Seemingly sporadic HTTP-400 error with client certificates


  • Hi all,
    I sporadically received HTTP 400 errors when connecting to nextcloud/calibre behind an nginx reverse proxy which enforces client certificates (in addition to user/password login). The detailed message gave away that no client certificate had been sent, and logcat showed

    03-09 20:46:33.872 13625 13646 E davx5   : EXCEPTION java.lang.InterruptedException
    03-09 20:46:33.872 13625 13646 E davx5   :      at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.reportInterruptAfterWait(AbstractQueuedSynchronizer.java:2034)
    03-09 20:46:33.872 13625 13646 E davx5   :      at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2068)
    03-09 20:46:33.872 13625 13646 E davx5   :      at java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:442)
    03-09 20:46:33.872 13625 13646 E davx5   :      at android.security.KeyChain.bindAsUser(KeyChain.java:801)
    03-09 20:46:33.872 13625 13646 E davx5   :      at android.security.KeyChain.bind(KeyChain.java:766)
    03-09 20:46:33.872 13625 13646 E davx5   :      at android.security.KeyChain.getCertificateChain(KeyChain.java:621)
    03-09 20:46:33.872 13625 13646 E davx5   :      at at.bitfire.davdroid.HttpClient$Builder.build(HttpClient.kt:6)
    03-09 20:46:33.872 13625 13646 E davx5   :      at at.bitfire.davdroid.syncadapter.SyncManager.<init>(SyncManager.kt:13)
    03-09 20:46:33.872 13625 13646 E davx5   :      at at.bitfire.davdroid.syncadapter.TasksSyncManager.<init>(TasksSyncManager.kt:1)
    03-09 20:46:33.872 13625 13646 E davx5   :      at at.bitfire.davdroid.syncadapter.TasksSyncAdapterService$TasksSyncAdapter.sync(TasksSyncAdapterService.kt:14)
    03-09 20:46:33.872 13625 13646 E davx5   :      at at.bitfire.davdroid.syncadapter.SyncAdapterService$SyncAdapter.onPerformSync(SyncAdapterService.kt:13)
    03-09 20:46:33.872 13625 13646 E davx5   :      at android.content.AbstractThreadedSyncAdapter$SyncThread.run(AbstractThreadedSyncAdapter.java:272)
    

    It took me a while to track down how to reproduce this:

  • developer

    @stephan-ritscher Thanks for the report.

    “Unfortunately”, I was not able to reproduce the problem, neither with your instructions, nor when throwing InterruptedException or setting the thread as interrupted manually.


  • Hi @rfc2822, thanks for checking.
    I received the HTTP-400 error regularly, at least once a day, often several times.
    Maybe the error is more specific to my setup:

    • radicale behind nginx which enforces client certificates from my own CA (previously nextcloud instead of radicale with same problem)
    • hosted on a Raspberry Pi (implying slower responses)
    • multiple calendars (6), some of them readonly (if I remember correctly, one of the readonly calendars usually failed, but this might be coincidence - it is also first in alphabet), additionally one addressbook (all on same server with same user account)
    • long history of events, all together ~6000 items in total in the calendars/addressbook

    I was quite busy the last week, but today I was able to apply the fix myself: https://gitlab.com/stephan.ritscher/davx5-ose/-/tree/fix-certs
    I tried to reproduce it using the described procedure and the error was gone. I will monitor it for a couple of days and report back / create a pull request.
    Best regards,
    Stephan


  • Hi @rfc2822,
    good news: while running the branch for a full 2 days now, the HTTP 400 error didn’t occur one single time. So this seems to fix my problem. I just created the merge request https://gitlab.com/bitfireAT/davx5-ose/-/merge_requests/57 for it.
    Also I wanted to mention that in the past I experienced Samsung smartphones (with original firmware - that’s actually what I’m currently working with) behave slightly differently regarding crypto API.
    Best regards,
    Stephan

  • developer

    @stephan-ritscher Thanks. I had a look and I think I have discovered the underlying problem. It should be fixed with this commit:

    https://gitlab.com/bitfireAT/davx5-ose/-/commit/e19ae992ea13cfb3e65bead9ea56aba5c3385981

    It doesn’t need extra logic, but instead reduces the code by some lines. Would it be possible that you test this one and tell me whether it fixes your problem?


  • Hi @rfc2822,
    I just managed to install your new fix and after playing around a bit it looks very good. Just as expected, since your code should behave just the same in the error case I had.
    Thanks,
    Stephan

  • developer

    @stephan-ritscher Thanks. So this fix will make it to the next release.
