DAVx5 fails to send server-required SSL cert: "400 No required SSL certificate was sent" ?

A Former User

I’ve a Radicale3 server serving up contacts/calendars.

It sits behind an nginx reverse-proxy front end; auth to Radicale is provided by passthrough basic auth.

With the following nginx config – with NO ssl client cert verification – DavX5 connects without issue:

server {

	listen 10.0.1.20:10000 ssl http2;
	server_name front.example.com;
	root /dev/null;
	autoindex off;

	ssl_verify_client off;
	ssl_verify_depth 2;
	ssl_client_certificate "/srv/ssl/myCA_CHAIN.crt";
	ssl_certificate        "/srv/ssl/front.server.EC.crt";
	ssl_certificate_key    "/srv/ssl/front.server.EC.key";

	location / {
		root /srv/nulldir;
		allow 10.0.1.100;
		deny all;
		try_files $uri $uri/ =404;
	}

	location /dav/ {

		proxy_pass https://radicale.example.com:20000/;
		proxy_ssl_name radicale.example.com;
		proxy_set_header  X-Script-Name /dav;

		proxy_ssl_verify on;
		proxy_ssl_verify_depth 2;

		proxy_ssl_certificate         "/srv/ssl/radicale.client.EC.crt";
		proxy_ssl_certificate_key     "/srv/ssl/radicale.client.EC.key";
		proxy_ssl_trusted_certificate "/srv/ssl/myCA_CHAIN.crt";

		auth_basic "DAV - Password Required";
		auth_basic_user_file /srv/auth/radicale.auth;

		include includes/reverse-proxy.inc;
	}

however,

if I require ssl client verification,

-	ssl_verify_client off;
+	ssl_verify_client on;

ensuring a valid cert on the phone, connection fails, apparently because DavX5 fails to send an SSL cert; debug logs follow.

what additional config/settings are required for DavX5 to correctly serve-up the client-side cert for verification @ the server?

--- BEGIN DEBUG INFO ---

SYNCHRONIZATION INFO
Account: Account {name=Card.001 (testuser@example.com Ug), type=at.bitfire.davdroid.address_book}
Authority: com.android.contacts

EXCEPTION
at.bitfire.dav4jvm.exception.HttpException: HTTP 400 
	at at.bitfire.dav4jvm.DavResource.checkStatus(DavResource.kt:6)
	at at.bitfire.dav4jvm.DavResource.checkStatus(DavResource.kt:3)
	at at.bitfire.dav4jvm.DavResource.processMultiStatus(DavResource.kt:1)
	at at.bitfire.dav4jvm.DavResource.propfind(DavResource.kt:11)
	at at.bitfire.davdroid.syncadapter.ContactsSyncManager$queryCapabilities$1.invoke(ContactsSyncManager.kt:3)
	at at.bitfire.davdroid.syncadapter.ContactsSyncManager$queryCapabilities$1.invoke(ContactsSyncManager.kt:1)
	at at.bitfire.davdroid.syncadapter.SyncManager.remoteExceptionContext(SyncManager.kt:1)
	at at.bitfire.davdroid.syncadapter.SyncManager.remoteExceptionContext(SyncManager.kt:9)
	at at.bitfire.davdroid.syncadapter.ContactsSyncManager.queryCapabilities(ContactsSyncManager.kt:3)
	at at.bitfire.davdroid.syncadapter.SyncManager$performSync$1.invoke(SyncManager.kt:6)
	at at.bitfire.davdroid.syncadapter.SyncManager$performSync$1.invoke(SyncManager.kt:1)
	at at.bitfire.davdroid.syncadapter.SyncManager.unwrapExceptions(SyncManager.kt:1)
	at at.bitfire.davdroid.syncadapter.SyncManager.performSync(SyncManager.kt:5)
	at at.bitfire.davdroid.syncadapter.ContactsSyncAdapterService$ContactsSyncAdapter.sync(ContactsSyncAdapterService.kt:15)
	at at.bitfire.davdroid.syncadapter.SyncAdapterService$SyncAdapter.onPerformSync(SyncAdapterService.kt:17)
	at android.content.AbstractThreadedSyncAdapter$SyncThread.run(AbstractThreadedSyncAdapter.java:334)

