mTLS Connectivity for Music Providers

voc0der · April 29, 2025, 12:02pm

Feature description:

Allow providing/uploading a client certificate to authenticate with a source (e.g. subsonic) using mutual tls (mTLS).

Problem solved:

If a service is only available with a client certificate, you cannot access it with Symfonium.

Brought benefits:

This allows people to more securely self host services not on a VPN but with similar security.

Other application solutions:

See:

github.com/bitwarden/android

[PM-16157] Support self-host servers using TLS with Client Authentication (mTLS) (#4486)

main ← rohm1:PM-15537/mTLS-client-certificate

opened 09:09PM - 17 Dec 24 UTC

rohm1

+1713 -26

## 🎟️ Tracking https://github.com/bitwarden/android/issues/4416 https://bi…twarden.atlassian.net/browse/PM-17240 https://bitwarden.atlassian.net/browse/PM-16157 ## 📔 Objective This PR adds a "Client certificate" menu to the custom environment menu. By clicking on a "Choose" button, the native certificate selection menu will open. User can choose a certificate that will be used for connections to a self-hosted instance. Other apps implement some dynamic logic: if the sever requires mTLS, the user is prompted to select a certificate. While this behavior is more flexible for the user, it is more complicated to implement. With the chosen approach, the app settings must be cleared and a new server must be set up. As users generally do not enable/disable mTLS on a regular basis, I think the tradeoff is acceptable. Additionally the only information that is saved is the certificate name (key alias). If a user update/renew a certificate, as long as the certificate name does not change, the new certificate will be used and there is no need to reset the app. This issue could also be worked around by adding a certificate selection menu to the settings. ## 📸 Screenshots [select-mtls-certificate-complete.webm](https://github.com/user-attachments/assets/f407776d-8ad4-44bf-b451-737afb1857ae) ## Manual tests I did - Upgrade from main does not crash and old settings are still saved/available/used - It is still possible to connect to server without mTLS - A certificate can be selected and saved in the settings. Certificate is used for connections to the server - Close the app and restart: Certificate setting has been persisted and connection is still using mTLS Tested on Android 15 (Pixel 6) and Android 14 (Samsung Galaxy Note 20 Ultra 5G) ## 🦮 Reviewer guidelines - 📝 I am not an Android dev and this is my first time with Kotlin and contributing to the Bitwarden project. While I have tried to follow the architecture, I'm sure I missed some things and and others are not in the right place. I apologize in advance and look forward how to improve the code - ❓ The Android APIs use the _key alias_ wording [(KeyChain.choosePrivateKeyAlias),](https://developer.android.com/reference/android/security/KeyChain#choosePrivateKeyAlias(android.app.Activity,%20android.security.KeyChainAliasCallback,%20java.lang.String[],%20java.security.Principal[],%20java.lang.String,%20int,%20java.lang.String)) and this is also the wording I chose in the code. For the UI I chose to go with _Client certificate_. While this is generally bad to have two wordings for the same thing, _key alias_ cannot be used in the UI because confusing for the user, and _user certificate_ in code is kind of weird because that would be something else that the Android wording. Open for suggestions - 🌱 Following the current approach, we can add a Certificate selection screen to the settings. This way it is not necessary anymore to reset the app to choose a new certificate.

(and more)

Additional description and context:

Thank you!!

Screenshots / Mockup:

Utility7828 · May 19, 2025, 4:20pm

yes please, I’m also interested in this.
This is one of the things that make me hesitate about buying the app or if I should try to contribute to a open source project instead to add this feature.

Tolriq · May 19, 2025, 4:53pm

There’s very little chance I add that soon as it’s not possible to cast with that configuration.

voc0der · May 19, 2025, 5:04pm

Hmm too bad

Personally don’t ever use the streaming nor care…

all local playback

Also isn’t chromecast being sunset?

Tolriq · May 19, 2025, 5:50pm

Chromecast is far from sunset and I also support UPnP.

voc0der · May 19, 2025, 6:04pm

One other major use of your app is to store the file locally in offline cache, which would work in any mode.

I guess it’s just a wish anyways. It is the year of client certs, IMO.

Maybe the google tv streamer uses chromecast but the chromecast line is definitely up.

Tolriq · May 19, 2025, 6:11pm

The protocol still lives in many devices.

And you need to think about the support burden after, half the support is network issues. People think they understand but actually don’t.

voc0der · May 19, 2025, 6:20pm

To be fair, I don’t know many people capable of establishing a mTLS stream that are incapable of solving basic technical network issues. Generally speaking, they can try it in Navidrome in a browser anyways.

That said, I do sympathize that you might encounter users who haven’t set it up and ask for help with that.

In each of the other apps (Immich, HASS, Bitwarden, etc), you are deliberately defining you want your connection to use a client cert, so it’s not really possible by accident.

Another thing of note maybe is that for people using cloudflare makes it very easy to do so I expect more people are going to come knocking. (I am not one of those.. but been seeing the chatter)

Tolriq · May 19, 2025, 6:25pm

If it’s in the interface people will click and complain

You have no idea the dumb support and bad rating I get, and since it’s a paid app, people think for 6€ I include going to their home and fix their network…

voc0der · May 19, 2025, 6:28pm

You’re probably right about clicking and complaining. In the case of immich, you connect to a server, and during that connection, you click advanced, that opens a form with these inputs, so you really have to try hard to accidentally mess things up, but I do understand. I am a career programmer, I am happy go lucky, but I hear you, most people sprint into brick walls.

There’s a few different approaches. Nextcloud uses your Android cert store for example, which can be confusing if you aren’t expecting it. That’s where the immich one shines. You have to specify you actually /want/ a client cert (*.pfx), then upload it, then provide its decrypting password, or it just undoes that configuration.

I have bought your app many times over though and regardless of what happens here, thanks again. Can’t think of any other ways it could possibly be better so rock on

voc0der · July 6, 2025, 11:08am

FWIW, someone made a fork for Jellyfin with mTLS working and it works splendidly:

owv15469 · February 6, 2026, 9:42pm

@Tolriq

I would like to bump this Feature Request and really appreciate if mTLS support will be added to Symfonium.

It’s mostly useful for people who are selfhosting their services, mTLS is a secure way to reach your selfhosted instances (like Emby) without a VPN and without public access to anyone.

For example some other Android apps support it without the need to import a TLS certificate per app, instead the TLS cert is installed inside Android via security settings (Import TLS certificate) and from there it can be used by your app, if you add support for it. For example HomeAssistant added such an integration, on the first connect to my selfhosted service it recognized that the domain of it matches with a certificate that was already imported in Android and it offered me to use it. Since then HomeAssistant never asked again (if app data is not manually cleared) and allows only me to access my service.

I can help with user testing if required, but I sadly cannot develop the feature.

This is the one feature missing for me, really crossing my fingers it will be implemented some day.