Problem/Justification
To secure network communication it would be very helpful if mTLS support were added to TrueNAS SCALE. Custom TLS certificates for HTTPS traffic are already implemented, allowing clients to verify the authenticity of the TrueNAS server. However, TrueNAS currently cannot verify client certificates during the TLS handshake (mutual TLS). This prevents certificate-based access control to the TrueNAS UI.
As all the TLS and CA infrastructure is already there, it would be a small step to support client certificate verification. This would be ideal in enterprise environments as well, because it can integrate with an already existing PKI. It would only require two settings: a trust store of accepted client CAs (the existing CA functionality could be reused) and a configuration option to enable mTLS. Optionally, specific certificate attributes could be required (e.g. only accept certificates carrying a particular extended key usage such as clientAuth, or only certificates whose subject is on an allow list).
Impact
I envision it to be an optional configuration (similar to the current TLS/custom CA configuration) that would only be enabled when needed. In this sense I only see security benefits for users that require more assurances regarding access control, without any impact for users that choose not to enable the functionality.
User Story
TrueNAS is running in a network behind a reverse proxy. Only the proxy should be allowed to access the TrueNAS UI. Other services reside in the same network and can, without mTLS, reach the UI as well. With mTLS enabled, the administrator of TrueNAS can enforce that the client presents a valid X.509 certificate signed by a trusted CA, thus hooking into the organisation's existing PKI and providing a strong, cryptographically backed layer of access control in front of the UI. Note that this authenticates the proxy (or any other client) to TrueNAS at the TLS layer; users still log in to the UI as today, and any mTLS between browsers and the proxy is a separate hop configured on the proxy itself.
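The two settings described under Problem/Justification and the user story above, as an added worked example in Go. This is not TrueNAS code; Go's standard library is used because it can generate the certificates and run both ends of the TLS handshake in one self-contained program. The CA names, host names, serial numbers and the subject allow list are assumptions for illustration. The program stands up two loopback listeners, one without and one with client certificate verification, and runs the story's clients against them: no certificate at all, a certificate from an untrusted CA, a certificate from the trusted CA whose subject is not on the allow list, and the proxy's own certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Hypothetical host and CA names throughout; this is an illustration, not TrueNAS code.
const banner = "UI: access granted\n"

func must(err error) { if err != nil { panic(err) } }

// newCert generates a P-256 key and certificate for cn: a self-signed CA when issuer is nil,
// otherwise a leaf signed by issuer that carries the given extended key usage.
func newCert(cn string, serial int64, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}
	if issuer == nil { // self-signed root: mark it as a CA and sign it with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, issuer, issuerKey = true, true, x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// asTLS packs a leaf and its key into the form tls.Config expects.
func asTLS(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// serverConfig is the requested feature in miniature: a trust store, an on/off switch and
// the optional attribute check (here an allow list of client subject CNs).
func serverConfig(srv tls.Certificate, trust *x509.CertPool, mtls bool, allowedCN map[string]bool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{srv}, MinVersion: tls.VersionTLS12}
	if !mtls {
		return cfg // current behaviour: any peer that can reach the port gets the UI
	}
	cfg.ClientAuth = tls.RequireAndVerifyClientCert // no valid client certificate, no session
	cfg.ClientCAs = trust                           // the chain must end in the organisation's CA
	cfg.VerifyPeerCertificate = func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(chains) == 0 || !allowedCN[chains[0][0].Subject.CommonName] {
			return errors.New("client certificate missing or its subject is not on the allow list")
		}
		return nil
	}
	return cfg
}

// attempt stands up a one-shot loopback listener with srvCfg, connects with cliCfg and reports
// whether the client got the banner. Under TLS 1.3 the server's rejection of a client
// certificate only reaches the client on its first Read, hence the read after the handshake.
func attempt(srvCfg, cliCfg *tls.Config) bool {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	go func() {
		raw, err := ln.Accept()
		if err != nil { return }
		c := tls.Server(raw, srvCfg)
		defer c.Close()
		if c.Handshake() == nil { c.Write([]byte(banner)) }
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil { return false }
	defer c.Close()
	buf := make([]byte, len(banner))
	_, err = io.ReadFull(c, buf)
	return err == nil && string(buf) == banner
}

// Outcome records, per scenario from the user story, whether the client reached the UI.
type Outcome struct{ PlainNoCert, MTLSNoCert, MTLSUntrustedCA, MTLSWrongCN, MTLSProxy bool }

// Demo runs the scenarios: mTLS off (today), then mTLS on against four kinds of client.
func Demo() Outcome {
	orgCA, orgKey := newCert("Example Org Root CA", 1, nil, nil)
	rogueCA, rogueKey := newCert("Rogue CA", 2, nil, nil)
	trust := x509.NewCertPool() // the trust store setting: the organisation's CA only
	trust.AddCert(orgCA)
	server := asTLS(newCert("truenas.example.internal", 3, orgCA, orgKey, x509.ExtKeyUsageServerAuth))
	proxy := asTLS(newCert("proxy.example.internal", 4, orgCA, orgKey, x509.ExtKeyUsageClientAuth))
	other := asTLS(newCert("other-service.example.internal", 5, orgCA, orgKey, x509.ExtKeyUsageClientAuth))
	forged := asTLS(newCert("proxy.example.internal", 6, rogueCA, rogueKey, x509.ExtKeyUsageClientAuth))
	off := serverConfig(server, trust, false, nil)
	on := serverConfig(server, trust, true, map[string]bool{"proxy.example.internal": true})
	client := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: trust, ServerName: "truenas.example.internal", Certificates: certs}
	}
	return Outcome{
		PlainNoCert:     attempt(off, client()),
		MTLSNoCert:      attempt(on, client()),
		MTLSUntrustedCA: attempt(on, client(forged)),
		MTLSWrongCN:     attempt(on, client(other)),
		MTLSProxy:       attempt(on, client(proxy)),
	}
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Two details are worth noting. Go's RequireAndVerifyClientCert already insists that the client chain carries the clientAuth extended key usage, so the example's explicit attribute check is the subject allow list in VerifyPeerCertificate; a deployment would pick whatever attribute its PKI makes reliable (subject, issuer, a policy OID). And with TLS 1.3 a client whose certificate is rejected sees a successful handshake and only learns of the rejection on its first read, which is why any probe of an mTLS endpoint must read after connecting rather than treat a completed handshake as access.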