Connecting to a server with TLS Client Authentication crashes app #582
Comments
|
Hi, I have the same use case and a similar experience that you have @codingJWilliams. It would be a nice addition to the mobile app to support TLS client authentication. The added security would be beneficial for on-premise deployments. Perhaps we can join forces and come up with an implementation that could be merged into mainline? @kspearrin Could you give your opinion on this and maybe some pointers on where to start? |
|
All server communication happens with httpclient here: https://github.com/bitwarden/mobile/blob/master/src/Core/Services/ApiService.cs I am not sure what is needed to support client certificates. |
|
Thanks for your quick answer and the pointer. I'll have a stab at it, but first I'll need to setup a C# dev environment on Linux. I'm quite new to C# development, so if anyone has any experience to share, I'd be much obliged. My first bet is Rider from Jetbrains, let's hope this works 🤞. |
|
Unfortunately, there is no Xamarin support on Linux that I know of. |
|
It seems to be one of the advertised features of Rider: https://www.jetbrains.com/rider/features/ I'll let you know if it works out. |
|
Hello, Thank you for the very kind offer @agboom but I'm rather hopeless at C#! I will take a shot however this does seem to be outside of my comfort zone. |
|
Thanks @codingJWilliams I'll give a shout if there's something to test or otherwise. My main challenge right now is to get the dev environment working on Linux which is new to me for C#. The Jetbrains Rider IDE requires a paid license which is a bummer, because it's currently my only chance of Xamarin development on Linux AFAIK. Jetbrains does offer free licenses to open source project contributors, so maybe hope @kspearrin? |
|
Hello, I've been able to make some progress on this - it's rather crude and doesn't use the system certificate selection dialog but I have at least been able to get the app to connect. Inside the ApiService.cs I have modified the HttpClient definition to the following: Then, I added the One thing I would note is that I'm not quite sure of the implications of It's hacky, but works, so possibly a good starting point. I would ideally like this to be able to use certificates installed on the system rather than needing access to the pfx file though. |
|
Thanks for picking this up @codingJWilliams, I've been out of luck with Xamarin on Linux. Although I could start a trail period with Jetbrains Rider, the Xamarin SDK did not work out of the box and requires some packages that failed to install on my system. Great that you got it working! My guess for the implications of If the HttpClient indeed does accept your server certificate that could be a bug. Just thinking out loud here: did you try to add the CA cert? Not sure how the system certificates could be used, but I agree that it is the desired functionality. |
|
Is there any development continuing on this? This is something I am very interested in Unfortunately, I am also not at all a C# developer nor have I done any mobile platform development before, so I don't think I would be very helpful either, unless someone can point me towards how to set up a Linux development environment. I can't imagine the code would be that complicated, seems the UI portion would be more work than the logic. The way I would expect the UI to work would be to have an option/dialog for "Identity" where installed client certificates could be selected from, much in the way that iPhone EAP-TLS functions I can try to get a simple environment up that will allow me to at least write a bare bones "tls_connect" function with an optional client certificate, but I would have to pass that off to someone familiar with the UI portion, and familiar with the iOS/Android APIs for selecting the certificates from the device EDIT: https://thomasbandt.com/certificate-and-public-key-pinning-with-xamarin seems to be a useful resource |
|
@codingJWilliams I agree that using an "installed" system certificate would be ideal, but I would be happy with the .pfx/.p12 as a start (and I think that's a reasonable way to implement it, so long as it doesn't get in the way of the UI options most commonly used) |
|
