Client certificate / mTLS support for https streaming radio


myndzi


Hi there. I've been using Poweramp for ages and it's a great product. Recently, I've been expanding my home lab, and I've selectively exposed certain internal stuff to the public internet behind a reverse proxy -- that proxy requires client certificates for access. So, for example, my phone can access internal websites such as Home Assistant, but non-authorized computers will be rejected before they even get the opportunity to talk to the backend service.

I'm about to do some work to set up audio playback inside my house, but it struck me that since I already have authenticated internet access to select internal devices, I could also set up streaming radio and play it back with Poweramp. (I could use a browser, but then I wouldn't be able to run the audio in the background, as far as I can tell.)

The problem is that, while Android supports a certificate store and provides the ability for applications to use it when connecting to things, that doesn't just happen magically for "anything connecting to https". You can see the work that would be involved with this pull request which added this functionality into Home Assistant's Android companion app: https://github.com/home-assistant/android/pull/2526

I'm hoping there's a chance you'd be willing to add something similar to Poweramp. The security benefit is definitely something that only a tech-savvy power-user would appreciate, but I'm hoping that the PR above makes it easy/accessible enough to do that it's not a big deal to add in :) 


At this moment https processing is as relaxed as it can be in Poweramp. This is to allow playing the same streams you can play in other players and in a browser, even from intranet subnets (192.168./10.) with self-issued certificates, etc.

In your case you want to add checks on the client side. I will try to investigate if this is currently possible for Poweramp (as its https/tls code is a native, independent mbedTLS library, not the platform library). Thanks for the request, added to TODO.

PS: Also, you can try to verify whether your setup will work with Poweramp at all by using command-line ffmpeg with these arguments:

https://ffmpeg.org/ffmpeg-protocols.html#tls


Thanks for the response.

Just to clarify a little bit, since this can be a confusing topic:

I think what you are saying is that you have disabled server certificate verification in the client connection, which means that the client will accept a connection to a server when that server's certificate is not trusted by the client's certificate chain of trust (e.g. a self-signed certificate).

The feature request here is kind of the opposite "direction of trust". The server asks the _client_ to provide a certificate, and the server is configured to accept or reject the connection based on whether the client can supply a trustable certificate.

My server certificate is signed by Let's Encrypt, so it works fine from the client side :)

It takes some technical set-up to make this work, but from the phone's point of view, you just have to open/install a "pfx" file to add it to the phone's credential store. Then, the client, when talking to the server, needs to be capable of recognizing that the server wants that client credential, and provide a way for the user to select to use it.

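The two directions of trust described in the thread, shown end to end as an added Go example (this is not Poweramp's code, which the developer says is built on mbedTLS, nor anything from the Home Assistant PR): a loopback server configured like the reverse proxy, which only accepts clients that present a certificate chained to the lab's trust root, while the client still verifies the server as usual. The certificate, the name `lab` and the `Stream` helper are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned builds a throwaway cert (constructed here) that doubles as trust root, server cert and client cert.
func selfSigned() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "lab"}, DNSNames: []string{"lab"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Stream starts a loopback "radio" endpoint that demands a client certificate (server -> client trust)
// and fetches it with or without presenting one; the client verifies the server either way (client -> server trust).
func Stream(presentClientCert bool) (string, error) {
	cert := selfSigned()
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	defer srv.Close()
	cfg := &tls.Config{RootCAs: pool, ServerName: "lab"} // pin the lab root and verify the server's name
	if presentClientCert {
		cfg.Certificates = []tls.Certificate{cert} // the "pfx" credential the phone would hold
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return "", err // no client certificate: the proxy refuses the handshake
	}
	return resp.Status, resp.Body.Close()
}
```

A client that lacks the credential is rejected during the TLS handshake, before any HTTP request reaches the backend, which is exactly the behaviour the reverse proxy in the first post relies on.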
