Allow using installed client certificate for authentication

[shmuelzon]

My setup has an nginx server reverse-proxying requests to HA using HTTPS and mandating a client side certificate.
Would it be possible for the app to show a list of installed profiles/certificates and use them for SSL challenges?

Sadly, iOS's Safari has a bug where the client side certificate isn't used with websockets and my remote access to HA is unavailable ever since 0.38.

[adec]

I was just about to implement a similar configuration for my setup too. So here's a me too for this feature request.

[cmsimike]

@shmuelzon I have a similar issue and have reported the bug to apple. Chrome for MacOS works for Safari for MacOS as well as any networking in iOS does not send the client cert over wss://

Sadly I do not believe this is an issue that can be fixed with an app update (but i am hopeful). I think it is purely in Apple's court.

@Shirk the issue you are mentioning doesn't relate to client-side certs, just BasicAuth creds.

[shmuelzon]

@cmsimike I've also opened a bug at Apple only to have it closed as a duplicate with the original bug still open. A few iOS releases since then without a fix.

I did notice in the app that I don't get a popup for choosing a profile even for the 'regular' HTTPS requests so I was hoping the approach is different in an app than in the Safari browser.
As I have zero knowledge in iOS development, I was hoping it would be possible.

[robbiet480]

Might want to check Open Radar and/or submit it yourself if you can't find it.

[sidoh]

I doubt this works with the app, but I did manage to get client certificates working with Safari/iOS. I noticed the same thing @cmsimike mentioned above -- client cert details don't seem to get sent with WebSocket requests. Details here. Basically involves setting a short-lived access token in a cookie on browsers that make the initial request with a valid client certificate.

[HealsCodes]

I can confirm that iOS websockets don’t pass any form of authentication. It’s not specific to hass.
I have client-side certs & http-auth working (the later being requested if the former is not passed) but I still have to add an exception for /api/websocket to not need any of them (api-password only on that location).
There are a few projects ok github that discovered this bug so far :(

[sidoh]

Good to know I'm not crazy :)

The blog I linked above doesn't need to add any exceptions. It's basically a nginx lua script that tags browsers with a cookie when they make a request with a valid client certificate. The cookie is valid for a configurable time (enforced with HMAC of client id + timestamp), and is all completely seamless from a user perspective. The page loads in the same way that it would if the browser was sending client cert data for the wss request.

I don't know enough about iOS network stuff to know if this would work for the app. If the app sends client cert data along with the initial request, and accepts the cookie set in the response, it should work.

[legrego]

@sidoh did you get this lua script / cookie setup working on iOS with the HA page added to the homescreen? This works flawlessly for me when I open HA in Safari, but if I add that same page to the homescreen, I am unable to get past the login screen. It correctly prompts for my certificate, but it sits on the "loading data" spinner indefinitely, with no notable errors in the nginx logs.

[sidoh]

Yeah, it works for me with a pinned page on the homescreen. I've had to force-refresh a few times. Is nginx seeing the /api/websocket request?

[legrego]

No, nginx doesn't see the request come through at all. I don't have a mac at home that I can tether my device to, otherwise I'd try to capture the safari console

[sidoh]

Huh. You're not seeing a request for / either? Is it possible the browser is caching?

[legrego]

It's possible - I've done everything short of a factory reset, to no avail. I think I am experiencing home-assistant/core#7123 at this point, which appears unrelated to this issue. I'll take my conversation over there so I don't pollute this one

[spaced]

link to osx/webkit bugzilla: https://bugs.webkit.org/show_bug.cgi?id=158345
there is also a bounty https://www.bountysource.com/issues/35354552-websocket-does-not-send-client-certificate

[cmsimike]

I submitted this as a bug report to apple but it was close with no further info as 'duplicate'

[gonzalezcalleja]

@sidoh i can confirm that with your nginx lua script works in nginx (v1.4.6) and Safari (iOS 11 and MacOS 10.13) but doesn't work with the HA iOS App (v1.1.1).

[tripplet]

Given the latest security issue with allowed access to all Homeassitant instances even with Nabua Casa (it is unknown if the bug was used in the last 6 years) it would be a good moment to move forward with this.

As the client certificate implementation in iOS seems to be rather complicated compared to android maybe a different approach could be taken until client certificates are fully working.

How about allowing a custom HTTP header to be defined by the user.
As this is always encrypted in HTTPS traffic a reverse proxy can be easily configured to reject any request not containing the header.
The header value could contain a non guessable random value for example or JWT token.
I know that this is not as secure as client authentication but I simply like to have an additional layer in front of the homeassistant authentication and use the app.
Using the web browser this is already possible.

[wrouesnel]

+1 to this or something like it. A simple option would be if we could set a Basic auth header to be sent with all requests from the client app: with server side TLS, and nginx-proxy-manager this provides an easy to provide an additional factor of security - my primary goal is to avoid presenting a big "welcome to how to control my house" to the internet page for people to attack.

