mTLS RequireAndVerify and iOS

ViViDboarder · December 16, 2020, 8:52pm

Hey folks,

I've been trying to debug getting mTLS working with an iOS client, but haven't found any luck.

I've succesfully generated certs and they work on macOS (Safari, and Firefox) as well as curl, but when I try to connect via Safari on iOS my traefik logs are flooded with repeated http: TLS handshake error from <ip>: tls: client didn't provide errors.

My configuration is as follows:

[tls.options]
  [tls.options.client]
    [tls.options.client.clientAuth]
      # in PEM format. each file can contain multiple CAs.
      caFiles = ["/client_ca.crt"]
      clientAuthType = "RequireAndVerifyClientCert"

And the service hosting has the following label: traefik.http.routers.traefikDash.tls.options=client@file.

Has anyone seen this or gotten it to work?

Dan3424 · May 7, 2024, 11:14am

I opened a feature request for this on GitHub. For anyone reading this and is interested in this feature please go like and comment on the feature request so it gains traction.

github.com/traefik/traefik

Traefik should prompt for MTLs client certificates in the browser

opened 12:43AM - 20 Apr 24 UTC

Daniel-dev22

kind/proposal area/tls

### Welcome! - [X] Yes, I've searched similar issues on [GitHub](https://gith…ub.com/traefik/traefik/issues) and didn't find any. - [X] Yes, I've searched similar issues on the [Traefik community forum](https://community.traefik.io) and didn't find any. ### What did you expect to see? I'm not sure how Cloudflare does it but when using MTLs in Cloudflare a certificate prompt occurs. Cloudflare isn't the only service that implements this correctly. A quick Google search for "browser MTLs prompt" will show what I'm referring to. Traefik never prompts for a certificate resulting in it failing with `ERR_BAD_SSL_CLIENT_AUTH_CERT` Similar issues have been posted in the past however for some reason this still hasn't been implemented. Essentially limiting MTLs to server to server communication vs also being compatible with clients such as end user devices. It's surprisingly hard to find how Cloudflare even does this. Not sure this is the same thing as the server requesting this since this seems more frontend related and what Cloudflare and others do is not frontend related it happens before frontend connection even occurs. https://www.electronjs.org/docs/latest/api/app#event-select-client-certificate Here's how the prompt looks. ![Screenshot_20240419_205422_Key Chain](https://github.com/traefik/traefik/assets/47092714/775be52f-1daf-4bbc-b6d1-4635e0a91e87)

Topic		Replies	Views
Client with no certs still has access to Traefik in RequireAndVerifyClientCert Traefik v2 docker , file	4	253	January 11, 2024
ClientAuth RequireAndVerifyClientCert not requesting client certificate Traefik v2 kubernetes-crd	3	546	May 7, 2024
mTLS in browser (chrome, firefox,...) as client doesn't work! Traefik v2 file	3	4183	May 7, 2024
Traefik not loading client certificate for mTLS Traefik v2 tcp	3	561	July 26, 2023
mTLS VerifyClientCertIfGiven, authentication fallback Traefik v2 docker , file	1	521	July 6, 2020

mTLS RequireAndVerify and iOS

Related Topics