Connecting to a server with TLS Client Authentication crashes app #808

Closed
opened 2025-11-26 22:30:26 -06:00 by GiteaMirror · 68 comments

Originally created by @codingJWilliams on GitHub (Aug 21, 2019).

Hello,

When connecting to a Bitwarden server that's behind an nginx proxy that requires a client cert, the app just crashes when pressing the Log In button. The same server works fine on Firefox, requesting access to my certificate as expected, and when I disable the requirement to have client authentication through my reverse proxy, the app works fine too.
I see this is a known issue based on a few forum posts (https://community.bitwarden.com/t/client-certificates/427, https://community.bitwarden.com/t/mobile-app-cant-access-server-behind-reverse-proxy-with-client-cert-authentification/2071 etc) so thought I'd raise an issue.

GiteaMirror added the help wanted label 2025-11-26 22:30:26 -06:00

@agboom commented on GitHub (Aug 27, 2019):

Hi, I have the same use case and a similar experience to yours, @codingJWilliams. It would be a nice addition to the mobile app to support TLS client authentication. The added security would be beneficial for on-premise deployments.

Perhaps we can join forces and come up with an implementation that could be merged into mainline?

@kspearrin Could you give your opinion on this and maybe some pointers on where to start?


@kspearrin commented on GitHub (Aug 27, 2019):

All server communication happens with httpclient here: https://github.com/bitwarden/mobile/blob/master/src/Core/Services/ApiService.cs

I am not sure what is needed to support client certificates.


@agboom commented on GitHub (Aug 27, 2019):

Thanks for your quick answer and the pointer. I'll have a stab at it, but first I'll need to set up a C# dev environment on Linux. I'm quite new to C# development, so if anyone has any experience to share, I'd be much obliged. My first bet is Rider from Jetbrains, let's hope this works 🤞.


@kspearrin commented on GitHub (Aug 27, 2019):

Unfortunately, there is no Xamarin support on Linux that I know of.


@agboom commented on GitHub (Aug 27, 2019):

It seems to be one of the advertised features of Rider: https://www.jetbrains.com/rider/features/

I'll let you know if it works out.


@codingJWilliams commented on GitHub (Aug 27, 2019):

Hello,

Thank you for the very kind offer @agboom but I'm rather hopeless at C#!
I did some basic research and this does seem to be possible with the System.Net.HttpClient but I wouldn't know where to start with implementing this - if you need any help testing or similar, however, please let me know.

I will take a shot; however, this does seem to be outside of my comfort zone.


@agboom commented on GitHub (Aug 28, 2019):

Thanks @codingJWilliams I'll give a shout if there's something to test or otherwise.

My main challenge right now is to get the dev environment working on Linux, which is new to me for C#. The Jetbrains Rider IDE requires a paid license, which is a bummer, because it's currently my only chance of Xamarin development on Linux AFAIK. Jetbrains does offer free licenses to open source project contributors, so maybe there's hope, @kspearrin?


@codingJWilliams commented on GitHub (Aug 28, 2019):

Hello,

I've been able to make some progress on this. It's rather crude and doesn't use the system certificate selection dialog, but I have at least been able to get the app to connect. Inside ApiService.cs I have modified the HttpClient definition to the following:

```csharp
// Client-certificate hack in ApiService.cs: the default HttpClient is replaced by one built on
// the modernhttpclient-updated package's NativeMessageHandler, which takes a TLSConfig.
private readonly HttpClient _httpClient = new HttpClient(new NativeMessageHandler(false, new TLSConfig()
{
    // Identity presented when the server sends a Certificate Request (read from a PFX file,
    // in the format the package documents; the values below are placeholders).
    ClientCertificate = new ClientCertificate()
    {
        RawData = "<As described at https://libraries.io/nuget/modernhttpclient-NETStandard>",
        Passphrase = "<PFX file passphrase>"
    },
    // Public-key pinning for the author's hosts, tried and then commented out.
    /*Pins = new List<Pin>()
    {
        new Pin()
        {
            Hostname = "bw.voidcrafted.me",
            PublicKeys = new [] {
                "sha256/tC9oxQJEQexqxPRcCSpjAErD1iu96/eeFxssJqiqp/A="
            }
        },
        new Pin()
        {
            Hostname = "*.voidcrafted.me",
            PublicKeys = new [] {
                "sha256/tC9oxQJEQexqxPRcCSpjAErD1iu96/eeFxssJqiqp/A="
            }
        }
    },*/
    // Accepts any server certificate, so the server is no longer verified (see the note below).
    DangerousAcceptAnyServerCertificateValidator = true,
}));
```

Then, I added the `modernhttpclient-updated` NuGet package and built the app, which was then able to connect to my server.

One thing I would note is that I'm not quite sure of the implications of `DangerousAcceptAnyServerCertificateValidator = true`; however, without this I could not get the HttpClient to accept my server's certificate, even when explicitly adding the certificate as described by https://libraries.io/nuget/modernhttpclient-updated. Will make an issue on their end to look into this; could be because I use a wildcard `*.voidcrafted.me` SSL certificate.

It's hacky, but works, so possibly a good starting point. I would ideally like this to be able to use certificates installed on the system rather than needing access to the pfx file though.


@agboom commented on GitHub (Aug 29, 2019):

Thanks for picking this up @codingJWilliams, I've been out of luck with Xamarin on Linux. Although I could start a trial period with Jetbrains Rider, the Xamarin SDK did not work out of the box and requires some packages that failed to install on my system.

Great that you got it working! My guess for the implications of `DangerousAcceptAnyServerCertificateValidator` is that the client possibly accepts certs from any certificate authority, similar to where you would add an exception for an unknown cert in Firefox or Chrome, except in this case all certs are accepted. If that's the case the `Dangerous` prefix is appropriate, since it defeats the purpose of having TLS.

If the HttpClient indeed does accept your server certificate that could be a bug. Just thinking out loud here: did you try to add the CA cert?

Not sure how the system certificates could be used, but I agree that it is the desired functionality.


@mzpqnxow commented on GitHub (Oct 12, 2019):

Is there any development continuing on this? This is something I am very interested in.

Unfortunately, I am also not at all a C# developer nor have I done *any* mobile platform development before, so I don't think I would be very helpful either, unless someone can point me towards how to set up a Linux development environment.

I can't imagine the code would be that complicated; it seems the UI portion would be more work than the logic. The way I would expect the UI to work would be to have an option/dialog for "Identity" where installed client certificates could be selected from, much in the way that iPhone EAP-TLS functions.

I can try to get a simple environment up that will allow me to at least write a bare bones "tls_connect" function with an optional client certificate, but I would have to pass that off to someone familiar with the UI portion, and familiar with the iOS/Android APIs for selecting the certificates from the device.

EDIT: https://thomasbandt.com/certificate-and-public-key-pinning-with-xamarin seems to be a useful resource


@mzpqnxow commented on GitHub (Oct 12, 2019):

@codingJWilliams I agree that using an "installed" system certificate would be ideal, but I would be happy with the .pfx/.p12 as a start (and I think that's a reasonable way to implement it, so long as it doesn't get in the way of the UI options most commonly used)


@mzpqnxow commented on GitHub (Oct 20, 2019):

@kspearrin is TLS client certificate authentication something you are willing to support? This would be great for hosted instances

EDIT: Currently TLS client certificate auth works fine with BitWarden via web browser. It is just the iOS application I am talking about here!

I'm sorry to hijack the thread here, but I tried to organize some thoughts about it, hoping you would be willing to listen and consider. If you prefer this in a separate issue, or communication via another medium, please let me know!

### The Problem

First, there is _not_ a problem with the authentication mechanisms of BitWarden for users. It currently supports very strong methods of authentication, which protect users from account takeovers. These work very well to accomplish what they set out to do.

However, some users and organizations would like a way to proactively protect a hosted BitWarden server from pre-authentication attacks on the BitWarden HTTP based application. A successful attack making use of a vulnerability in BitWarden could be disastrous for an organization, due to the nature of the product. While secrets are encrypted on the server, an attacker who compromised the web infrastructure could very easily capture login credentials from users and then... well, you know.

There are some other options users and organizations have (VPNs, firewalls, Layer 7 filters/controls, etc.) but none are as simple or elegant as mutually authenticated TLS for solving this problem. Especially in the age of MDM, where many organizations have the ability to push "identity" certificates to managed devices, TLS client authentication becomes something that is available "for free".

### TLS Client-Certificate Authentication Support - The Benefits

  1. Protects the entire HTTP-based BitWarden app (API and Web Application) from "anonymous" network attacks, exposing only the first few TLS protocol messages to an attacker without a valid certificate
  2. As an added benefit, provides enterprises using MDM solutions a seamless way to have assurance that only approved, managed devices are being used to access corporate secrets

### The Use Cases

  1. Users would like to proactively protect their BitWarden servers from unknown vulnerabilities in the application (self-hosted users)
  2. Organizations would like to control access to BitWarden by using MDM software, which handles installation of client/identity certificates (enterprise users)

### Suggested Implementation

Assuming this discussion is worth having, here are some thoughts on implementation approaches. I see two ways to do this without making it into an unnecessarily large project, and without impacting existing UX.

  1. (More effort) When the user sets up the address of a hosted server in the app, the app provides them a list of client certificates available on the device for the user to select to use as an identity when establishing a connection
  2. (Less effort) Prompt the user on first connect to select a client certificate present on the device only if the TLS handshake indicates that one is required. This is the behavior of Google Chrome and implementing it in this way ensures no UX is impacted

### Effort Involved

The second approach is obviously better as it's less work and does not disturb workflow or UX for users that do not require this feature. The amount of development involved seems to me to be relatively small, unless the framework(s) being used are terribly flawed in facilitating this functionality.

Because I do not know what the APIs provide you with, I can give a quick low-level summary of what happens in the connection when a client certificate is required, in case you are not familiar with the SSL/TLS handshake. This should give you an idea of what you would need from an API.

  1. App connects to Server, sends `TLS Client Hello`
  2. Server returns `Server Hello`, `Certificate`, `Server Key Exchange` **and** `Certificate Request` [1]
  3. If App does not have a client certificate prepared, the call either fails with a specific return code indicating that a certificate is required or fires a callback in real-time to retrieve a suitable certificate
  4. After acquiring a certificate (dynamically, or after closing the initial connection) the session is completed by providing a `Certificate` response to the `Certificate Request` from the server

[1] For a "normal" HTTPS server, the `Certificate Request` message would only flow from client to server. This is what allows the API to know it needs to present a certificate during the handshake.

Thanks for reading through this, I'm happy to help out any way I can. Especially if that means writing this in shorter form :>


@kspearrin commented on GitHub (Oct 20, 2019):

@mzpqnxow I don't doubt that this would be a good idea to add, however, priorities don't align for me to look into this further at the moment. I've added the "help wanted" tag here if someone wants to contribute to the feature. Ideally we'd somehow use a cert on the device without having to prompt a user to pick it.


@mzpqnxow commented on GitHub (Oct 21, 2019):

Fair enough, thank you. And I agree with that approach.


@mzpqnxow commented on GitHub (Oct 21, 2019):

@agboom, @codingJWilliams any interest/time in picking this up again? Any luck on getting a no-cost dev environment up in Linux so that I might be able to help?


@MrLuje commented on GitHub (Jan 1, 2020):

I started to look at the Android implementation. Unfortunately, I'm better with SSL in C# than Java, so I didn't find a way to use the device's certificates without prompting the user to choose one.

I made some tests with a pfx-protected certificate: when the API call fails with SSL errors, it asks the user for a certificate. The certificate is then installed in the device [KeyChain](https://developer.android.com/reference/android/security/KeyChain) so we can reuse it next time without having to ask for the certificate credentials again (screenshots of the flow at the end).

You can take a look at the code here : https://github.com/MrLuje/mobile/tree/android-tls-auth

https://user-images.githubusercontent.com/632075/71647255-4f29c000-2cf4-11ea-995f-379df82fb8de.png
https://user-images.githubusercontent.com/632075/71647256-5650ce00-2cf4-11ea-82bc-ddbfc00001a7.png
https://user-images.githubusercontent.com/632075/71647258-5650ce00-2cf4-11ea-91b2-9d659c8e9f5f.png
https://user-images.githubusercontent.com/632075/71647259-56e96480-2cf4-11ea-9aac-504928c7b629.png


@codingJWilliams commented on GitHub (Jan 2, 2020):

Hello,

Sorry for dropping this, I didn't see the email about this. I think that's all very promising progress, and your implementation does look good @MrLuje, thanks for the hard work on that. From a UX standpoint your implementation looks good as well, essentially just the normal dialog that Chrome prompts with. Once I'm back at my desktop tomorrow I'll test your build of that.

Thanks for being interested in implementing this guys, best open source contributors <3


@daveKCS commented on GitHub (Jan 9, 2020):

For Android, in order to avoid the cert prompting, you need to specify your own KeyManager to SSLContext. The KeyManager, which could be derived from X509ExtendedKeyManager, needs to have the key pair alias and private key entry (KeyStore.PrivateKeyEntry) set in it, so that the alias can be returned by "chooseClientAlias", and the private key entry can be used for "getPrivateKey" and "getCertificateChain". I can provide a Java sample of this if you are interested.

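The handshake @mzpqnxow summarised earlier (the server's Certificate Request arrives and the client either fails or fires a callback to fetch a suitable certificate) and the KeyManager approach @daveKCS describes (a callback that picks the key pair by alias so the user is never prompted) can be exercised end to end in one program. The following is an added example written for this issue, not code from the Bitwarden mobile app or from either commenter. It uses Go's crypto/tls because it can mint a throwaway CA, server and client certificate in-process and run both ends of the handshake offline; the CA name, the server name `localhost`, the client CN `client-device-01` and the loopback port are all constructed for the example. The client's `GetClientCertificate` callback plays the part of `chooseClientAlias`: it reads the acceptable CAs the server listed in its Certificate Request and returns the matching identity with no UI involved. The client also verifies the server against a CA pool, the opposite of the `DangerousAcceptAnyServerCertificateValidator` shortcut discussed above.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // unwrap-or-panic for the constructed fixture PKI only
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert builds a throwaway ECDSA certificate: self-signed when isCA, otherwise signed by parent.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	} else {
		tmpl.DNSNames = []string{cn}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// mtlsRoundTrip runs a server that requires and verifies a client certificate (the nginx
// setup from the issue), connects to it and returns the client CN the server verified.
// withClientCert=false is the reported situation: a handshake error, not a crash.
func mtlsRoundTrip(withClientCert bool) (string, error) {
	caCert, caKey := issueCert("Example CA", true, nil, nil)
	serverCert, serverKey := issueCert("localhost", false, caCert, caKey)
	clientCert, clientKey := issueCert("client-device-01", false, caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // server now sends a Certificate Request
		ClientCAs:    pool,
	}))
	defer ln.Close()
	go func() {
		c := must(ln.Accept())
		defer c.Close()
		if tc := c.(*tls.Conn); tc.Handshake() == nil { // failed handshake: alert sent, nothing served
			fmt.Fprint(c, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
		}
	}()
	// Client side: verify the server against the CA pool instead of accepting any certificate.
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if withClientCert {
		identity := tls.Certificate{Certificate: [][]byte{clientCert.Raw}, PrivateKey: clientKey}
		// Fired when the Certificate Request arrives (step 3 of the handshake summary); like a
		// KeyManager's chooseClientAlias it picks the identity whose issuer the server accepts.
		cfg.GetClientCertificate = func(req *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			for _, issuer := range req.AcceptableCAs {
				if bytes.Equal(issuer, caCert.RawSubject) {
					return &identity, nil
				}
			}
			return &tls.Certificate{}, nil // no suitable identity: send an empty Certificate
		}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, 128)
	n, err := conn.Read(buf) // under TLS 1.3 a rejected client cert is reported on this read
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

func main() {
	fmt.Println(mtlsRoundTrip(true))
	fmt.Println(mtlsRoundTrip(false))
}
```

Running it prints the verified client CN for the mTLS case and a handshake error for the no-certificate case. The function deliberately reads from the connection before reporting success: with TLS 1.3 (Go's default) the client's side of the handshake completes as soon as it has sent its Finished message, so a server that rejects the missing certificate can only be seen on the first read, which is the same reason a mobile app that treats "handshake returned" as "logged in" can be surprised by the error one step later.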

@mzpqnxow commented on GitHub (Feb 1, 2020):

I really appreciate the time you put into this @MrLuje

I see you put clean stubs in for iOS. I'm not experienced at all with Xamarin/.NET so wanted to ask if it is correct to assume that the iOS implementation will need to be mostly/completely different for this? I know Xamarin provides abstraction, but maybe that's less relevant when it comes to crypto features, which I assume aren't quite 1:1 on Android vs iOS


@MrLuje commented on GitHub (Feb 3, 2020):

> I see you put clean stubs in for iOS. I'm not experienced at all with Xamarin/.NET so wanted to ask if it is correct to assume that the iOS implementation will need to be mostly/completely different for this?

I'm not experienced enough with iOS to tell (and I have no device to build/test it). I have a rough idea about how to implement the HTTP client part, but I don't know what is possible to do with iOS regarding certificates. That's also why I'm not pushing the Android version further (except if we can have feature discrepancy between iOS & Android).


@mzpqnxow commented on GitHub (Feb 26, 2020):

@MrLuje I see.. thanks.

FWIW to those on this issue, I'm willing to offer a small bounty for anyone who will implement the iOS support (and actually get a PR accepted upstream and into the AppStore build) .. maybe $500USD? Any takers? ;)


@mKamleiter commented on GitHub (Sep 21, 2020):

Hey,
just want to give this a push.
Would be a very nice feature for Android and iOS


@mzpqnxow commented on GitHub (Sep 25, 2020):

I hereby increase the bounty to... $501USD!


@rnowak commented on GitHub (Feb 26, 2021):

Greetings,

I would like to inquire about the status of this issue. Ideally, the (iOS/Android) client would be able to select a client certificate from the system store (or even an in-app option would be fine, really) and present it to the reverse proxy that will be running in front of the Bitwarden server software. I have no expectation for the Bitwarden server software to do anything with it.

Is the resolution of this issue on any roadmap or is it stale?

Thank you.


@foxfire881 commented on GitHub (Jan 29, 2022):

Hi guys, I also need TLS mutual authentication, which is how I found this topic.

Fortunately, I am familiar with C#.NET on Windows, but I am not familiar with Xamarin.NET on iOS and Android; I think they are similar, though.

It is very easy to send HTTP requests with a client certificate via HttpClient. I wrote this code and tested it successfully on Windows:

```csharp
using System;
using System.Threading.Tasks;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;

namespace HttpClientTest
{
    class Program
    {
        static async Task Main(string[] args)
        {
            string cert = "D:\\HttpClient\\client.p12";    // client certificate (with private key) signed by the CA

            // WebRequestHandler lives in System.Net.Http.WebRequest on .NET Framework;
            // on .NET Core and later HttpClientHandler exposes the same ClientCertificates collection.
            WebRequestHandler handler = new WebRequestHandler();
            X509Certificate2 x509Certificate = new X509Certificate2();
            x509Certificate.Import(cert, "Password", X509KeyStorageFlags.DefaultKeySet);   // password of client.p12
            handler.ClientCertificates.Add(x509Certificate);   // presented when the server asks for a client cert

            HttpClient hc = new HttpClient(handler);
            string html = await hc.GetStringAsync("https://abc.test.com");    // TLS target site
            Console.WriteLine(html);
            Console.Read();
        }
    }
}
```

it runs well on my test:

  • without the client certificate, it returns "HTTP 400 Bad Request" (the same in browser without client certificate).
  • with the client certificate, it returns the right html from target site.

So, on iOS/Android, the key step is to get the client certificate; then you can send it with HttpClient.

One way to get the client certificate in the Bitwarden app: I think it could prompt a certificate list window to let the user select their certificate (just like the Chrome/Edge browsers).

The other way to get the client certificate: the Bitwarden app could use a simple "while" loop to iterate through the certificates installed on the mobile device to get the right one, which is signed by the CA (for example, the "Subject Altname" section of the client certificate must equal or contain the domain name of the target site).

Since I am not familiar with Xamarin on iOS/Android, I hope you guys can continue this work to implement TLS mutual authentication on mobile devices; it will be very useful and much more secure.

@kspearrin


@foxfire881 commented on GitHub (Feb 10, 2022):

hi guys, is there any update for this? @kspearrin @vincentsalucci @jlf0dev @eliykat


@jiin995 commented on GitHub (Jun 28, 2022):

+1


@TheAlaine commented on GitHub (Jul 19, 2022):

+1


@scottsavarese commented on GitHub (Sep 22, 2022):

@kspearrin , I see folks love to tag you on this thread...

Is the issue with getting this resolved due to not having a good way to test out client certs? I know nothing about developing on Android (or mobile in general), but would be happy to help in any way I can. I can side-load test versions, I can help create a server that you can use to test out client certs. I just really want to see this working. It works with other platforms. No reason it can't work on Android too.


@superuser866 commented on GitHub (Nov 24, 2022):

@MrLuje has solved this problem 3 years ago. His code is working perfectly out of the box.
Why does the Bitwarden team ignore such an important implementation in these times where security is more important than ever??


@dbosompem commented on GitHub (Nov 25, 2022):

Hi all, apologies for all the inconveniences caused. The team will make time and pick this up, and get back to you on what we discover. Thanks for the patience!


@montdidier commented on GitHub (Nov 26, 2022):

> @MrLuje has solved this problem 3 years ago. His code is working perfectly out of the box.

Do you know where his implementation is now? The link he provides goes to 404?

**Update**. Never mind, it looks like it is [here](https://github.com/bitwarden/mobile/commit/7fd95c21ab108dba19c5dda14811db5c4fceee25)


@Pythoner6 commented on GitHub (Dec 23, 2022):

Definitely looking forward to this. I'm self hosting and would much rather only expose that to the internet behind mutual TLS auth.


@lpcvoid commented on GitHub (Dec 27, 2022):

Absolutely thrilled about seeing progress here. Thanks in advance to the team and everybody involved!


@leranp commented on GitHub (Jan 1, 2023):

> > @MrLuje has solved this problem 3 years ago. His code is working perfectly out of the box.
>
> Do know where his implementation is now? The link he provides goes to 404?
>
> **Update**. Never mind, it looks like it is [here](https://github.com/bitwarden/mobile/commit/7fd95c21ab108dba19c5dda14811db5c4fceee25)

Tried to compile with the changes, but it didn't work; the code was changed a lot since then and it can't compile with the add-on of the certificate.
Did someone manage to do it?


@cpainchaud commented on GitHub (Feb 3, 2023):

I am craving for this as well. Right now I am forced into Wireguard split tunneling instead


@montdidier commented on GitHub (Feb 15, 2023):

> Tried to compile with the changes, but it didn't work, the code was changed a lot since then and it can't compile with the add-on of the certificate. Did someone manage to do it?

I never tried his code. I had my own, basically working, for Android, then realised the other solution was more elegant as it was using the native store for the certificates. I started looking at the iOS side but got a new job and whoosh there went my time. When the core team sounded like they were going to pick this up I wasn't particularly motivated to continue. It does seem to be taking its time to arrive though. 🤔

This is the only missing feature in my want list for this app.


@cpainchaud commented on GitHub (Feb 15, 2023):

guys, in the meantime don't expose bitwarden to internet and use Wireguard on your computer+Android. Use split tunneling to send only Bitwarden traffic to it.


@ITTV-tools commented on GitHub (Mar 22, 2023):

Any news on this ?


@mpbw2 commented on GitHub (Mar 22, 2023):

Hello all, the work done by @MrLuje looks promising. @MrLuje would you be willing/able to bring your PR up to date so you get credit for the work?


@volmus commented on GitHub (Apr 8, 2023):

@MrLuje Looking forward to hear from you! :-) 🍺


@dayt47 commented on GitHub (Jun 6, 2023):

any updates on this topic?


@superuser866 commented on GitHub (Jun 7, 2023):

> > > @MrLuje has solved this problem 3 years ago. His code is working perfectly out of the box.
> >
> > Do know where his implementation is now? The link he provides goes to 404?
> > **Update**. Never mind, it looks like it is [here](https://github.com/bitwarden/mobile/commit/7fd95c21ab108dba19c5dda14811db5c4fceee25)
>
> Tried to compile with the changes, but it didn't work, the code was changed a lot since then and it can't compile with the add-on of the certificate. Did someone manage to do it?

I did it. I have little experience in vb.net but managed somehow to install all the stuff needed and compiled @MrLuje's code months ago.
It may be an old client version but it works flawlessly.

If you want I can send the compiled APK to you and to others who wish.


@scottsavarese commented on GitHub (Jun 7, 2023):

Any chance you can create a new pull request for it? This way the devs can review and merge it.


@ippocratis commented on GitHub (Jun 16, 2023):

@superuser866 did you cherry-pick [7fd95c21ab](https://github.com/bitwarden/mobile/commit/7fd95c21ab108dba19c5dda14811db5c4fceee25?diff=unified) onto a bitwarden upstream source?

In that case can you create a pull request for it?

I just built straight from https://github.com/MrLuje/mobile.git

There are like 90 warnings but no errors

The source is outdated of course but for the time being I'm OK with it

I just hope @MrLuje or someone else comes with an up to date pull request


@oguzhane commented on GitHub (Jul 19, 2023):

I've implemented support for mTLS client authentication based off the latest code base. See the short demo below.
Happy to raise a PR for that.. @kspearrin @mpbw2

https://github.com/bitwarden/mobile/assets/4419532/90b4b89e-fbc3-4114-8ab2-72c447223feb


@leranp commented on GitHub (Jul 19, 2023):

Great news @oguzhane , can you share it with us?


@mpbw2 commented on GitHub (Jul 19, 2023):

@oguzhane That looks fantastic, and we'd be happy to review the PR when you submit it.


@ippocratis commented on GitHub (Jul 20, 2023):

@oguzhane the app hangs and crashes while picking up the client certificate from the Android cert store.
If the file manager is used then it can import the cert correctly.

Also note that there is a generic p12 importing issue in recent Android versions for certs created with OpenSSL v3.
I had to convert it to "legacy" so I could import it.


@oguzhane commented on GitHub (Jul 20, 2023):

@ippocratis thanks for testing this out.

To investigate the installation from system certs further, can I please ask:

  1. Android version
  2. How was the cert you picked from system certs installed there? The changes don't support installing a cert into the system cert store, but they do support using installed ones
  3. The cert format in the system cert store? The certificate you select from the system certs should have been installed with the private key

If you install a cert in PKCS#12 legacy format into the system cert store and then use it in the app, do you still get the issue?


@ippocratis commented on GitHub (Jul 20, 2023):

> 1) Android version

Android 13 LineageOS 20 custom ROM, rooted

> 2) How the cert you picked from system certs installed into there?

Settings > Security > Encryption and credentials > Install a certificate

> The changes doesn't support install a cert into system cert store but it supports use installed ones

Sorry if I wasn't clear.
That's what I meant.
Entered my email, selected self-hosted under region
Continue
Advanced
There are two options under advanced

  • Import and use a new certificate
  • use a system certificate

It is the second option that is failing

Also I forgot to mention that I have to clear app data after that to be able to use the app again

Error on logcat

```
ANR in com.x8bit.bitwarden (com.x8bit.bitwarden/.MainActivity)
PID: 11537
Reason: Input dispatching timed out (7dec55b com.x8bit.bitwarden/com.x8bit.bitwarden.MainActivity (server) is not responding. Waited 5002ms for MotionEvent)
Parent: com.x8bit.bitwarden/.MainActivity
ErrorId: c6b0539b-84e5-4e5a-84a4-98e40cdcd43f
Frozen: false
Load: 5.08 / 6.51 / 6.4
CPU usage from 1ms to 13916ms later (2023-07-20 18:23:04.612 to 2023-07-20 18:23:18.527):
```

[logcat_07-20-2023_19-01-51.txt](https://github.com/bitwarden/mobile/files/12111710/logcat_07-20-2023_19-01-51.txt)

> 3) The cert format in system cert store?

It is a PKCS#12 bundle

> the certificate you select from system cert should had been installed with the private key

Yes

`sudo openssl pkcs12 -info -nodes -in /storage/emulated/0/certs/client_cert.p12`

```
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Bag Attributes
    localKeyID:reducted
subject=C = gr, ST = gr, L = gr, O = client-cert, OU = ippo, CN = client-cert, emailAddress = reducted
issuer=C = gr, ST = gr, L = gr, O = client-cert, OU = ippo, CN = client-cert, emailAddress = reducted
-----BEGIN CERTIFICATE-----
Reducted
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Bag Attributes
    localKeyID: reducted
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
Reducted
-----END PRIVATE KEY-----
```

> if you install a cert in pkcs#12 legacy format to system cert store and then, use it on the app, do you still getting issue?

The "original" PKCS#12 can't be saved in the Android system store.
It is password protected and the system can't decrypt it with the password.

The legacy cert is installed in the Android certificate store,
and it is the one that crashes the app if the second option is used (as described above).


@oguzhane commented on GitHub (Jul 21, 2023):

I'm able to install a certificate into the system store and use it from the app. The system was able to decrypt the cert and the app can pick this one up to use. [# 1](https://github.com/bitwarden/mobile/assets/4419532/e9db24ed-a3d9-4012-92dd-bb29480c3e6b) [# 2](https://github.com/bitwarden/mobile/assets/4419532/814f198f-b3c5-438a-8483-ff90310faf5f) [# 3](https://github.com/bitwarden/mobile/assets/4419532/6a8f3040-46aa-48b9-8a3f-3e9fe8edd75b) [# 4](https://github.com/bitwarden/mobile/assets/4419532/06777784-4623-4d1e-b318-5ee18b3845a9)

`$ openssl pkcs12 -info -nodes -in client.b.pfx`

```
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
...
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
```

I think the issue here seems to be either your cert's encryption type not being supported, or something related to LineageOS.

Following are the commands I use to generate a client certificate from the CA. They produce a PEM file; you have to convert it to a PFX that is recognized by Android.

```
$ openssl version
OpenSSL 1.1.1l  24 Aug 2021
```

```
openssl genrsa -out client.key 2048
openssl req -new -key client.key -days 3650 -out client.csr \
  -subj "/C=SO/ST=Earth/L=Mountain/O=$O/OU=$OU/CN=localhost"
openssl x509  -req -in client.csr \
  -extfile <(printf "subjectAltName=DNS:localhost") \
  -CA ca.crt -CAkey ca.key -out client.crt -days 3650 -sha256 -CAcreateserial
cat client.crt client.key > client.pem
```

@vvolkgang commented on GitHub (Jun 20, 2024):

Issue migrated to https://github.com/bitwarden/mobile/issues/582


@kuolemaaa commented on GitHub (Nov 25, 2024):

Is there an update for this? I got
`Exception message: Read error: [...] Failure in SSL library, usually a protocol error [...] TLSV1_ALERT_CERTIFICATE_REQUIRED [...]`
I use an installed p12 certificate in Chrome and it works there, but not in the Bitwarden app (latest from the Play Store).
MIUI 14
Android 13


@mathieuruellan commented on GitHub (Nov 27, 2024):

@kuolemaaa I've got the same issue.


@vvolkgang commented on GitHub (Nov 27, 2024):

👋🏾 The original issue here was in the legacy apps that were moved to bitwarden/mobile, if this is happening in the new native app please create a new bug report and we'll look into it!


@kuolemaaa commented on GitHub (Nov 27, 2024):

@vvolkgang just for clarification:

  • Isn't bitwarden/android the new native app?
  • Is this closed because the OP talked about the old bitwarden/mobile project?

As far as I can understand there is already an issue for mTLS in bitwarden/mobile here: https://github.com/bitwarden/mobile/issues/582

And AFAICU **there are problems** with mTLS in the new bitwarden/android native app (basically not supported at all).
Also there is a closed/not merged Pull Request for that here https://github.com/bitwarden/android/pull/2629#issuecomment-1881333854 with that comment telling users something about PR not in the direction of the project and stuff.

Do we need to reopen an issue for mTLS support for bitwarden/android ? Is it necessary ?


@vvolkgang commented on GitHub (Nov 27, 2024):

This repo used to be bitwarden/mobile and was renamed to bitwarden/android, everything was migrated to the new bitwarden/mobile but you'll still find old references here too. This issue was automatically closed during that migration process. I know this is confusing but I hope that explains it.

Those statements were regarding the legacy codebase and don't apply to the new native app. We do need to look into mTLS support, it's something I'm personally interested in but haven't had time for it yet. Creating a new issue will help track it, yes. Contributions will be welcomed!


@kuolemaaa commented on GitHub (Nov 27, 2024):

> I know this is confusing

yea

> but I hope that explains it.

partly

So:
This issue, opened in 2019, in this repo, refers to the old C# app.
In 2019, this repo was for the C# app and was called `bitwarden/mobile`; now it hosts the Kotlin (new, Android-only) one since v 2024.10.1 (19388) of 30 Oct 2024.
So, on that day, you renamed `mobile->android`, created a new `mobile` repo and filled it with the C# content.

If this is correct I would write a statement and completely block any new message in this issue and maybe also in the other issues in this repo referring to the old C# app.

What did you accomplish with such an operation? What was the purpose? Just for curiosity.


@vvolkgang commented on GitHub (Nov 27, 2024):

Correct. The goal was to keep some of the repo metadata. I'll look into mass locking old issues, thanks for the suggestion!


@scottsavarese commented on GitHub (Nov 27, 2024):

> Those statements were regarding the legacy codebase and don't apply to the new native app. We do need to look into mTLS support, it's something I'm personally interested in but haven't had time for it yet. Creating a new issue will help track it, yes. Contributions will be welcomed!

@vvolkgang, I know very little about Android development. But, I'm happy to help in any way. At the very least, I can test versions someone builds against my mTLS setup at home if you need. And if someone wants to spend some time showing me how to build the software I can try to take a stab at coding it. (I mean this isn't the first time someone is doing this. There has to be an example elsewhere to copy from, right?)


@rohm1 commented on GitHub (Nov 27, 2024):

I have started working on it, I've patched the SDK locally and can build everything. I'm able to send requests to my server from the app (built locally, running in the emulator, certificate hardcoded in the SDK), I now need to make some UI to select the certificate, and send it as setting to the SDK. Expect some PRs in the next weeks :)


@scottsavarese commented on GitHub (Nov 27, 2024):

@rohm1, awesome. Let me know if I can help test anything.


@superuser866 commented on GitHub (Nov 27, 2024):

@rohm1 this is great news, thank you very much.
Hope the Bitwarden team will integrate your work as soon as possible, as it was a big missing feature in this app!
@kspearrin


@kuolemaaa commented on GitHub (Nov 27, 2024):

@rohm1 Nice!

I want to point out this comment https://github.com/bitwarden/android/pull/2629#issuecomment-2121008107 about the usage of the Android system certificate storage in the Home Assistant app, which works really well.


@ippocratis commented on GitHub (Nov 27, 2024):

Why do I have the feeling we are going into the same loop again?
Devs have been contributing to this feature request for years and the Bitwarden team refused to merge their pull requests for no reason.
What makes you think they will merge them now?


@kuolemaaa commented on GitHub (Nov 27, 2024):

I'm not sure, but I think you are referring to attempts made for the C# version of the app. The point here is keeping in mind the fact that the switch to Kotlin was made very recently and possibly there is room for such a contribution.

That PR I referred to has the very same history as this issue.


@superuser866 commented on GitHub (Nov 27, 2024):

@ippocratis I hope this time they are going to understand that mTLS support is crucial when exposing a password manager to the internet, as it dramatically reduces the attack surface... fingers crossed...

Reference: github-starred/android#808