
[OT] To enforce client certificate auth, the client must support and must be configured to use client certificate auth (was: is mTLS directly dependent to per-app support?)

Added by dab123 2 months ago

I use the ssl.verifyclient.enforce = "enable" setting within lighttpd when serving content. As far as I follow, this enforces a client certificate to be sent from the client to the server, making the connection secure even on the Internet. I've noticed that some apps (Android/iOS) are not working when this setting is enabled, even when the relevant certificates have been installed. Let me give you a bit of an overview and post a question at the end.

What I'm trying to do is to use one of my latest iPhone devices to connect Calendar with a CalDAV (Radicale V3) account. Here is my spec:

Server: 192.168.1.175 (local ip)
user name: user2
password: <password>
advanced settings: Use SSL (Yes) / port: 5232 / account URL: https://192.168.1.175:5232/user2

Now this setting works great when ssl.verifyclient.enforce = "disabled" is set. However, the moment I set it to "enable", it stops. I checked the lighttpd logs and this is the line that appears when enforcing is enabled:

2024-09-15 22:36:42: (mod_openssl.c.3275) SSL: 1 error:0A0000C7:SSL routines::peer did not return a certificate (192.168.1.176)

So, when enforcing is enabled, I am unable to connect to the CalDAV account using the iPhone's main account/calendar settings, but when I access it using the Safari web browser, Radicale works! This is not me messing up my settings? Is it just due to the iPhone's calendar account client not supporting use of the client certs that were installed on the device?
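The log line quoted above is the server's record of a handshake in which the peer sent no certificate, and it names the client address, so the quickest server-side check is to group such mod_openssl errors by client IP and reason: if only the address of the phone appears with "peer did not return a certificate" while other clients from the same network connect cleanly, the server is enforcing correctly and the failing client simply is not presenting a certificate. The script below is an added example written for this thread, not part of the original post or of lighttpd; the log lines are constructed here in the format of the one quoted above (only the first is from the post), and the OpenSSL reason strings other than that one are assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of lighttpd's error log. The first line is the one quoted in
# the post; the remaining mod_openssl lines and the server.c line are made up here
# to show a second client and a non-TLS line that the parser must skip.
SAMPLE_LOG = """\
2024-09-15 22:36:42: (mod_openssl.c.3275) SSL: 1 error:0A0000C7:SSL routines::peer did not return a certificate (192.168.1.176)
2024-09-15 22:36:44: (mod_openssl.c.3275) SSL: 1 error:0A0000C7:SSL routines::peer did not return a certificate (192.168.1.176)
2024-09-15 22:37:01: (mod_openssl.c.3275) SSL: 1 error:0A000418:SSL routines::tlsv1 alert unknown ca (192.168.1.190)
2024-09-15 22:37:05: (mod_openssl.c.3275) SSL: 1 error:0A0000C7:SSL routines::peer did not return a certificate (192.168.1.176)
2024-09-15 22:38:10: (server.c.1234) server started (lighttpd/1.4.x)
"""

# Shape of a mod_openssl handshake error line:
#   <timestamp>: (mod_openssl.c.<line>) SSL: <n> error:<code>:<lib>::<reason> (<client ip>)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"\((?P<src>mod_openssl\.c\.\d+)\) SSL: \d+ "
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*)::(?P<reason>.*?) "
    r"\((?P<ip>[0-9a-fA-F.:]+)\)$"
)

# Operator-facing hints for the reasons that matter when enforcing client certs.
# Descriptions are this example's own wording, not lighttpd or OpenSSL text.
HINTS = {
    "peer did not return a certificate":
        "client completed the handshake without a client certificate: "
        "client app/OS is not configured to present one (client-side issue)",
    "tlsv1 alert unknown ca":
        "one side rejected the other's certificate chain as untrusted "
        "(check the CA installed on the client and ssl.ca-file on the server)",
}


def parse_line(line):
    """Return the fields of one mod_openssl error line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Count TLS handshake failure reasons per client address."""
    by_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a mod_openssl error line (startup messages, etc.)
        by_ip[rec["ip"]][rec["reason"]] += 1
    return {ip: dict(counts) for ip, counts in by_ip.items()}


def report(log_text):
    """Human-readable summary with a hint for each known reason."""
    lines = []
    for ip, counts in sorted(summarize(log_text).items()):
        for reason, n in sorted(counts.items()):
            hint = HINTS.get(reason, "see OpenSSL error code for details")
            lines.append(f"{ip}: {n}x '{reason}' -> {hint}")
    return lines


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        print(entry)
```

Run against the real error log, the report isolates which client addresses never present a certificate; in the setup described in the post, the phone's address showing only "peer did not return a certificate" while Safari sessions produce no such line is exactly the pattern that points at the client application rather than at ssl.verifyclient.enforce.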


Replies (3)

RE: is mTLS directly dependent to per-app support? - Added by gstrauss 2 months ago

The title of your post is poorly worded. Does a given client have to support and be configured to use client certificates? => Yes.

As you noted it works in Safari on the client, but for some unknown reason, not for iPhone Calendar on the client.

This is not a server-side issue.

Please note that this forum is for the lighttpd server, and not for any Apple product such as the iPhone.

RE: [OT] To enforce client certificate auth, the client must support and must be configured to use client certificate auth (was: is mTLS directly dependent to per-app support?) - Added by gstrauss 2 months ago

This is not me messing up my settings?

The problem is most likely you not properly configuring your client applications and/or the client OS certificate store. Some client OS centralize the certificate store. Some client apps maintain their own certificate store separate from the OS, and may or may not use the OS certificate store, too. "Does my iPhone ...?" is off-topic for this forum.