HTTP REQUEST
Request{method=PROPFIND, url=https://front.example.com:10000/dav/testuser%40example.com/33333333-3333-3333-3333-333333333333/, headers=[Depth:0, Accept-Encoding:br,gzip]}
<?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><CARD:supported-address-data /><supported-report-set /><n0:getctag xmlns:n0="http://calendarserver.org/ns/" /><sync-token /></prop></propfind>
HTTP RESPONSEResponse{protocol=h2, code=400, message=, url=https://front.example.com:10000/dav/testuser%40example.com/33333333-3333-3333-3333-333333333333/}
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx</center>
</body>
</html>

REMOTE RESOURCE
https://front.example.com:10000/dav/testuser%40example.com/33333333-3333-3333-3333-333333333333/

SOFTWARE INFORMATION

┌────────────────────────────────┬─────────────┬───────────┬─────────────────────┬───────┐
│ Package                        │ Version     │ Code      │ Installer           │ Notes │
├────────────────────────────────┼─────────────┼───────────┼─────────────────────┼───────┤
│ at.bitfire.davdroid            │ 3.3.1-gplay │ 303010001 │ com.android.vending │       │
│ org.dmfs.tasks                 │ 1.2.3       │ 77600     │ com.android.vending │       │
│ com.android.providers.contacts │ 10          │ 29        │ —                   │       │
│ com.android.providers.calendar │ 10          │ 29        │ —                   │       │
│ com.android.contacts           │ 1.7.31      │ 10731     │ —                   │       │
│ com.dw.contacts                │ 3.1.7.5     │ 3175      │ com.android.vending │       │
│ org.lineageos.etar             │ 10          │ 29        │ —                   │       │
│ com.aboutmycode.betteropenwith │ 1.4.11      │ 53        │ com.android.vending │       │
│ com.appgenix.bizcal            │ 2.40.4      │ 240403    │ com.android.vending │       │
└────────────────────────────────┴─────────────┴───────────┴─────────────────────┴───────┘

SYSTEM INFORMATION

Android version: 10 (lineage_star2lte-userdebug 10 QQ3A.200605.001 eng.rob.20200712.181146 test-keys)
Device: samsung SM-G965F (star2lte)


CONNECTVITY

 ☒ [ Transports: CELLULAR Capabilities: MMS SUPL IA INTERNET NOT_RESTRICTED TRUSTED NOT_VPN VALIDATED NOT_ROAMING FOREGROUND NOT_CONGESTED NOT_SUSPENDED LinkUpBandwidth>=15000Kbps LinkDnBandwidth>=30000Kbps Specifier: <1>]

Data saver: disabled


CONFIGURATION

Power saving disabled: yes
System-wide synchronization: automatically

Notifications:
 - sync  isBlocked=false
  * syncProblems: importance=2
  * syncIoErrors: importance=1
  * syncWarnings: importance=2
 - cert4android: importance=2
 - general: importance=2
 - debug: importance=0

Permissions:
 - READ_CONTACTS: granted
 - WRITE_CONTACTS: granted
 - READ_CALENDAR: granted
 - WRITE_CALENDAR: granted
 - READ_TASKS: granted
 - WRITE_TASKS: granted
 - ACCESS_COARSE_LOCATION: denied


ACCOUNTS

 - Account: shared@example.com

┌──────────────────────────────────┬────────────┬──────────────────────┬───────────────┐
│ Authority                        │ isSyncable │ getSyncAutomatically │ Sync interval │
├──────────────────────────────────┼────────────┼──────────────────────┼───────────────┤
│ at.bitfire.davdroid.addressbooks │ 1          │ true                 │ 60 min        │
│ com.android.calendar             │ 1          │ true                 │ 60 min        │
│ com.android.contacts             │ 0          │ false                │ —             │
│ org.dmfs.tasks                   │ 1          │ true                 │ 60 min        │
└──────────────────────────────────┴────────────┴──────────────────────┴───────────────┘

WiFi only: false
Contact group method: CATEGORIES
Time range (past days): null
Default alarm (min before): null
Manage calendar colors: true
Use event colors: true

   * Address book: Card.Shared (shared@example.com eg)
   
   ┌────────────┬──────────────────────┬───────────────┐
   │ isSyncable │ getSyncAutomatically │ Sync interval │
   ├────────────┼──────────────────────┼───────────────┤
   │ 1          │ true                 │ 1440 min      │
   └────────────┴──────────────────────┴───────────────┘
   
      URL: https://front.example.com:10000/dav/shared%40example.com/22222222-2222-2222-2222-222222222222/
   Read-only: 0

