I’m thinking of replacing my current password setup from KeePass to Bitwarden using the self-hosted solution.
My current network setup includes a server that is connected to the open internet through an NGINX reverse proxy that demands SSL mutual authentication (AKA client certificate) in order to allow any connection. I do this to reduce the risk of someone accessing my server.
I know I can access the server through a major browser since they all support this feature, but I am interested to know if the first-party app has this feature or not.
As far as I’ve seen with the platforms, you can set up ports, addresses and other things with the self-hosting client.
However, I’d advise you to check the CLI in order to make scripts related to these actions you’re looking for. GitHub repositories and help documentation are full of info talking about it.
But if you’re expecting this as a GUI option, I think it probably doesn’t offer such a feature at this time. It can be available in the future via GUI, though.
This can also be interesting for you:
I actually tried to set up TLS mutual authentication today because I’m interested in a similar setup. The web interface and Firefox add-on seemed to work properly with my client certificate. I was pleasantly surprised to see that the desktop app (Windows 10) was able to sync as well after I added the client cert to my Windows user certificates.
Unfortunately I couldn’t get the Android app to authenticate. I was able to get through on Chrome but the app just didn’t seem to want to accept the certificate.
So what I’m going to try and do is to use Cloudflare as a proxy for the apps (so the apps would use a different domain name than the web interfaces). Cloudflare supports proxying with TLS mutual authentication so my server would not be accessible without a certificate. I would also only allow Cloudflare to proxy the specific domain that I would use with Bitwarden and not any other domain I might have pointing to my machine.
The only downside is that Cloudflare uses its own client certificate so now your server has to trust Cloudflare. But to me that seems acceptable.
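The two-domain layout discussed in this thread, sketched as an NGINX configuration. This is an added example, not configuration posted by anyone above; the hostnames, file paths, CA file names and upstream port are all placeholders.

```nginx
# Web vault and browser extension: the client presents a certificate
# issued by your own private CA.
server {
    listen 443 ssl;
    server_name vault.example.com;                           # placeholder

    ssl_certificate         /etc/nginx/tls/vault.crt;        # placeholder paths
    ssl_certificate_key     /etc/nginx/tls/vault.key;

    ssl_client_certificate  /etc/nginx/tls/personal-ca.crt;  # CA that signed your client certs
    ssl_verify_client       on;   # requests without a valid client cert get a 400
    ssl_verify_depth        2;

    location / {
        proxy_pass http://127.0.0.1:8080;                    # assumed local Bitwarden listener
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Mobile apps: reached only through the Cloudflare proxy, which presents
# Cloudflare's client certificate instead of one of yours.
server {
    listen 443 ssl;
    server_name apps.example.com;                            # placeholder, separate domain

    ssl_certificate         /etc/nginx/tls/apps.crt;
    ssl_certificate_key     /etc/nginx/tls/apps.key;

    ssl_client_certificate  /etc/nginx/tls/cloudflare-client-ca.pem;  # placeholder file name
    ssl_verify_client       on;
    ssl_verify_depth        1;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Any other hostname pointing at this machine: drop the TLS handshake.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;      # requires nginx 1.19.4 or newer
}
```

Keeping the two trust anchors in separate `server` blocks means a certificate accepted on the app domain is not accepted on the web vault domain, and the reverse.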