Client-side certificate support


#1

Would it be possible to include support for client-side SSL certificates in a future release of the iOS app? I’d like to lock down access to HASS to only approved devices (especially with regard to access via the Internet) by means of deploying certificates as needed. Configuring Nginx to serve as gatekeeper for this is fairly easy to do, and I was able to get it to work on my iPhone when using Safari, but it seems that the iOS app doesn’t check for installed certs.

Or, if there’s another way to handle access control that is already supported, I’m all ears.

Great app, otherwise!

Jon


#2

+1

I’m planning to do the same … would be great if the app would support it!


#3

Apparently, they can’t allow self-signed SSL certificates due to Apple’s limitations:


#4

Not sure if the comment relates to the server certificate rather than the client/personal certificate. I’m still able to install a client certificate on my phone and use it with Safari for TLS-MA.


#5

I was indeed referring to the client certificate. My server’s cert is signed by a recognized CA and the client cert is self-generated. Safari works flawlessly with this arrangement. I’m hoping that this is a good indicator that the hard work has already been done and that incorporating support for this configuration within the app is just a matter of adding a few lines of code, but I have to admit that I’m saying this as a non-programmer so it’s just a guess.


#6

+1 - would be great and make me sleep better at night!


#7

According to this it should work?

http://blog.christophermullins.com/2017/04/30/securing-homeassistant-with-client-certificates/#comment-1960

Is the iOS app using a WebView? If so it might perhaps share client certs with Safari. Or that the workaround using the Lua script in the linked blog leaves any Safari-based WebView to access HA during the one-hour window?


#8

Thanks to the previous efforts of others (Christopher Mullins, and more) and a lot of my own work, I was just able to fully support client certificate authentication for Home Assistant using Nginx. It works in Safari (macOS & iOS) and Chrome (macOS & iOS) and also the iOS app after I cloned the source from GitHub and compiled my own version that included my client certificate and a small amount of extra code to send it when the server sends the client certificate challenge. I plan to clean things up some more and write a guide.
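
A minimal Nginx gatekeeper of the kind discussed in this thread (server certificate from a recognized CA, device certificates issued privately), added here as an example and not taken from any poster's configuration. The hostname and file paths are placeholders, and the backend address assumes Home Assistant listening on its default port 8123 on the same host.

```nginx
# Added example: Nginx requiring a client certificate before proxying
# to Home Assistant. Hostname and all file paths are placeholders.
server {
    listen 443 ssl;
    server_name hass.example.org;                      # placeholder

    # Server certificate, signed by a publicly trusted CA
    ssl_certificate     /etc/nginx/tls/server-fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/server-key.pem;

    # Private CA that issued the device certificates
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;

    # "on" rejects the request when no valid client certificate is
    # presented. "optional" only requests one; if it is used, every
    # location must check $ssl_client_verify itself, otherwise
    # clients without a certificate are proxied through.
    ssl_verify_client on;
    ssl_verify_depth  1;

    # Revocation list for lost or retired devices (uncomment once
    # the CA publishes a CRL)
    # ssl_crl /etc/nginx/tls/client-ca.crl;

    location / {
        proxy_pass http://127.0.0.1:8123;              # assumed backend
        proxy_http_version 1.1;
        proxy_set_header Host $host;

        # The Home Assistant frontend uses WebSockets
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

With this in place, a client that presents no certificate, or one not issued by the configured CA, gets an error response from Nginx and the request never reaches Home Assistant.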


#9

Really keen to see your writeup! I have recently implemented client certificates, and it’s a shame that it leaves the iOS app useless…