 - Account: testuser@example.com

┌──────────────────────────────────┬────────────┬──────────────────────┬───────────────┐
│ Authority                        │ isSyncable │ getSyncAutomatically │ Sync interval │
├──────────────────────────────────┼────────────┼──────────────────────┼───────────────┤
│ at.bitfire.davdroid.addressbooks │ 1          │ true                 │ 60 min        │
│ com.android.calendar             │ 1          │ true                 │ 60 min        │
│ com.android.contacts             │ 0          │ false                │ —             │
│ org.dmfs.tasks                   │ 1          │ true                 │ 60 min        │
└──────────────────────────────────┴────────────┴──────────────────────┴───────────────┘

WiFi only: false
Contact group method: CATEGORIES
Time range (past days): null
Default alarm (min before): null
Manage calendar colors: true
Use event colors: true

   * Address book: Card.001 (testuser@example.com Ug)
   
   ┌────────────┬──────────────────────┬───────────────┐
   │ isSyncable │ getSyncAutomatically │ Sync interval │
   ├────────────┼──────────────────────┼───────────────┤
   │ 1          │ true                 │ —             │
   └────────────┴──────────────────────┴───────────────┘
   
      URL: https://front.example.com:10000/dav/testuser%40example.com/33333333-3333-3333-3333-333333333333/
   Read-only: 0


DATABASE DUMP

android_metadata

┌────────┐
│ locale │
├────────┤
│ en_US  │
└────────┘

service

┌────┬────────────────────────────┬─────────┬───────────────────────────────────────────────────────────────────────────────┐
│ id │ accountName                │ type    │ principal                                                                     │
├────┼────────────────────────────┼─────────┼───────────────────────────────────────────────────────────────────────────────┤
│ 7  │ shared@example.com         │ carddav │ https://front.example.com:10000/dav/shared%40example.com/                     │
│ 8  │ shared@example.com         │ caldav  │ https://front.example.com:10000/dav/shared%40example.com/                     │
│ 9  │ testuser@example.com       │ carddav │ https://front.example.com:10000/dav/testuser%40example.com/                   │
│ 10 │ testuser@example.com       │ caldav  │ https://front.example.com:10000/dav/testuser%40example.com/                   │
└────┴────────────────────────────┴─────────┴───────────────────────────────────────────────────────────────────────────────┘

sqlite_sequence

┌────────────┬─────┐
│ name       │ seq │
├────────────┼─────┤
│ service    │ 10  │
│ collection │ 10  │
│ homeset    │ 10  │
└────────────┴─────┘

homeset

┌────┬───────────┬───────────────────────────────────────────────────────────────────────────────┬──────────┬─────────────┐
│ id │ serviceId │ url                                                                           │ privBind │ displayName │
├────┼───────────┼───────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────┤
│ 7  │ 8         │ https://front.example.com:10000/dav/shared%40example.com/                     │ 1        │ —           │
│ 8  │ 7         │ https://front.example.com:10000/dav/shared%40example.com/                     │ 1        │ —           │
│ 9  │ 9         │ https://front.example.com:10000/dav/testuser%40example.com/                   │ 1        │ —           │
│ 10 │ 10        │ https://front.example.com:10000/dav/testuser%40example.com/                   │ 1        │ —           │
└────┴───────────┴───────────────────────────────────────────────────────────────────────────────┴──────────┴─────────────┘

