Replies: 62 comments 14 replies
-
I was just about to implement a similar configuration for my setup too. So here's a me too for this feature request.
Beta Was this translation helpful? Give feedback.
-
@shmuelzon I have a similar issue and have reported the bug to Apple. Chrome for MacOS works. Safari for MacOS, as well as any networking in iOS, does not send the client cert over wss://. Sadly I do not believe this is an issue that can be fixed with an app update (but I am hopeful). I think it is purely in Apple's court. @Shirk the issue you are mentioning doesn't relate to client-side certs, just BasicAuth creds.
-
@cmsimike I've also opened a bug at Apple only to have it closed as a duplicate with the original bug still open. A few iOS releases since then without a fix. I did notice in the app that I don't get a popup for choosing a profile even for the 'regular' HTTPS requests, so I was hoping the approach is different in an app than in the Safari browser.
-
Might want to check Open Radar and/or submit it yourself if you can't find it.
-
I doubt this works with the app, but I did manage to get client certificates working with Safari/iOS. I noticed the same thing @cmsimike mentioned above -- client cert details don't seem to get sent with WebSocket requests. Details here. Basically involves setting a short-lived access token in a cookie on browsers that make the initial request with a valid client certificate.
-
I can confirm that iOS websockets don’t pass any form of authentication. It’s not specific to hass.
-
Good to know I'm not crazy :) The blog I linked above doesn't need to add any exceptions. It's basically a nginx lua script that tags browsers with a cookie when they make a request with a valid client certificate. The cookie is valid for a configurable time (enforced with HMAC of client id + timestamp), and is all completely seamless from a user perspective. The page loads in the same way that it would if the browser was sending client cert data for the wss request. I don't know enough about iOS network stuff to know if this would work for the app. If the app sends client cert data along with the initial request, and accepts the cookie set in the response, it should work.
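As an added illustration of the cookie scheme described in the comment above (this is example code written for this page, not the linked nginx lua script and not Home Assistant code): a small Python model of the decision an nginx access phase would make. The nginx variable names `ssl_client_verify` and `ssl_client_s_dn` are real, but the request dict, the cookie layout (`b64(client id).timestamp.hmac`), the secret and the TTL are constructed assumptions for this example.

```python
"""Model of a cookie that bridges mTLS to certificate-less WebSocket requests.

Constructed example for this thread: a browser that presented a valid client
certificate on an ordinary HTTPS request is tagged with a short-lived cookie,
and a later wss:// request that carries no client certificate (as on iOS and
Safari) is admitted if the cookie is authentic and unexpired. The cookie is
bound to the client id and timestamp by an HMAC, so neither can be altered
without the secret. Names, formats and values here are assumptions.
"""
import base64
import hashlib
import hmac

# Constructed secret; in a real deployment this lives in server config.
SECRET = b"example-only-secret-rotate-me"
COOKIE_NAME = "mtls_session"
DEFAULT_TTL = 900  # seconds; the "configurable time" from the thread


def issue_token(client_id: str, now: int, secret: bytes = SECRET) -> str:
    """Return 'b64(client_id).timestamp.hmac' for a client that passed mTLS."""
    ts = str(int(now))
    cid = base64.urlsafe_b64encode(client_id.encode()).decode().rstrip("=")
    mac = hmac.new(secret, f"{cid}.{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{cid}.{ts}.{mac}"


def verify_token(token, now: int, ttl: int = DEFAULT_TTL, secret: bytes = SECRET):
    """Return the client id if the token is authentic and unexpired, else None."""
    try:
        cid, ts, mac = token.split(".")
        issued = int(ts)
    except (ValueError, AttributeError):  # malformed or missing cookie
        return None
    expected = hmac.new(secret, f"{cid}.{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; check the MAC before trusting any field.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    # Reject expired and future-dated tokens.
    if not 0 <= now - issued <= ttl:
        return None
    pad = "=" * (-len(cid) % 4)
    try:
        return base64.urlsafe_b64decode(cid + pad).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def authorize(request: dict, now: int) -> dict:
    """Decide as the nginx access phase would. `request` is a constructed
    stand-in for the variables the script reads:
      ssl_client_verify: 'SUCCESS' when nginx validated a client certificate
      ssl_client_s_dn:   the certificate subject (used as the client id)
      cookies:           dict of request cookies
    Returns {'allow': bool, 'client': str|None, 'set_cookie': str|None}."""
    if request.get("ssl_client_verify") == "SUCCESS" and request.get("ssl_client_s_dn"):
        client = request["ssl_client_s_dn"]
        # Tag the browser so its certificate-less wss:// request can be matched.
        return {"allow": True, "client": client, "set_cookie": issue_token(client, now)}
    client = verify_token(request.get("cookies", {}).get(COOKIE_NAME), now)
    return {"allow": client is not None, "client": client, "set_cookie": None}


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    first = authorize({"ssl_client_verify": "SUCCESS", "ssl_client_s_dn": "CN=phone"}, t0)
    print("initial HTTPS request:", first)
    ws = authorize({"ssl_client_verify": "NONE",
                    "cookies": {COOKIE_NAME: first["set_cookie"]}}, t0 + 5)
    print("wss request with cookie only:", ws)
    print("no cert, no cookie:", authorize({"ssl_client_verify": "NONE"}, t0))
    print("stale cookie:", authorize({"cookies": {COOKIE_NAME: first["set_cookie"]}},
                                     t0 + DEFAULT_TTL + 1))
```

The cookie is a bearer credential for as long as it is valid, which is why the scheme relies on a short TTL; in the real nginx setup it should also be sent with the Secure and HttpOnly attributes so it is never exposed to plain HTTP or page scripts.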
-
@sidoh did you get this lua script / cookie setup working on iOS with the HA page added to the homescreen? This works flawlessly for me when I open HA in Safari, but if I add that same page to the homescreen, I am unable to get past the login screen. It correctly prompts for my certificate, but it sits on the "loading data" spinner indefinitely, with no notable errors in the nginx logs.
-
Yeah, it works for me with a pinned page on the homescreen. I've had to force-refresh a few times. Is nginx seeing the
-
No, nginx doesn't see the request come through at all. I don't have a mac at home that I can tether my device to, otherwise I'd try to capture the safari console.
-
Huh. You're not seeing a request for
-
It's possible - I've done everything short of a factory reset, to no avail. I think I am experiencing home-assistant/core#7123 at this point, which appears unrelated to this issue. I'll take my conversation over there so I don't pollute this one.
-
Link to the osx/webkit bugzilla: https://bugs.webkit.org/show_bug.cgi?id=158345
-
I submitted this as a bug report to Apple but it was closed with no further info as 'duplicate'.
-
@sidoh I can confirm that your nginx lua script works in nginx (v1.4.6) and Safari (iOS 11 and MacOS 10.13) but doesn't work with the HA iOS App (v1.1.1).
-
Given the latest security issue which allowed access to all Home Assistant instances even with Nabu Casa (it is unknown if the bug was used in the last 6 years), it would be a good moment to move forward with this. As the client certificate implementation in iOS seems to be rather complicated compared to Android, maybe a different approach could be taken until client certificates are fully working. How about allowing a custom HTTP header to be defined by the user?
-
Is there any news?
-
Is there any progress? I'm interested as well.
-
+1 mTLS on iOS companion app is my most desired feature!
-
Any progress?
-
One workaround I am using right now is to use Tailscale client on iOS with OnDemand VPN and Tailscale client on the box running Home Assistant. It's not the same but does the job ¯\_(ツ)_/¯
-
@cthulu thanks, but I'm not searching for a workaround, I'm searching for client certificate authentication which works with the Home Assistant iOS app.
-
I know... I have put it here for people who might be fine with this workaround, given that the issue is open for quite a while and it does not seem to be fixable anytime soon.
-
I just enabled mutual TLS on all clients, except the iOS device. Supporting this on iOS would enable us to further strengthen security around HA.
-
+1, this would be great and add an important layer of security. Recently switched from Android where this feature has been in place for a while, was unaware that it didn't exist in the iOS app.
-
#2144 was just closed
-
Both of those sound really good - obviously the HTTP header is less desirable as it is much less secure, but still much better than just having the instance exposed out to the internet! I know that a VPN tunnel is always quoted as the viable alternative to mTLS, but it really isn't that practical to have a VPN tunnel running on all of my family members' devices 24/7 (less reliable, more maintenance, faster phone battery drain). I personally couldn't care less about the Apple Watch functionality, etc. that I would lose and would happily forgo this for the greatly enhanced security. Really hope that the developers will give these options another look! If the only way to have this working without a VPN is just exposing to the internet, I would hesitate to give homeassistant access to anything more than a smart lightbulb, let alone unlocking my front door, etc!
-
In case anyone else finds this thread, pull request #2144 referenced above was rejected by upstream due to concerns about maintenance burden and the availability of existing solutions. See #2144 (comment) and #2144 (comment) for the rationale. The discussion has moved off GitHub to this community forum thread. But I am personally not getting my hopes up: it seems unlikely that this feature will be accepted by the maintainers, even if the community implements it. The best available options are a VPN, a tunnel (e.g. Cloudflare WARP, Tailscale), or Home Assistant Cloud.
-
Too bad... I'm curious how many people we would need to get this in there?
-
My setup has an nginx server reverse-proxying requests to HA using HTTPS and mandating a client side certificate.
Would it be possible for the app to show a list of installed profiles/certificates and use them for SSL challenges?
Sadly, iOS's Safari has a bug where the client side certificate isn't used with websockets and my remote access to HA is unavailable ever since 0.38.