How can I have Couchbase Lite present a Client certificate to my server?

In a project, the customer requires that all SSL/TLS communication between the mobile and the server should be authenticated by a Client Certificate. This client certificate (a .P12/PFX) must be used by the CBLreplicator… Can we do that?

I believe the currently released Couchbase Lite product (1.4.0) cannot use mutual auth on the TLS connection to Sync Gateway.
How about the upcoming version 2.0? Is it on the roadmap?

Are you looking to support this in P2P configurations, or are you looking to support client certs that are verified by the SG/server? We have plans of supporting client certs in CBM 2.0… Tagging @jens for his input.

Could you clarify what you mean by “mutual auth”? Are you referring to TLS client certificates?

Correct. I meant the HTTP client in CB Lite presenting a client certificate to the Sync Gateway server.

On the server side we have various options for verifying the client cert: either SG has a feature to let me specify the validity criteria, or we could leave the verification to a firewall appliance (like BIG-IP by F5), which would sit in front of Sync Gateway.

Good to hear that it’s planned for CBM 2.0.

Thanks for the quick response.

Couchbase Lite 1.x for iOS/Mac supports client cert authentication; see the following method in CBLAuthenticator:

/** Creates an authenticator that uses an SSL/TLS client certificate.
    @param identity  The identity certificate plus private key
    @param certs  Any additional CA certs needed to establish the chain of authority. */
+ (id<CBLAuthenticator>) SSLClientCertAuthenticatorWithIdentity: (SecIdentityRef)identity
                                                supportingCerts: (nullable NSArray*)certs;
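
An added example, not part of the original post or of Couchbase's own code: one way to load the .P12 from the question and hand it to the method above on iOS/Mac. `UseClientCert` is a hypothetical helper; it assumes the Couchbase Lite 1.x `authenticator` property on `CBLReplication` and Apple's `SecPKCS12Import`, and that the imported chain lists the leaf certificate first.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CouchbaseLite/CouchbaseLite.h>

// Hypothetical helper (not a Couchbase API): imports a PKCS#12 blob and
// configures the replication to present its identity as a TLS client cert.
static BOOL UseClientCert(CBLReplication *repl, NSData *p12Data,
                          NSString *passphrase, NSError **outError) {
    NSDictionary *options =
        @{ (__bridge id)kSecImportExportPassphrase : passphrase };
    CFArrayRef rawItems = NULL;
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)p12Data,
                                      (__bridge CFDictionaryRef)options,
                                      &rawItems);
    NSArray *items = CFBridgingRelease(rawItems);

    // Fail closed: a wrong passphrase or an empty bundle must not leave the
    // replication running without the client certificate the server requires.
    if (status != errSecSuccess || items.count == 0) {
        if (outError) {
            OSStatus code = (status == errSecSuccess) ? errSecItemNotFound : status;
            *outError = [NSError errorWithDomain:NSOSStatusErrorDomain
                                            code:code userInfo:nil];
        }
        return NO;
    }

    NSDictionary *entry = items[0];
    SecIdentityRef identity =
        (__bridge SecIdentityRef)entry[(__bridge id)kSecImportItemIdentity];
    if (identity == NULL) {
        if (outError) {
            *outError = [NSError errorWithDomain:NSOSStatusErrorDomain
                                            code:errSecItemNotFound userInfo:nil];
        }
        return NO;
    }

    // Assumption: element 0 of the chain is the leaf, which the identity
    // already carries, so only the remaining certs are passed as supporting.
    NSArray *chain = entry[(__bridge id)kSecImportItemCertChain];
    NSArray *supporting = chain.count > 1
        ? [chain subarrayWithRange:NSMakeRange(1, chain.count - 1)]
        : nil;

    repl.authenticator =
        [CBLAuthenticator SSLClientCertAuthenticatorWithIdentity:identity
                                                 supportingCerts:supporting];
    return YES;
}
```

Call it before starting the replication, and keep the .P12 passphrase out of the app bundle and source code.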

@jens, is client cert authentication coming to CB Lite.net in 2.0? My application is written in Xamarin.Forms; it targets Android, iOS and UWP.

Funny you should mention that. It just went in today but I’m not sure how to test it yet. From now on we aim to have complete parity so whenever a feature shows up (unless it is REALLY platform specific) it will be in all platforms.

@borrrden — Unfortunately client-cert auth is one of those really platform-specific things, since it happens during the SSL handshake. The implementation I checked in works with Apple’s NSURLSession. You’d need to create a different implementation that works with .NET’s SSL API.

Right, and I did. What I meant by platform specific was stuff like data protection etc. that doesn’t exist on others.