Emby Android and Client Certificate Authentication


soloam
Hello, I have my Emby server running on a server that is accessed through a reverse proxy. This allows me to have multiple domains (other services) under the same IP address. This works great, and I have had it running for some time now.

Now I would like to enhance the security by adding required Client Certificate Authentication, so that only authorised personnel have access to the server. I configured it on the reverse proxy, and now when I access the server through the web browser (desktop and Android) it works: only people who have the certificate installed can communicate with the server. But the app does not work. When I access it through the browser, it asks me which client certificate to use, but in the app I simply can't connect.

Is this possible? Or do I have some misconfiguration?

Thank you


Hi, I'm afraid we've never tested this requirement in the android app before. Additionally we also configure the http server to not require client certificate validation, so what you're looking for would require server-side changes anyway.


soloam

But this works 100% in the browser, on my desktop and my Android phone. The problem is the apps; they don't take the client certificate authentication into account. Please note that all this is done on the reverse proxy side; nothing needs to be changed on the Emby server.


  • 3 years later...
EmbyForEver

Hi, I see there is not much activity on this topic, but I would also feel much more comfortable if client-side certificate support were enabled in the Emby Android app.

For instance, Chrome supports it: you simply have to install the client certificate in the Android certificate store, and then applications can use it. For instance, see this blog post on how to support this in an Android app: https://chariotsolutions.com/blog/post/https-with-client-certificates-on/

Looks like a relatively contained change that would add great security value!!

Any chance this feature request could be considered? Any way we could help?

Thx!


7 hours ago, EmbyForEver said:

Hi, I see there is not much activity on this topic, but I would also feel much more comfortable if client-side certificate support were enabled in the Emby Android app.

For instance, Chrome supports it: you simply have to install the client certificate in the Android certificate store, and then applications can use it. For instance, see this blog post on how to support this in an Android app: https://chariotsolutions.com/blog/post/https-with-client-certificates-on/

Looks like a relatively contained change that would add great security value!!

Any chance this feature request could be considered? Any way we could help?

Thx!

Hi, yes it's possible for the future. Thanks for the feedback.


  • 10 months later...
5 hours ago, xxxAyxxx said:

Hello to all,

I'm also interested in supporting mTLS.

@Luke Is there a future plan to support it in the client apps (Emby Theater & TV App)?

That will also depend on platform support, but for the platforms that do support it, yes we can look into it in future updates. Thanks.


  • 1 year later...
MacroMars

I am in the process of putting some of my services online and would like to secure them with client certificates. Therefore I would also be very interested in this feature :)


  • 3 weeks later...
Mdaloha77

Hello,

It's 2024, is there any progress in this matter? I, like many others, am using client SSL certs to allow my users to access my Emby. It's working OK in browsers on desktop or Android, but the Emby app doesn't care about the internal cert storage. I would like a native Android app experience for my Android users, instead of forcing them to use Chrome.

You have all the components already in place (Android cert storage); just add an option in the Emby client's "add server" section to choose from the certs installed in the phone's cert storage. That's all.

Thank you.


4 hours ago, Mdaloha77 said:

Hello,

It's 2024, is there any progress in this matter? I, like many others, am using client SSL certs to allow my users to access my Emby. It's working OK in browsers on desktop or Android, but the Emby app doesn't care about the internal cert storage. I would like a native Android app experience for my Android users, instead of forcing them to use Chrome.

You have all the components already in place (Android cert storage); just add an option in the Emby client's "add server" section to choose from the certs installed in the phone's cert storage. That's all.

Thank you.

Hi there, can you please describe your issue in more detail? Thanks.


Mdaloha77

It's all about making the Emby Android client aware of the phone's internal certificates, and the ability of the Emby client to recognize, when connecting to an Emby server behind an SSL proxy, that it needs to pick up the client SSL certificate already installed on the phone. Chrome on Android supports this (Firefox does not), but both of those browsers on desktop have been working with client certs for decades. It's not as exotic as you may think. When a browser goes to https://abc.de, it will recognize that the web server is asking it to send its SSL client cert in order to make the connection, aka the client handshake.

Client Handshake

In a client handshake, after the client hello and server hello messages, the server requires the client to present itself with a certificate. The server then verifies it, and encryption takes place through symmetric encryption.

https://comodosslstore.com/blog/what-is-ssl-tls-client-authentication-how-does-it-work.html

https://cheapsslsecurity.com/p/what-is-ssl-client-certificate-authentication-and-how-does-it-work/
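
What the posts above ask for, sketched as an added example (not Emby's code and not taken from the linked blog post): an Android client that lets the user pick a certificate from the system KeyChain and presents it when the reverse proxy requests one during the handshake. `KeyChainKeyManager` and `requestClientCertContext` are hypothetical names; the `android.security.KeyChain` and `javax.net.ssl` calls are the platform's own.

```kotlin
import android.app.Activity
import android.security.KeyChain
import java.net.Socket
import java.security.Principal
import java.security.PrivateKey
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.X509KeyManager

// Answers the server's TLS CertificateRequest with one KeyChain-held identity.
class KeyChainKeyManager(
    private val alias: String,
    private val chain: Array<X509Certificate>,
    private val key: PrivateKey,
) : X509KeyManager {
    override fun chooseClientAlias(types: Array<String>?, issuers: Array<Principal>?, s: Socket?): String = alias
    override fun getClientAliases(type: String?, issuers: Array<Principal>?): Array<String> = arrayOf(alias)
    override fun getCertificateChain(a: String?): Array<X509Certificate>? = if (a == alias) chain else null
    override fun getPrivateKey(a: String?): PrivateKey? = if (a == alias) key else null
    // The app is only ever a TLS client, so it has no server identity.
    override fun chooseServerAlias(type: String?, issuers: Array<Principal>?, s: Socket?): String? = null
    override fun getServerAliases(type: String?, issuers: Array<Principal>?): Array<String>? = null
}

// Hypothetical entry point for an "add server" screen: shows the system
// certificate picker, then hands back an SSLContext bound to the user's choice.
fun requestClientCertContext(
    activity: Activity, host: String, port: Int,
    onResult: (SSLContext?) -> Unit,   // null: user cancelled or key unavailable
) {
    KeyChain.choosePrivateKeyAlias(activity, { alias ->
        // getPrivateKey/getCertificateChain block on IPC and must not run on
        // the main thread; this callback is delivered on a binder thread.
        val ctx = try {
            val key = alias?.let { KeyChain.getPrivateKey(activity, it) }
            val chain = alias?.let { KeyChain.getCertificateChain(activity, it) }
            if (alias == null || key == null || chain == null) null
            else SSLContext.getInstance("TLS").apply {
                // null trust managers: keep the platform's default server validation
                init(arrayOf(KeyChainKeyManager(alias, chain, key)), null, null)
            }
        } catch (e: Exception) { null }   // KeyChainException, InterruptedException
        onResult(ctx)
    }, arrayOf("RSA", "EC"), null, host, port, null)
}
```

Setting the returned context's `socketFactory` on an `HttpsURLConnection` makes that connection answer the proxy's certificate request. The private key stays in the system store and is never exported into the app's own storage.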


That’s something we can look at supporting. Thanks.
