[Bug]: Unable to connect with client ssl cert if server response contains Strict-Transport-Security

[rbran]

⚠️ Before submitting, please verify the following: ⚠️

• This is a bug, not a question or a configuration issue.
• This issue is not already reported on Github (I've searched it).
• Nextcloud Server and Desktop Client are up to date. See Server Maintenance and Release Schedule and Desktop Releases for supported versions.
• I agree to follow Nextcloud's Code of Conduct

Bug description

The Desktop client is unable to connect to a server that enforces client side ssl certificated (mTLS, AKA on nginx ssl_verify_client on; ssl_client_certificate /etc/nixos/ca.pem;) if the header Strict-Transport-Security is present on the response.

Steps to reproduce

• Configure a nextcloud server with nginx.
• Add the ssl cert client verification, AKA add ssl_verify_client on; ssl_client_certificate /etc/nixos/ca.pem; to nginx.
• Add the header Strict-Transport-Security to the reply, AKA add add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; to nginx.

The desktop client will fail to connect with a generic "Failed to connect" message.

• Remove the Strict-Transport-Security header (aka just remove the nginx config line from above).

The client will work normally offering Configure client-side TLS certificate.

Expected behavior

Expected to open the wizard with the options "Select a diferent URL", "Retry unencrypted over HTTP (insecure)" and "Configure client-side TLS certificate" .

Instead it just show the error message "Failed to connect to Nextcloud ... contact your server administrator for help".

Which files are affected by this bug

Desktop client initial setup

Operating system

Linux

Which version of the operating system you are running.

NixOS 25.11

Package

Other

Nextcloud Server version

32.0.3

Nextcloud Desktop Client version

4.0.4

Is this bug present after an update or on a fresh install?

Fresh desktop client install

Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

Are you using an external user-backend?

• Default internal user-backend
• LDAP/ Active Directory
• SSO - SAML
• Other

Nextcloud Server logs

Additional info

No response

[rbran]

The bug sems to happen because of OwncloudSetupWizard::checkDowngradeAdvised identify (correctly) the connection as non-HTTP-downgradable, but this value is passed to the function OwncloudSetupPage::setErrorString that will only call OwncloudConnectionMethodDialog (the client-cert selector screen) if the connection is-HTTP-downgradable.

The solution seem to be checking the QNetworkReply::sslErrors specifically for the QSslError::NoPeerCertificate, indicating the server is requesting a client side TLS cert.

EDIT: I could not find any way to identify a client-side certificate using in QT, so I guess any 400..=403 response could indicate that. In my case the only deference between a client-side cert and normal connection is the TLSv1.3 Record Layer: Handshake Protocol: Certificate Request in the Server Helllo on the TLS connection.