud in other apps (e.g. KeePassium).

malexmave, Jul 04 '22 10:07

I have the same warning issue, even without client authentication. I use a haproxy for TLS. I use SNI as multiple services are present behind a single address. I switched from a personal CA to LetsEncrypt hoping that this would solve the issue, without success. I am suspecting SNI to be somehow related to the problem.

Jc-L, Mar 03 '24 22:03