Searching for experiences with mutual TLS and OH

Hi,

In the next few weeks, I would like to apply some more security measures to my OH setup. In this context, I’m searching (among other things) for some experiences with mutual TLS, e.g. using server and client certificates. Therefore …

  • Has anyone enabled mutual TLS in their setup?
  • If yes, how was the server side TLS-enabled via Jetty or Nginx?
  • I’m using Browser-based MainUI and on mobile devices the Android App. Are there any problems when using the Android App?
  • … any other obstacles?

Thank you for any hints or experiences!!

I’ve no direct experience but I believe you’ll need to establish the server side in a reverse proxy in nginx.

In the Android app there is a place to add the client certificate.

There is a tutorial at Using NGINX Reverse Proxy for client certificate authentication

Hi @rlkoshak ,

thank you for your reply!

Yes, I know that page, it is one reason why I opened this topic here. AFAIK a reverse proxy is used to hide different servers from the clients’ perspective. In the case of TLS it looks to me like a workaround - but I’m not an expert. Therefore I asked for some feedback to get a better gut feeling about that.

It does way more than that and it is pretty standard to have the reverse proxy implement TLS, authentication/authorization (i.e. your client certificate), load balancing, entry point to a DMZ, and more.

It’s not a workaround, it’s the standard way to expose a service to the Internet or even an Intranet.
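Since the thread itself does not show what the server side looks like, here is an added example (not from the thread or the linked tutorial) of an nginx reverse proxy that terminates TLS in front of openHAB and refuses any connection that does not present a client certificate issued by your own CA. The hostname, certificate paths and the backend address 127.0.0.1:8080 are assumptions.

```nginx
# Added example: nginx as TLS-terminating reverse proxy in front of openHAB
# with mandatory client certificates (mutual TLS). Paths, hostname and the
# backend address are assumed placeholders, not values from the thread.

# MainUI uses WebSockets; map the Upgrade header so normal requests keep
# their Connection header and WebSocket handshakes are forwarded intact.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;
    server_name openhab.example.com;                         # assumed hostname

    # Server certificate presented to the browser and the Android app
    ssl_certificate     /etc/nginx/certs/server.crt;         # assumed path
    ssl_certificate_key /etc/nginx/certs/server.key;         # assumed path

    # CA that issued the client certificates; only certs chaining to it pass.
    # "on" makes nginx abort the handshake (HTTP 400) when no valid cert is sent,
    # so unauthenticated requests never reach openHAB at all.
    ssl_client_certificate /etc/nginx/certs/client-ca.crt;   # assumed path
    ssl_verify_client on;
    ssl_verify_depth 2;

    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed: openHAB on plain HTTP, localhost only
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        # Pass the verified client identity upstream for access logging / auditing
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    }
}

# Plain HTTP only redirects, so nothing reaches the backend unencrypted
server {
    listen 80;
    server_name openhab.example.com;                         # assumed hostname
    return 301 https://$host$request_uri;
}
```

To check the setup, `curl --cert client.crt --key client.key https://openhab.example.com/` should return the MainUI page, while the same request without `--cert` must fail with nginx's 400 "No required SSL certificate was sent" before anything is proxied. The Android app needs the same client certificate (in PKCS#12 form) installed in the place the app provides for it.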