[Feature Request] Client Cert Authentication on Android

Greetings. For quite a while, I’ve been running a local tt-rss instance on an old mac mini I secured by making it LAN only. This meant whenever I wanted to connect in through my phone, I’d have to use a VPN, which isn’t always ideal.

Following a recent acquisition and setup of a nice big hypervisor server, I decided to move my instance over to the new hardware, and actually put the time into securing it properly with TLS and client certs.

I prefer client certificates for a few reasons, similar to why one might want to use a private key for SSH style authentication. It’s one of the most solid security mechanisms, and gives me the least amount of worry when putting a web application on the greater net.

While I have my own setup working perfectly fine, ttrss does seem to have built in support for managing client cert auth in the UI, with a place in Preferences to upload (what seems to be) a CA cert, and a wiki article which describes how to do it when running nginx/Debian: https://tt-rss.org/wiki/SSL%20Certificate%20Authentication

While this is all well and good for desktop and mobile browsers, the ttrss client for Android does not seem to retrieve client certs from the system store, nor attempt authentication with them in code, and that’s what I’m hoping someone here can help me out with (and hopefully there’s at least one other person in the world who’s doing this).

I do not wish to ask without showing I have at least looked into the feature myself, and if really nobody here has the time, I’m still tempted to try and implement this myself. The reason I ask is because I am neither a Java nor an Android developer. I’ve played around with both in the past, but would rather someone familiar with the project (and who already has the build environment up and running) implement what is a security measure, lest I mess it up for everybody.

That being said, it doesn’t seem to be too complicated. Quick googling says okhttp3 seems to have support for this, and should be able to read certs from the system’s store. I don’t know if there is a system UI that could be used upon first connect to select the right certificate, as Chrome seems to use something that looks like one for the same purpose.

I greatly appreciate any time put into reading this, it’s a complicated request, so I apologize for the longer post. ttrss has been my rehab from twitter for months, and is something I use every single day, multiple times.
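For reference, an added sketch (not part of the original post and not the tt-rss client's code) of the approach the post asks about: the Android system certificate picker plus an OkHttp client that presents the chosen certificate. It assumes the app uses OkHttp 3.x or later; the class and method names `KeyChainClientCert`, `pickAlias` and `buildClient` are hypothetical.

```java
import android.app.Activity;
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyChainAliasCallback;
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
import okhttp3.OkHttpClient;

// Hypothetical helper: client-certificate auth backed by the Android system KeyChain.
final class KeyChainClientCert {
    // Step 1: show the system picker. cb.alias(String) receives the chosen alias, or null if the user declined.
    static void pickAlias(Activity activity, String host, int port, KeyChainAliasCallback cb) {
        KeyChain.choosePrivateKeyAlias(activity, cb, new String[] {"RSA", "EC"}, null, host, port, null);
    }

    // Step 2: build the client. Call off the main thread; the KeyChain getters block.
    static OkHttpClient buildClient(Context ctx, final String alias) throws Exception {
        final PrivateKey key = KeyChain.getPrivateKey(ctx, alias);
        final X509Certificate[] chain = KeyChain.getCertificateChain(ctx, alias);
        if (key == null || chain == null) throw new IllegalStateException("alias not granted or removed");

        // Always offer the one alias the user approved; the key is used through the KeyChain handle.
        X509KeyManager km = new X509KeyManager() {
            public String chooseClientAlias(String[] types, Principal[] issuers, Socket s) { return alias; }
            public X509Certificate[] getCertificateChain(String a) { return chain; }
            public PrivateKey getPrivateKey(String a) { return key; }
            public String[] getClientAliases(String type, Principal[] issuers) { return new String[] {alias}; }
            public String chooseServerAlias(String type, Principal[] issuers, Socket s) { return null; }
            public String[] getServerAliases(String type, Principal[] issuers) { return null; }
        };

        // Keep the platform default trust manager so server certificate validation is not weakened.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];

        SSLContext ssl = SSLContext.getInstance("TLS");
        ssl.init(new KeyManager[] {km}, new TrustManager[] {tm}, null);
        return new OkHttpClient.Builder().sslSocketFactory(ssl.getSocketFactory(), tm).build();
    }
}
```

The alias returned by the picker can be stored in app preferences and reused; if the certificate is later removed from the system store, `KeyChain.getPrivateKey` returns null and the picker has to be shown again.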

this “i’ve quick googled something and it seems easy” can easily translate to many hours spent to make it actually work properly.

i suggest you try it and file a PR when it works. if it’s ugly, we’ll fix it.

Hah, I can understand how I made that sound.

Sure, I can give it a try. Just thought I’d at least suggest it before I did.