collection

┌────┬───────────┬──────────────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬──────────────────┬────────────┬───────────────┬─────────────────┬─────────────────┬───────────┬──────────┬────────────────┬───────────────┬──────────────────┬────────┬──────┐
│ id │ serviceId │ type         │ url                                                                                                                │ privWriteContent │ privUnbind │ forceReadOnly │ displayName     │ description     │ color     │ timezone │ supportsVEVENT │ supportsVTODO │ supportsVJOURNAL │ source │ sync │
├────┼───────────┼──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────┼────────────┼───────────────┼─────────────────┼─────────────────┼───────────┼──────────┼────────────────┼───────────────┼──────────────────┼────────┼──────┤
│ 7  │ 8         │ CALENDAR     │ https://front.example.com:10000/dav/shared%40example.com/11111111-1111-1111-1111-111111111111/                     │ 1                │ 1          │ 0             │ Cal.Shared      │ Cal.Shared      │ -7021909  │ —        │ 1              │ 1             │ 1                │ —      │ 1    │
│ 8  │ 7         │ ADDRESS_BOOK │ https://front.example.com:10000/dav/shared%40example.com/22222222-2222-2222-2222-222222222222/                     │ 1                │ 1          │ 0             │ Card.Shared     │ Card.Shared     │ —         │ —        │ —              │ —             │ —                │ —      │ 1    │
│ 9  │ 9         │ ADDRESS_BOOK │ https://front.example.com:10000/dav/testuser%40example.com/33333333-3333-3333-3333-333333333333/                   │ 1                │ 1          │ 0             │ Card.001        │ Card.001        │ —         │ —        │ —              │ —             │ —                │ —      │ 1    │
│ 10 │ 10        │ CALENDAR     │ https://front.example.com:10000/dav/testuser%40example.com/44444444-4444-4444-4444-444444444444/                   │ 1                │ 1          │ 0             │ Cal.001         │ Cal.001         │ -10782310 │ —        │ 1              │ 1             │ 1                │ —      │ 1    │
└────┴───────────┴──────────────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴──────────────────┴────────────┴───────────────┴─────────────────┴─────────────────┴───────────┴──────────┴────────────────┴───────────────┴──────────────────┴────────┴──────┘

room_master_table

┌────┬──────────────────────────────────┐
│ id │ identity_hash                    │
├────┼──────────────────────────────────┤
│ 42 │ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa │
└────┴──────────────────────────────────┘


APP SETTINGS

1. SharedPreferencesProvider canWrite=true

┌───────────────────────────┬───────────┐
│ Setting                   │ Value     │
├───────────────────────────┼───────────┤
│ distrust_system_certs     │ false     │
│ hint_AutostartPermissions │ false     │
│ log_to_file               │ true      │
│ override_proxy            │ false     │
│ override_proxy_host       │ localhost │
│ override_proxy_port       │ 8118      │
└───────────────────────────┴───────────┘

2. DefaultsProvider canWrite=false

┌───────────────────────┬───────────┐
│ Setting               │ Value     │
├───────────────────────┼───────────┤
│ distrust_system_certs │ false     │
│ override_proxy        │ false     │
│ override_proxy_host   │ localhost │
│ override_proxy_port   │ 8118      │
└───────────────────────┴───────────┘

--- END DEBUG INFO ---

rfc2822

Hi,

Did you choose “Login with URL and client certificate” when creating the DAVx5 account?

A Former User

I’d attempted that …

However, in that config it no longer passes the password required for Radicale login.

I need both: access control with cert to the Nginx front-end, and auth control with user:pass to the Radicale back-end.

rfc2822

@pgnd This is currently not possible with DAVx5, because there is no UI for that. See https://gitlab.com/bitfireAT/davx5-ose/-/wikis/Roadmap “login”

A Former User

so it is either-or, not both at the moment.

that feature will be useful – and necessary for several new/planned organization-wide implementations. here, anyway.

is that feature tagged to a milestone? with any associated timeframe?

rfc2822

@pgnd said in DAVx5 fails to send server-required SSL cert: "400 No required SSL certificate was sent" ?:

so it is either-or, not both at the moment.

Yes.

that feature will be useful – and necessary for several new/planned organization-wide implementations. here, anyway.

I see. What is the use case? We have implemented client-side certificate for an organization, too. What is the user name/password needed for? Isn’t the client certificate used to identify the client?

is that feature tagged to a milestone? with any associated timeframe?

No, unfortunately not. There are so many other things at the moment.

rfc2822

There’s also already a merge request for that: https://gitlab.com/bitfireAT/davx5-ose/-/merge_requests/13 (as you can see, it’s only an UI thing; because the engine can already do Basic and client certificates)

But there are some unresolved UI implications yet, and UI is always complicated.

A Former User

What is the use case? We have implemented client-side certificate for an organization, too. What is the user name/password needed for? Isn’t the client certificate used to identify the client?

the nginx front-end reverse-proxies many backend apps.

the client cert provides access control for access to the front-end.

auth to the backend apps is provided by their respective, individual auth mechanisms. typically username + strong-pass.

that’ll eventually be additionally wrapped in an SSO portal that’ll add 2FA.

A Former User

No, unfortunately not. There are so many other things at the moment.

understood.

as much as I personally like the davx5 client functionality/stability, it seems like this may not be the solution that fits for broader use here.