
Better mTLS support #22768

Closed
denysvitali wants to merge 5 commits into immich-app:main from denysvitali:feature/mtls-okhttp

Conversation


@denysvitali denysvitali commented Oct 8, 2025

Description

As per #15230 - the mTLS support (and User-CA support) in Immich is rather poor.
This PR (DRAFT!) will fix these issues by integrating ok_http and using the Android trust store.

Fixes #15230

This PR depends on two PRs opened at dart-lang/http:

How Has This Been Tested?

N/A

Screenshots (if appropriate)

Checklist:

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation if applicable
  • I have no unrelated changes in the PR.
  • I have confirmed that any new dependencies are strictly necessary.
  • I have written tests for new code (if applicable)
  • I have followed naming conventions/patterns in the surrounding code
  • All code in src/services/ uses repositories implementations for database calls, filesystem operations, etc.
  • All code in src/repositories/ is pretty basic/simple and does not have any immich specific logic (that belongs in src/services/)

Please describe to which degree, if any, an LLM was used in creating this pull request.

Extensively. Mostly Z.AI GLM 4.6.


github-actions bot commented Oct 8, 2025

Label error. Requires exactly 1 of: changelog:.*. Found: 📱mobile. A maintainer will add the required label.

andymule added a commit to andymule/immich that referenced this pull request Dec 1, 2025
Security improvements:
- Android: Certificates stored in Android KeyStore (hardware-backed when available)
  - Private keys never leave the KeyStore
  - More secure than storing raw bytes in app storage
- iOS: Certificates stored in iOS Keychain
  - Widget extension support via shared Keychain access group

Architecture improvements:
- SSLHttpClient factory for unified SSL configuration
- Compute isolate for certificate loading (no main thread jank)
- Error display screen for initialization failures
- Platform-aware certificate storage abstraction

Features:
- Full mTLS support for Android and iOS
- iOS Widget Extension support (SSLURLSession)
- User-installed CA certificate trust via network_security_config
- Self-signed certificate bypass option (for trusted networks)

For mTLS to work:
1. Install CA certificate on device
   - Android: Settings → Security → Install certificates
   - iOS: Install profile, then Settings → General → About → Certificate Trust Settings
2. Import client certificate (.p12) in Immich app settings
3. Connect to mTLS-enabled server endpoint

Builds on PR immich-app#22768 concepts with improved security model.
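The commit message above lists user-installed CA trust via network_security_config and a self-signed bypass option. As an added illustration, not code from this PR or from the Immich repository, this is the Android network security configuration an app needs to honour a CA the user installed through Settings (step 1 of the mTLS procedure above) while confining any lab or self-signed trust to debuggable builds; the file name and the raw resource name are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (file name assumed).
     Wired in from AndroidManifest.xml with
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     On Android 7.0+ an app trusts only the system CA store by default, so a CA
     the user installed via Settings > Security is ignored unless the app opts in
     here. Opting in widens what the app will accept to every user-installed CA,
     which is the trade-off behind "User-installed CA certificate trust". -->
<network-security-config>

    <!-- Release default for every host: system CAs plus user-installed CAs,
         cleartext HTTP refused. Server certificate validation stays fully on;
         this only changes which roots are acceptable. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>

    <!-- Self-signed / lab trust belongs here, not in base-config. This block is
         applied only when the app is built with android:debuggable="true";
         release builds ignore it, so a developer-only root (assumed to live at
         res/raw/debug_ca.pem) can never weaken a production install. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/debug_ca" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

Note that this file governs server-certificate trust only; the client certificate used for mTLS (the imported .p12 in step 2) is selected by the HTTP stack at TLS handshake time and is not configured here.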
@shenlong-tanwen (Member)

@denysvitali Please open a new PR when the implementation is stable. In its current form, it doesn’t address the underlying issue and contains significant implementation flaws, so we can’t proceed with it as is.

Successfully merging this pull request may close these issues.

[META] Experimental network features