Great, thank you for keeping us up-to-date 😉
client certificates and okhttp failures: okhttp3.internal.http2.StreamResetException: stream was reset: HTTP_1_1_REQUIRED
-
Hi everyone,
I’m trying to get davx5 work with SSL client certificates but I’m running into problems so far.
If I access the server using username + password (doing Basic authentication), everything works as expected. As soon as I enable Client Certificates support, setting up a new account in DAVx5 fails with2019-05-22 20:21:33 428 [HttpClient] Using provider certificate michael@test.example.com for authentication (chain length: 2) 2019-05-22 20:21:33 428 [ui.setup.DavResourceFinder] Finding initial carddav service configuration 2019-05-22 20:21:33 428 [ui.setup.DavResourceFinder] Checking user-given URL: https://dav.test.example.com:8843/ 2019-05-22 20:21:33 428 [HttpClient] --> PROPFIND https://dav.test.example.com:8843/ 2019-05-22 20:21:33 428 [HttpClient] Content-Type: application/xml; charset=utf-8 2019-05-22 20:21:33 428 [HttpClient] Content-Length: 290 2019-05-22 20:21:33 428 [HttpClient] Depth: 0 2019-05-22 20:21:33 428 [HttpClient] 2019-05-22 20:21:33 428 [HttpClient] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><resourcetype /><displayname /><CARD:addressbook-description /><CARD:addressbook-home-set /><current-user-principal /></prop></propfind> 2019-05-22 20:21:33 428 [HttpClient] --> END PROPFIND (290-byte body) 2019-05-22 20:21:33 428 [HttpClient] <-- HTTP FAILED: okhttp3.internal.http2.StreamResetException: stream was reset: HTTP_1_1_REQUIRED 2019-05-22 20:21:33 428 [ui.setup.DavResourceFinder] PROPFIND/OPTIONS on user-given URL failed EXCEPTION okhttp3.internal.http2.StreamResetException: stream was reset: HTTP_1_1_REQUIRED at okhttp3.internal.http2.Http2Stream.takeHeaders(Http2Stream.java:158) at okhttp3.internal.http2.Http2Codec.readResponseHeaders(Http2Codec.java:131) at okhttp3.internal.http.CallServerInterceptor.intercept(CallServerInterceptor.java:88) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) at at.bitfire.davdroid.HttpClient$UserAgentInterceptor.intercept(HttpClient.kt:246) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:45) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:126) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:225) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:250) at okhttp3.RealCall.execute(RealCall.java:93) at at.bitfire.dav4jvm.DavResource$propfind$1.invoke(DavResource.kt:323) at at.bitfire.dav4jvm.DavResource$propfind$1.invoke(DavResource.kt:34) at at.bitfire.dav4jvm.DavResource.followRedirects(DavResource.kt:378) at at.bitfire.dav4jvm.DavResource.propfind(DavResource.kt:318) at at.bitfire.davdroid.ui.setup.DavResourceFinder.checkUserGivenURL(DavResourceFinder.kt:180) at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.kt:115) at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.kt:73) at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$DetectConfigurationModel$detectConfiguration$2.invoke(DetectConfigurationFragment.kt:83) at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$DetectConfigurationModel$detectConfiguration$2.invoke(DetectConfigurationFragment.kt:62) at kotlin.concurrent.ThreadsKt$thread$thread$1.run(Thread.kt:30)
A full log is attached davx5-info.txt
Is anyone successfully using authentication via client certificates and has an idea what is going wrong here?
-
https://stackoverflow.com/a/40093039
Reading this it looks like it might be a client problem.
-
Does it work when you disable HTTP/2 in the Web server? Can you provide a test account / certificate so that I can have a look?
-
Hi @rfc2822 ,
thanks for your swift reply!
Turning off HTTP2 support (in my case, IIS 10), does indeed work around the problem.
Unfortunately, this is a global switch for IIS, i.e. I can’t just turn it off for the CardDAV server (at least I haven’t found a way to do that) and I’d prefer not having to turn off HTTP/2 globally.Concerning the test account: The test system is running on a server without a public facing IP address, so this won’t be that easy.
But if this is what it takes to get this issue resolved, I’ll see what I can do. -
Seems like HTTP/2 does not support client certificates yet, so I guess it should be disabled both on server and client until this combination works fine. Will have to investigate further.
-
https://www.apachelounge.com/viewtopic.php?p=33810
This is from 2016, dunno what the current state of affairs is.
-
Can you try whether https://gitlab.com/bitfireAT/davx5-ose/commit/8f62c185ecf06ee532af79c91a45f6fe496c2c2a works for you?
-
Looking good so far. First tests indicate that everything is now working as expected. Thanks!
Should I run into problems, I’ll report back -
@mbiebl Ok. Thanks for the hint. Seems like there’s still plenty of work with HTTP/2…
-
-
@rfc2822 thanks again