@kspearrin is TLS client certificate authentication something you are willing to support? This would be great for hosted instances EDIT: Currently TLS client certificate auth works fine with BitWarden via web browser. It is just the iOS application I am talking about here! I'm sorry to hijack the thread here, but I tried to organize some thoughts about it, hoping you would be willing to listen and consider. If you prefer this in a separate issue, or communication via another medium, please let me know! The ProblemFirst, there is not a problem with the authentication mechanisms of BitWarden for users. It currently supports very strong methods of authentication, which protect users from account takeovers. These work very well to accomplish what they set out to do However, some users and organizations would like a way to proactively protect a hosted BitWarden server from pre-authentication attacks on the BitWarden HTTP based application. A successful attack making use of a vulnerability in BitWarden could be disastrous for an organization, due to the nature of the product. While secrets are encrypted on the server, an attacker who compromised the web infrastructure could very easily capture login credentials from users and then... well, you know. There are some other options users and organizations have (VPNs, Firewalls, Layer 7 filters/controls, etc) but none are as simple or elegant as mutually authenticated TLS for solving this problem. Especially in the age of MDM, where many organizations have the ability to push "identity" certificates to managed devices, TLS client authentication becomes something that is available "for free" TLS Client-Certificate Authentication Support - The Benefits
The Use Cases
Suggested ImplementationAssuming this discussion is worth having, here are some thoughts on implementation approaches. I see two ways to do this without making it into an unnecessarily large project, and without impacting existing UX
Effort InvolvedThe second approach is obviously better as it's less work and does not disturb workflow or UX for users that do not require this feature. The amount of development involved seems to me to be relatively small, unless the framework(s) being used are terribly flawed in facilitating this functionality Because I do not know what the APIs provide you with, I can give a quick low-level summary of what happens in the connection when a client certificate is required, in case you are not familiar with the SSL/TLS handshake. This should give you an idea of what you would need from an API
[1] For a "normal" HTTPS server, the Thanks for reading through this, I'm happy to help out any way I can. Especially if that means writing this in shorter form :> |
|
@mzpqnxow I don't doubt that this would be a good idea to add, however, priorities don't align for me to look into this further at the moment. I've added the "help wanted" tag here if someone wants to contribute to the feature. Ideally we'd somehow use a a cert on the device without having to prompt a user to pick it. |
|
Fair enough, thank you. And I agree with that approach. |
|
@agboom , @codingJWilliams any interest/time in picking this up again? Any luck on getting a no-cost dev environment up in Linux so that I might be able to help? |
|
I started to look at the android implementation. Unfortunately, I'm better with SSL in C# than java so I didn't find a way to use device's certificates without prompting the user to choose one. I made some tests with pfx protected certificate, when the api call fails with ssl errors, it asks the user for a certificate. The certificate is then installed on device KeyChain so we can reuse it next time without having to ask the certificate credentials again (screenshots of the flow at the end) You can take a look at the code here : https://github.com/MrLuje/mobile/tree/android-tls-auth https://user-images.githubusercontent.com/632075/71647255-4f29c000-2cf4-11ea-995f-379df82fb8de.png |
|
Hello, Sorry for dropping this, I didn't see the email about this. I think that's all very promising progress, and your implementation does look good @MrLuje , thanks for the hard work on that. From a UX standpoint your implementation looks good as well, essentially just the normal dialog that chrome prompts with. Once I'm back at my desktop tomorrow I'll test your build of that. Thanks for being interested in implementing this guys, best open source contributors <3 |
|
For Android, in order to avoid the cert prompting, you need to specify your own KeyManager to SSLContext. The KeyManager - which could be derived from X509ExtendedKeyManager - needs to have the key pair alias and private key entry (KeyStore.PrivateKeyEntry) set in it, so that the alias can be returned by "chooseClientAlias", and the private key entry can be used for "getPrivateKey" and "getCertificateChain". I can provide a Java sample of the if you are interested. |
|
I really appreciate the time you put into this @MrLuje I see you put clean stubs in for iOS. I'm not experienced at all with Xamarin/.NET so wanted to ask if it is correct to assume that the iOS implementation will need to be mostly/completely different for this? I know Xamarin provides abstraction, but maybe that's less relevant when it comes to crypto features, which I assume aren't quite 1:1 on Android vs iOS |
I'm not experienced enough with iOS to tell (and I have no device to build/test it), I have a rough idea about how to implement the http client part, but I don't know what is possible to do with iOS regarding certificates. That's also why I'm not pushing the android version further (except if we can have feature-discrepancy between iOS & Android) |
