TLS mutual authentication

[foxfire881]

it's dangerous to deploy vaultwarden on internet, although it supports TLS, it is unilateral authentication，everyone could click 'continue' button in browser to pass the https errors to attack vaultwarden(such as brute force attack).

if vaultwarden could support TLS mutual authentication, then only the one who has the client certificate in browser or other clients could access vaultwarden on internet, it will be security more and more.

so, is there a plan to support TLS mutual authentication?

[BlackDex]

I do not think we will implement this for several reasons.

1. The desktop and mobile clients are not supporting this.
2. Rocket does seem to support this, but I'm not sure how and if this will work correctly via a reverse proxy.

If you still want something like this, i suggest to use a reverse proxy which has this functionality, like Caddy, Nginx, Haproxy, traefik etc..
But, remember that the clients probably will not work correctly.

[foxfire881]

I do not think we will implement this for several reasons.

1. The desktop and mobile clients are not supporting this.
2. Rocket does seem to support this, but I'm not sure how and if this will work correctly via a reverse proxy.

If you still want something like this, i suggest to use a reverse proxy which has this functionality, like Caddy, Nginx, Haproxy, traefik etc.. But, remember that the clients probably will not work correctly.

good idea~ i will try to deploy a https reverse proxy in front of vaultwarden with nginx to implements this feature.

[Gandulf78]

It is also possible with Cloudflare. Unfortunately the iOS client doesn't accept mTLS (see bitwarden/mobile#582)

[gtaws]

it's dangerous to deploy vaultwarden on internet, although it supports TLS, it is unilateral authentication，everyone could click 'continue' button in browser to pass the https errors to attack vaultwarden(such as brute force attack).

if vaultwarden could support TLS mutual authentication, then only the one who has the client certificate in browser or other clients could access vaultwarden on internet, it will be security more and more.

so, is there a plan to support TLS mutual authentication?

I was looking into this myself, but for very different reasons. I agree with @BlackDex - if this breaks the clients, then there's no point in implementing this. You're best bet is to use the owasp/modsecurity-crs;nginx image to front vaultwarden so you can have WAF protecting your public facing install. Or just keep your vaultwarden behind a VPN.

[Gandulf78]

One solution to improve security could be to use VPN on demand (on iOS). It is possible with Tailscale though not perfect.
See tailscale/tailscale#10211

[johanneswk]

@gtaws I think that there would actually be a point in implementing it. I'm running a simple Azure Container App (ACA) without VNET integration. A custom domain is used via Cloudflare, however the Vaultwarden installation is also still available via the standard https://*.azurecontainerapps.io. If we were to have mTLS we could do something similar like this: Authenticated Origin Pulls

This would help securing Vaultwarden installations behind Cloudflare, by making sure only Cloudflare can access the Vaultwarden instance before making it accessible to the internet.

[BlackDex]

I do not see that we will add this to Vaultwarden it self. Main reason is, most clients do not support this feature and only cause issues when people try to connect and fail.

Also, there are much better tools out there to handle this in a much more safer way by using the right reverse proxy tools.
Also, most of the time you are probably not running just Vaultwarden in these cases and have multiple tools for which you probably want to restrict access in the same way. Then it is much better, and safer, to handle this all via that one tool.

[gtaws]

@gtaws I think that there would actually be a point in implementing it. I'm running a simple Azure Container App (ACA) without VNET integration. A custom domain is used via Cloudflare, however the Vaultwarden installation is also still available via the standard https://*.azurecontainerapps.io. If we were to have mTLS we could do something similar like this: Authenticated Origin Pulls

This would help securing Vaultwarden installations behind Cloudflare, by making sure only Cloudflare can access the Vaultwarden instance before making it accessible to the internet.

Honestly, I don't think this is a good use of the authors' time here. If you really want mTLS support, just run nginx in front of Vaultwarden in a Docker compose stack and don't expose Vaultwarden directly. I do that today, it takes only a few moments. I do it mainly to prevent anyone who invades the host from being able to access Vaulwarden through the open port. But afterwards I do something similar to you, but on host as well instead of CDN - I put owasp/modsecurity-crs;nginx in front of the whole stack connected to the host network which forwards to this backend nginx stack that requires mTLS to connect. That's the only process that's exposed to internet now. You can do the same. Also, as @BlackDex said, you most likely need additional tools to secure the installations in addition to a WAF. Many tools support nginx and CRS, few support Vaultwarden logs.

[voc0der]

bitwarden/android#4416

maybe relevant here... looks like its happening, and well, who can't be excited about mTLS?

[gtaws]

This is for the client? but who knows how Bitwarden (the company) is handling it from the service side - e.g. AWS load balancers can support mTLS natively.

Update: looking into this deeper, this mTLS issue reported on the client is too notify that the client will crash if the service side requires mTLS. Digging into connected issues in the thread shows that Bitwarden still doesn't plan to support mTLS.

[nut-neek]

It looks like mutual TLS has been introduced in the android app for bitwarden:
https://github.com/bitwarden/android/releases/tag/v2025.1.2
bitwarden/android#4606

However it is hidden behind the feature flag. Since mutual tls in many cases is implemented on load balancer/proxy level it sounds that for vaultwarden it is just a matter of returning the mutual-tls experimental flag to the android client.
Unfortunately it is not yet part of the allowed flags.

[gtaws]

Why are you asking for native support on Vaultwarden for mTLS? You said it yourself - mTLS, in many cases, is impl'ed on the load balance or proxy. And for good reason - it's usually more secure and easier to integrate with other tools there. It's ridiculously easy to put nginx with mTLS in front of Vaultwarden in Docker, and if you plan to expose your setup to public space, it's best to stand up a WAF like owasp/modsecurity-crs:nginx that's regularly updated with rules as well. From what I've read, neither Bitwarden nor Vaultwarden has ever been designed for direct exposure to public internet - it's usually recommended to put a proxy or load balancer with a WAF in front.

[nut-neek]

I am not asking for native support. My point is exactly opposite. I am using Traefik myself to do tls/mtls. And it works wonderful with Bitwarden Firefox extension. The only missing feature on the Vaultwarden side is the experimental feature flag to return to the Bitwarden Android app to unlock the Android app feature I linked. This is what I understood anyways. Maybe I am missing something.

[kpfleming]

This is slightly off-topic, but how is this supposed to work? The mobile app can't know of the flag before contacting the server, and it can't contact the server without using mTLS to authenticate itself. Is the 'feature flag' (configuration) endpoint supposed to be exposed outside of mTLS?

[nut-neek]

This is a good point. I was thinking that I might temporarily disable client cert verification, initialize the app, then import the cert into the app, re-enable clientcert auth. It might be smarter to wait until the feature is not experimental anymore.

[BlackDex]

If I'm correct Rocket doesn't support mTLS IN v0.5, so that will not going to happen.

[voc0der]

As long as the bitwarden app can pass the client certificate to your reverse proxy which has a suitable mTLS setup, that's cool. I just hope that works. It is a bit much to ask for native, and if it works like this, why bother. Rocket already supports TLS. I have such a setup, and I'm waiting for my bitwarden to have said flag so I can test.

If you start a thought angrily in your head wondering why bother with mTLS, just stop. That ship sailed. Either it's going to get done, or not. But it's an incredible feature that should become more widespread and standard.

Based on what @nut-neek said, it sounds like a Vaultwarden server setting might be needed to interact with that feature flag in the app.

And for what it's worth, only the flag is in that official build. Next build in the app, it will have the full mTLS suite in the experimental as well. bitwarden/android#4486 (comment)