3. DAVdroid does not authenticate properly during service discovery

DAVdroid does not authenticate properly during service discovery

  • K

    Hi,

    I have a problem that DAVdroid seems not to authenticate properly to the given URLs. I have my owncloud instance hosted on a webserver in a hidden directory on an unusal port. As this is a private cloud I hope to be able to minimize the problems with script kiddies and similar people. Everything is done with the apache TLS module in order to provide encryption.

    Now, I realized the following behaviour:

    DAVdroid connects to the server and tries to connect to /my-hidden-dir/remote.php/dav .
    As an answer it gets a 401 Unauthorized answer with a Basic auth request.
    In the next step it tries to connect (with proper Athorization header) to /.well-known/caldav and gets 404 not found.
    Then it sleeps for a while and the game starts anew.

    In order to work around that problem I configured /.well-known/caldav and /.well-known/carddav to return a proper 301 header – a step that contradicts the idea of a hidden service. But DAVdroid still authenticaties to the wrong half of the requests.

    I would expect either that DAVdroid tries to connect with correct Authorization headers starting with the first attempts or that it tries a secound request with the same URI if it gets a 401 response. The latter one is probably more flexible and secure. At least this is the behaviour that I can observe when I use wget to imitate these requests. In contrast to DAVdroid, wget is able to connect to my owncloud instance.

    log:
    0_1501880980935_debug.txt

    wget script:
    0_1501882224764_wget.txt

    0
  • R
    developer

    Hello,

    Can you provide a temporary test account so that we can reproduce the problem? Please send it to play@bitfire.at

    0
  • K

    Testing should be done in a sandbox, which I can’t provide. You need access to the server logs. Actually I found out the behaviour when I mirrored back the Authorization header to the client using the apache directive “Header echo ^Authorization” in the owncloud configuration of Apache. I did the tests when I still believed in a server misconfiguration. As DAVdroid is my primary DAV client I have no end user client available at the moment. That’s also the reason why I have to debug the problem on the protocol level and not on the end user level.

    Note: Currently the difference between wget and DAVdroid is that wget gets either “bad request” or “Unauthorized” depending on the provided credentials, which means that wget is able to pass the authorization barrier, while DAVdroid gets “Unauthorized” from the server every other time and implicitely discards the authorized responses as it authorizes only to the service discovery URLs, but not to the real ones.

    Actually I had problems with another Horde installation, which might be related to this problem. In that case I don’t have access to the server logs.

    If I can help another way (testing, debugging etc. ) I’d be glad to help out.

    0
  • R
    developer

    DAVdroid connects to the server and tries to connect to /my-hidden-dir/remote.php/dav .
    As an answer it gets a 401 Unauthorized answer with a Basic auth request.

    Why does it get a 401? It sends the Autorization header preemptively. Maybe the IP has been locked because of too many attempts? Is there any info in the OwnCloud logs?

    I would expect either that DAVdroid tries to connect with correct Authorization headers starting with the first attempts

    That is how it behaves here, and how it should behave. Are you sure that there is no problem with the password? Does it contain non-ASCII characters?

    Can you provide the necessary steps so that we can reproduce the problem? Without that, I can’t do anything.

    0
owncloud 69
Log in to reply