|
@MrLuje I see.. thanks. FWIW to those on this issue, I'm willing to offer a small bounty for anyone who will implement the iOS support (and actually get a PR accepted upstream and into the AppStore build) .. maybe $500USD? Any takers? ;) |
|
Hey, |
|
I hereby increase the bounty to... $501USD! |
|
Greetings, I would like to inquire about the status of this issue. Ideally, the (iOS/Android) client would be able to select a client certificate from the system store (or even an in-app option would be fine, really) and present it to the reverse proxy that will be running in front of the Bitwarden server software. I have no expectation for the Bitwarden server software to do anything with it. Is the resolution of this issue on any roadmap or is it stale? Thank you. |
|
hi guys, i aslo need TLS mutual authentication, then i find this topic. fortunately, I am familiar with C#.NET on Windows, but I am not familiar with Xamarin.NET on iOS and Android, but I think they are similar. it is very easy to send http requests with client certificate by HttpClient, i write these code and test it successfully on Windows. using System;
using System.Threading.Tasks;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
namespace HttpClientTest
{
class Program
{
static async Task Main(string[] args)
{
string cert = "D:\\HttpClient\\client.p12"; // client certificate signed by CA
WebRequestHandler handler = new WebRequestHandler();
X509Certificate2 x509Certificate = new X509Certificate2();
x509Certificate.Import(cert, "Passowrd", X509KeyStorageFlags.DefaultKeySet); //password of client.p12
handler.ClientCertificates.Add(x509Certificate);
HttpClient hc = new HttpClient(handler);
string html = await hc.GetStringAsync("https://abc.test.com"); // TLS target site
Console.WriteLine(html);
Console.Read();
}
}
}it runs well on my test:
so, on iOS/Android, the key step is to get the client certificate, then you can send it with HttpClient. one way to get the client certificate in Bitwarden App, i think it could prompt a certificate list window to let user select his certificate(just like chrome/edge browser); the other way to get the client certificate, Bitwarden App could use a simple "while" loop to iterate through the certificates installed on mobile device to get the right one which signed by CA(for example: the "Subject Altname" section in client certificate must equal or contains the domain name of the target site) for the reason i am not familiar with Xamarin on iOS/Android, i hope you guys could continue this work to implement TLS mutual authentication on mobile device, it will be very useful and more and more security. |
|
hi guys, is there any update for this? @kspearrin @vincentsalucci @jlf0dev @eliykat |
|
+1 |
1 similar comment
|
+1 |
|
@kspearrin , I see folks love to tag you on this thread... Is the issue with getting this resolved due to not having a good way to test out client certs? I know nothing about developing on an Android (or mobile in general), but would be happy to help in any way I can. I can side load test versions, I can help create a server that you can use to test out client certs. I just really want to see this working. it works with other platforms. No reason it can't work on Android too. |
|
@MrLuje has solved this problem 3 years ago. His code is working perfectly out of the box. |
|
Hi all, apologies for all the inconveniences caused. The team will make time and pick this up, and get back to you on what we discover. Thanks for the patience! |
|
Definitely looking forward to this. I'm self hosting and would much rather only expose that to the internet only behind mutual tls auth. |
|
Absolutely thrilled about seeing progress here. Thanks in advance to the team and everybody involved! |
Tried to compile with the changes, but it didn't work, the code was changed a lot since than and it can't compile with the add-on of the certificate. |
|
I am craving for this as well. Right now I am forced into Wireguard split tunneling instead |
I never tried his code. I had my own, basically working, for Android then realised the other solution was more elegant as it as was using the native store for the certificates. I started looking at the iOS side but got a new job and whoosh there went my time. When the core team sounded like they were going to pick this up I wasn’t particularly motivated to continue. It does seem to be taking its time to arrive though. 🤔 This is the only missing feature in my want list for this app. |
|
guys, in the meantime don't expose bitwarden to internet and use Wireguard on your computer+Android. Use split tunneling to send only Bitwarden traffic to it. |
|
Any news on this ? |
|
@MrLuje Looking forward to hear from you! :-) 🍺 |
|
any updates on this topic? |
I did it. I have little experience in vb.net but managed somehow to install all the stuff needed and compiled @MrLuje 's code months ago . If you want I can send the compiled APK to you and to others who wish. |
