How can I have CouchBase Lite present a Client certificate to my server?

In a project, the customer requires that all SSL/TLS communication between the mobile and the server should be authentified by a Client Certificate. This client certificate (a .P12/PFX) must be used by the CBLreplicator… Can we do that ?

I believe the currently released Couchbase Lite product (1.4.0) cannot use mutual auth on the TLS connection to Sync Gateway.
How about the upcoming version 2.0 ? Is it on the roadmap ?

Are you looking to supporting this in P2P configurations or are you looking to supporting client certs that are verified by the SG/server ? We have plans of supporting client certs in CBM 2.0… Tagging @jens for his input.

Could you clarify what you mean by “mutual auth”? Are you referring to TLS client certificates?

Correct. I meant the HTTP client in CB Lite presenting a client certificate to the Sync Gateway server.

On the server side we have various options for verifying the client cert: Either SG has a feature to let me specify the validity criteria, or we could leave the verification to a firewall appliance (like BIG-IP by F5), which would sit in front of Sync Gateway.

Good to hear that it’s planned for CBM 2.0.

Thanks for the quick response.

1 Like

Couchbase Lite 1.x for iOS/Mac supports client cert authentication; see the following method in CBLAuthenticator:

/** Creates an authenticator that uses an SSL/TLS client certificate.
    @param identity  The identity certificate plus private key
    @param certs  Any additional CA certs needed to establish the chain of authority. */
+ (id<CBLAuthenticator>) SSLClientCertAuthenticatorWithIdentity: (SecIdentityRef)identity
                                                supportingCerts: (nullable NSArray*)certs;

@jens, is client cert authentication coming to CB in 2.0 ? My application is written in Xamarin.Forms, it targets Android, iOS and UWP.

Funny you should mention that. It just went in today but I’m not sure how to test it yet. From now on we aim to have complete parity so whenever a feature shows up (unless it is REALLY platform specific) it will be in all platforms.

@borrrden — Unfortunately client-cert auth is one of those really platform-specific things, since it happens during the SSL handshake. The implementation I checked in works with Apple’s NSURLSession. You’d need to create a different implementation that works with .NET’s SSL API.

Right, and I did. What I meant by platform specific was stuff like data protection etc that doesn’t exist on others.