Whereas with basic auth (or better: a custom header) - I can have nginx just hard-drop the request if it doesn't see the header with a 444 response (I just recently added support for this to nginx-proxy-manager intending to do exactly this).

[r01k]

Just tested basic auth to my proxy but the app simply shows a 401 and doesn't prompt for the credentials.

[ITTV-tools]

Are there any news ?

[BMWfan]

Is there any progress? I'm as well interested.

[bridge-four]

+1 mTLS on iOS companion app is my most desired feature!

[BMWfan]

Any progress?

[cthulu]

One workaround I am using right now is to use Tailscale client on iOS with OnDemand VPN and Tailscale client on the box running Home Assistant. It's not the same but does the job ¯_(ツ)_/¯

[BMWfan]

@cthulu thanks, but i'm no searching for a workarround i'm searching for a client certificate authentication which works with the home assistant ios app.

[cthulu]

I know... I have put it here for people who might be fine with this workaround, given that the issue is open for quite a while and it does not seem to be fixable anytime soon.

[ghost]

I have been reading all the posts and PR for client cert for iOS.. started in 2017 with discussions and PR, but still not there

currently in my unifi I block all access to the local HA ip for Internet In where it does not originate from cloud flare proxy ip's.. cloud flare tunnel so no firewall port forwarding going on

in cloudflare I have 3 rules..

• must be from within my country (blocks out most trying to access)
• must be HTTPS
• and currently the User-Agent must contain Home Assistant or io.robbie.HomeAssistant etc (so must use HA app and not webpage etc

works.. but secure?? if malicious ppl use a VPN they can set to my country, if they use HTTPS.. then thats 2/3, then if they too use the HA app.. thats 3/3 and then they still have to get around the HA login

what if Sources/Shared/API/HAAPI.swift function for userAgent could include a user defined token that could be used in the cloud flare rules where the User Agent has to contain this user defined token string?

or able to setup CF-Access-Client-ID or CF-Access-Client-Secret

Its not client cert, but does add user defined token string matching

[r01k]

I just enabled mutual TLS on all clients, except the iOS device. Supporting this on iOS would enable us to further strengthen security around HA.

[pedropombeiro]

Hopefully now that there's a dedicated iOS developer on board, we'll have a better chance of seeing this come to fruition 🤞

[BMWfan]

@pedropombeiro do you know, is he already aware of our pain?

[pedropombeiro]

@BMWfan No idea. I just read the announcement from Nabu Casa.

[jsk4]

+1, this would be great and add an important layer of security. Recently switched from Android where this feature has been in place for a while, was unaware that it didn't exist in the iOS app.
Using VPN tunnels feels kind of unreliable and hard to maintain for non tech savvy members of the household where as a certificate could easily be installed one time and "just work".
An ability to add a http header to the requests as someone suggested would be the next best thing.

[DaAwesomeP]

#2144 was just closed

[lriley2020]

+1, this would be great and add an important layer of security. Recently switched from Android where this feature has been in place for a while, was unaware that it didn't exist in the iOS app. Using VPN tunnels feels kind of unreliable and hard to maintain for non tech savvy members of the household where as a certificate could easily be installed one time and "just work". An ability to add a http header to the requests as someone suggested would be the next best thing.

Both of those sound really good - obviously the HTTP header is less desirable as much less secure but still much better than just having the instance exposed out to the internet! I know that VPN tunnel is always quoted as the viable alternative to mTLS, but it really isn't that practical to have a VPN tunnel running on all of my family members devices 24/7 (less reliable, more maintenance, faster phone battery drain). I personally couldn't care less about the Apple Watch functionality, etc. that I would lose and would happily forgo this for the greatly enhanced security.

Really hope that the developers will give these options another look!

If the only way to have this working without a VPN is just exposing to the internet, I would hesitate to give homeassistant access to anything more than a smart lightbulb, let alone unlocking my my front door, etc!

[BMWfan]

Perhaps you add your concerns to the main request: #2144

Beside that. I agree completly with yours.

[lriley2020]

Perhaps you add your concerns to the main request: #2144

Beside that. I agree completly with yours.

Will do!

[mkoval]

In case anyone else finds this thread, pull request #2144 referenced above was rejected by upstream due to concerns maintenance burden and the availability existing solutions. See #2144 (comment) and #2144 (comment) for the rationale.

The discussion has moved off of Github to this community forum thread. But I am personally not getting my hopes up: it seems unlikely that this feature will be accepted by the maintainers, even if the community implements it. The best available options are a VPN, a tunnel (e.g. Cloudflare WARP, Tailscale, etc), or Home Assistant Cloud.

[firstchair]

Too bad... I'm curious how many people we would need to get this in there?