Use Client Certificate in Android/iOS Client

Hello!

We are using Client Certificates as a sort of two-factor authentication on published webservers which should only be accessible for internal users. So we enroll certificates on the Client devices.
For RocketChat we use a reverse proxy with NGINX with client certs enabled:
ssl_client_certificate /etc/nginx/ssl/private_ca.cert;
ssl_verify_client on;
This works with the Mobile Webapp version in Chrome, Firefox and so on, but does not work with the Android / iOS App.
Please implement Client Certificates in the Apps to make more secure communication available.
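
The chain check that `ssl_verify_client on` performs against the file named by `ssl_client_certificate`, reproduced offline with the `openssl` CLI as an added example (not code from any poster or from the Rocket.Chat project). The directory layout, the CA names and the device names `device-01` and `unknown-device` are constructed for illustration; only the `private_ca.cert` file name mirrors the post above.

```shell
#!/usr/bin/env bash
# Added example: all names and subjects below are constructed test values.
set -eu

# Create a self-signed CA (key + certificate) in directory $1 with CN $2.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/private_ca.key" -out "$1/private_ca.cert" 2>/dev/null
}

# Issue a client certificate for device name $2, signed by the CA in directory $1.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  # Restrict the certificate to TLS client authentication.
  printf 'extendedKeyUsage=clientAuth\n' > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -days 30 -extfile "$1/$2.ext" \
    -CA "$1/private_ca.cert" -CAkey "$1/private_ca.key" -CAcreateserial \
    -out "$1/$2.cert" 2>/dev/null
}

# Succeeds only if certificate $2 chains to the CA file $1 and is usable
# as a TLS client certificate (the decision the proxy makes per connection).
chains_to() {
  openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  mkdir "$d/corp" "$d/other"
  make_ca "$d/corp" "Example Private CA"
  make_ca "$d/other" "Unrelated CA"
  issue_client "$d/corp" device-01
  issue_client "$d/other" unknown-device
  chains_to "$d/corp/private_ca.cert" "$d/corp/device-01.cert" \
    && echo "device-01: accepted"
  chains_to "$d/corp/private_ca.cert" "$d/other/unknown-device.cert" \
    || echo "unknown-device: rejected"
  rm -rf "$d"
}
demo
```

`ssl_verify_client on` accepts every certificate that chains to the configured CA file, so that file should contain only the private CA used for device enrollment.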

Yes, this provides so much security for something that looks quite trivial, reading other implementations in other applications, assuming you are more experienced in app development than me…

I’ve dug into the code for this a little. This requires fixes/feature support to be added into the HTTP client libraries underlying React Native and other assorted frameworks. Pretty much the whole family of frameworks depends on okhttp, which lost some of the TLS client cert features between okhttp2 and okhttp3, so that needs to be re-implemented for that library; then you need to add hooks for that into React Native. Finally, you can then add support for that to apps like Rocket.Chat once all the above is done.

The implementation of client certificates for two-way SSL authentication is already in progress. It’s completed on iOS and will be started on Android soon.

Any news on the Android version?