Non-standard port ignored with untrusted cert

  • I just installed DAVdroid version 1.7.2-ose from F-Droid on a OnePlus 5 (OxygenOS 4.5.10 / Android 7.1.1, security patch level 1 July 2017) and tried to add an account with a non-default port in the URL. The server is Apache running ownCloud, and the URL I used for configuring DAVdroid was like this:

    The server is running a generally non-trusted cert, so I was expecting a cert dialog, which I got. But the certificate shown in the dialog is not from the server software running on the specified port 12345. Instead the default certificate used on port 443 is shown. When I looked at the network traffic, I initially see traffic to port 12345 and right after that I see traffic to port 443.

    My guess is that port 12345 is dropped at some point from the URL actually used, possibly when the suspect URL/host is passed to a cert manager tasked with showing the user the untrusted certificate for acceptance.

    In any case there should not be traffic to other ports when I manually specify a port in the URL. The server httpd logs do not show any HTTP queries, so the requests are apparently aborted by DAVdroid before HTTP is even started inside TLS, which is appropriate, given that the cert is still untrusted at that point.

  • developer

    Are you sure that there is no redirect to :443, for instance by the well-known URLs or the server itself?

    Also, please provide verbose DAVdroid logs as described in [READ BEFORE POSTING] What's required to diagnose a problem. The logs contain all requests and how they're built.

  • The connections never got past TLS negotiation, so there is no chance that a well-known URL or a redirect could have been given by the server, and there are none defined in the URL hierarchy on port 12345 anyway. Also, there are no related SRV records in the DNS.

    I tried again and looked a bit further into the data streams. It looks like the server configuration had limited cipher suites so that no common suite was found between DAVdroid and the server on port 12345. The client tried twice, both times ending in the server sending a TLS alert due to the cipher suite mismatch. After that I see a DNS SRV query for which is answered with "no such name" (NXDOMAIN). Immediately after that, traffic to port 443 starts and the note about the invalid server cert on port 443 is shown. The cipher suite configuration on port 443 has been compatible enough all the time, so a handshake to that port goes far enough to return the certificate.

    I loosened up the acceptable cipher suite list on the server on port 12345 enough to include a cipher suite sent by DAVdroid in the client hello and now it works. Pretty weird / misleading user experience.

    Anyway thank you for your work on DAVdroid! Not having native DAV synchronization is a significant deficiency in Android, DAVdroid seems to be filling that gap nicely.
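The diagnosis in the post above (a fatal handshake_failure alert on port 12345 right after the ClientHello, versus a handshake on port 443 that gets as far as the Certificate message) can be confirmed from a packet capture without guessing. The following is an added example, written for this page and not DAVdroid, ownCloud or Apache code: a minimal TLS 1.2 record classifier that lists the cipher suites the client offered and reports whether the server replied with a fatal alert or delivered a certificate. The byte streams it runs on are constructed by hand here, not captured from the poster's setup; the cipher-suite numbers and alert codes are the IANA-registered values.

```python
# Added example (not DAVdroid, ownCloud or Apache code): classify one TLS
# connection from its raw record bytes. All sample streams are constructed
# below for illustration; nothing here is a capture from the poster's server.
import struct

ALERT, HANDSHAKE = 21, 22                     # TLS record content types
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 1, 2, 11
TLS12 = b"\x03\x03"
ALERT_DESCRIPTIONS = {40: "handshake_failure", 48: "unknown_ca",
                      70: "protocol_version", 71: "insufficient_security"}
SUITE_NAMES = {                               # IANA cipher-suite registry values
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}


def records(stream):
    """Split one direction of a TLS byte stream into (content_type, body)."""
    off = 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        yield ctype, body
        off += 5 + length


def handshake_messages(body):
    """Split a handshake record body into (handshake_type, payload)."""
    off = 0
    while off < len(body):
        hs_type = body[off]
        length = int.from_bytes(body[off + 1:off + 4], "big")
        yield hs_type, body[off + 4:off + 4 + length]
        off += 4 + length


def _after_session_id(payload):
    # Both Hello messages start with legacy_version(2) + random(32) + session_id<0..32>.
    off = 2 + 32
    return off + 1 + payload[off]


def client_hello_suites(payload):
    """Cipher suites offered in a ClientHello payload, in client preference order."""
    off = _after_session_id(payload)
    n = struct.unpack("!H", payload[off:off + 2])[0]
    off += 2
    return [struct.unpack("!H", payload[i:i + 2])[0] for i in range(off, off + n, 2)]


def server_hello_suite(payload):
    """Cipher suite the server selected in its ServerHello."""
    off = _after_session_id(payload)
    return struct.unpack("!H", payload[off:off + 2])[0]


def diagnose(client_stream, server_stream):
    """Summarise what the server did with the client's ClientHello."""
    offered = []
    for ctype, body in records(client_stream):
        if ctype == HANDSHAKE:
            for hs_type, payload in handshake_messages(body):
                if hs_type == CLIENT_HELLO:
                    offered = client_hello_suites(payload)
    result = {"offered": [SUITE_NAMES.get(s, hex(s)) for s in offered],
              "chosen": None, "certificate": False, "verdict": ""}
    for ctype, body in records(server_stream):
        if ctype == ALERT and body[0] == 2:                     # AlertLevel 2 = fatal
            desc = ALERT_DESCRIPTIONS.get(body[1], str(body[1]))
            if body[1] == 40 and result["chosen"] is None:
                result["verdict"] = "no common cipher suite (fatal handshake_failure before ServerHello)"
            else:
                result["verdict"] = "fatal alert: " + desc
            return result
        if ctype == HANDSHAKE:
            for hs_type, payload in handshake_messages(body):
                if hs_type == SERVER_HELLO:
                    s = server_hello_suite(payload)
                    result["chosen"] = SUITE_NAMES.get(s, hex(s))
                elif hs_type == CERTIFICATE:
                    result["certificate"] = True
    result["verdict"] = "certificate delivered" if result["certificate"] else "handshake incomplete"
    return result


def _handshake_record(hs_type, payload):
    msg = bytes([hs_type]) + len(payload).to_bytes(3, "big") + payload
    return bytes([HANDSHAKE]) + TLS12 + struct.pack("!H", len(msg)) + msg


def build_client_hello(suites):
    """Minimal TLS 1.2 ClientHello record offering the given suites (no extensions)."""
    body = TLS12 + b"\x00" * 32 + b"\x00"                       # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                          # compression methods: null only
    return _handshake_record(CLIENT_HELLO, body)


def build_server_hello(suite):
    body = TLS12 + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _handshake_record(SERVER_HELLO, body)


# Constructed samples, not captures: the "port 12345" server answers the offer with a
# fatal handshake_failure alert; the "port 443" server answers ServerHello + Certificate.
CLIENT_HELLO_BYTES = build_client_hello([0xC02F, 0xC030])
PORT_12345_REPLY = bytes([ALERT]) + TLS12 + b"\x00\x02" + b"\x02\x28"
PORT_443_REPLY = build_server_hello(0xC02F) + _handshake_record(CERTIFICATE, b"\x00\x00\x00")

if __name__ == "__main__":
    for port, reply in ((12345, PORT_12345_REPLY), (443, PORT_443_REPLY)):
        print(port, diagnose(CLIENT_HELLO_BYTES, reply))
```

With a real capture you would feed `diagnose` the client-to-server and server-to-client halves of the TCP stream (for example, the raw bytes from Wireshark's "Follow TCP Stream" view) for each connection the client made; the "offered" list then tells the server administrator exactly which suites to enable, which is the fix the poster applied. For a quick live check without a capture, `openssl s_client -connect host:12345` will show the same fatal alert from a server whose cipher list does not overlap with the client's.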