|
Any chance you can create a new pull request for it? This way the devs can review and merge it. |
|
@superuser866 did you cherry picked 7fd95c2?diff=unified on a bitwarden upstream source? In that case can create a pull request for it? I just builded straight from https://github.com/MrLuje/mobile.git There are like 90 warnings but no errors The source is outdated of coarse but for the time being I'm OK with it I just hope @MrLuje or someone else comes with an up to date pull request |
|
i've implemented support of mTLS client authentication based off latest code base. see following short demo below. mtls-bitwarden.mp4 |
|
Great news @oguzhane , can you share it with us? |
|
@oguzhane That looks fantastic, and we'd be happy to review the PR when you submit it. |
|
@oguzhane the app hangs and crashes while picking up the client certificate from the android cert store Also note that there is a generic p12 importing issue in recent android versions for certs created with openssl v3 |
|
@ippocratis thanks for testing this out. To make further investing for installation from system certs. Can i please ask;
if you install a cert in pkcs#12 legacy format to system cert store and then, use it on the app, do you still getting issue? |
Android 13 LineageOS 20 custom rom , rooted
Settings >security>encryption and cedentials>install a certificate
Sorry if I wasn't clear.
It is the second option that is failing Also I forgot to mention that I have to clear app data after that to be able to use the app again Error on logcat !
It is a pkcs 12 bundle
Yes
The "original" pkcs12 cant be saved in the android system store The legacy cert is installed on android certificate store |
|
I'm able to install a certificate to system store and use it from the app. The system was able to decrypt the cert and the app can pick this one up to use. # 1 # 2 # 3 # 4
I think the issue here seem to be either your cert's encryption type not supported or related to LineageOS. Following is commands i use to generate client certificate from ca. it produces pem file. you have to convert to pfx that recognized by Android. |
|
5 years later, with both ad-hoc patches/code and formal PRs submitted by various contributors, and we're back at square one... this is a bummer Trying my best to be constructive, rather than give up:
I can't see any sane user committing time to another PR, only to have it neglected or ultimately withdrawn/closed At the risk of sounding harsh or critical- I have to say that I'm shocked at the strength and persistence of the apathy with regard to this feature I do understand that Bitwarden is, for many, many people, a free (or "budget") solution. As such, I suspect that even if every individual on this GH issue was a paying customer, the revenue would barely amount to more than a few hours of developer/UX time. So on the one hand, the progress here is very easily understandable. Bitwarden is a business, and developer hours are zero sum; I think all reasonable people understand this But at the same time, as a project/product that has dramatically improved the collective security posture of Internet users and organizations, it's disappointing that a feature that provides strong authentication (and, perhaps more important for security-minded organizations- attack surface reduction) has gone nowhere Pardon the unsolicited ranting It would be great to see this start to move again, but I'm not holding my breath I won't spam the issue any further. I felt I had to contribute the last $0.02 I had left on this topic 😊 Finally- thank you to everyone (including those at Bitwarden - I know everyone is doing their best) who helped to move this along over the years. You are appreciated, despite this ending up where it started |
|
They are rewriting both iOS and Android client. Here is the repo for Android. It looks like this issue(bitwarden/android#582) was opened on the new repository but it was closed stating the issue will be moved to this repository. Now I have no idea what the intention is here
This is open since 2019. Can we at least make a decision and let the users move on if it's not going to be supported? |
|
Asking the same questions. This is so weird. And this bitwarden/android#2629 (comment) is weirder |
Hello,
When connecting to a Bitwarden server that's behind an nginx proxy that requires a client cert, the app just crashes when pressing the Log In button. The same server works fine on Firefox, requesting access to my certificate as expected, and when I disable the requirement to have client authentication through my reverse proxy, the app works fine too.
I see this is a known issue based on a few forum posts (https://community.bitwarden.com/t/client-certificates/427, https://community.bitwarden.com/t/mobile-app-cant-access-server-behind-reverse-proxy-with-client-cert-authentification/2071 etc) so thought I'd raise an issue.
The text was updated successfully, but these errors were encountered: