How to get waterfly-III to use mtls certificates? #472

Open
anuneo opened this issue Nov 3, 2024 · 2 comments
Labels: dependencies (Pull requests that update a dependency file), enhancement (New feature or request)

Comments


anuneo commented Nov 3, 2024

I love you waterfly-III. Thanks for all your efforts.

My firefly-iii instance is accessible via a Cloudflare tunnel. I have used mTLS certificates to restrict access to the applications behind the tunnels. It has worked well for other applications so far. I would like to do the same for firefly-iii. While this works perfectly when I try to access firefly via a browser, I can't get it to work with waterfly-III. When I open waterfly, there is no prompt to select a certificate. How can this be enabled?

Thank you!

dreautall (Owner) commented Nov 4, 2024

Hi, thank you for the kind words! And sorry for the bad news below 🥲

I switched to cronet_http as the HTTP implementation, basically Android's native Chrom(e/ium) network stack. As such, the app only allows security stuff the OS can handle: custom certificates need to be in the Android cert store, etc. The reason for the switch was broader compatibility (for example for people using the Android cert store, proxies, etc.) and no "hand-made crypto" in my app. However, as far as I understand, this does not support client certificates at all (nor does it allow a blanket "allow all bad server certificates" option).

There is some stuff ongoing in dart-lang/http#1237 to make ok_http (another HTTP implementation) as a package provided by the dart http team itself, which (once that PR is implemented) would support more advanced options like client certificates and might actually be worth switching to from Cronet.

Until something like this is implemented I don't think I can make you happy, sorry 😞 The only "workaround" is to exclude the api endpoint (/api/ path) from the mTLS requirement, as that path should be secure (no calls without valid API key allowed - if you trust Firefly).

dreautall added the enhancement (New feature or request) and dependencies (Pull requests that update a dependency file) labels on Nov 4, 2024
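The carve-out dreautall describes, written out as an edge configuration. This is an added example, not waterfly-III or Firefly III code, and not the Cloudflare Access setup the reporter uses (there the /api/ exclusion is expressed in the Access policy rather than in a config file); it shows the same policy on a self-hosted nginx TLS terminator so the two rules are visible side by side. The hostname, certificate paths, the upstream address 127.0.0.1:8080, and the assumption that API clients send the Firefly API key as an `Authorization: Bearer` header are all assumptions made for the example.

```nginx
# Added example (not the project's code): mTLS for the web UI, bearer-token-only
# for the API path that the mobile app calls. All names and paths are assumptions.
server {
    listen 443 ssl;
    server_name firefly.example.com;                  # assumed hostname

    ssl_certificate     /etc/nginx/tls/firefly.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/firefly.key;

    # Request a client certificate on every handshake but do not abort the
    # handshake when none is presented; the per-location checks below decide.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client optional;
    ssl_verify_depth 2;

    # API path: the app cannot present a client certificate, so no cert is
    # required here. Requests without any bearer token are dropped at the edge
    # so that anonymous probing never reaches Firefly at all. This is a cheap
    # pre-filter, not authentication: Firefly still validates the token itself.
    location /api/ {
        if ($http_authorization !~ "^Bearer ") {
            return 401;
        }
        proxy_pass http://127.0.0.1:8080;             # assumed upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else (login form, web UI, token management pages) requires a
    # client certificate that verified against client-ca.crt. Any path that
    # does not match the /api/ prefix falls through to here, so the default is
    # fail-closed.
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

What this buys and what it does not: excluding /api/ from the client-certificate requirement means the API is reachable by anyone who can resolve the hostname, and the only thing standing between them and your ledger is the strength of the personal access token and Firefly's own handling of it. The `Authorization` pre-check keeps unauthenticated scanners off the application, but it does not rate-limit guessing; pair it with a request-rate limit on that location and keep the token-issuing UI (which stays behind mTLS) as the only place tokens are created. `ssl_verify_client optional` is deliberate: `on` would reject the app's certificate-less handshake before nginx ever sees the path.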

anuneo commented Nov 4, 2024

Thank you @dreautall for the explanation. I look forward to the switch to ok_http, when it becomes ready.

Keep up the good work!

Projects: None yet
Development: No branches or pull requests
2 participants