No notification on SSL/TLS certificate errors

AutoImport-childnode

Seems to, sync silently fails if client (mobile) can’t succeed the SSL Handshake with the server. No Error in Accounts, No Notification about a failed sync. Still: “last sync: XX.XX.XXX …” << many days ago visible with a green sync icon in the account settings from DavDroid.

I doubt, this is caused by DavDroid using the SSL Stack from the system that - in my case - doesn’t support TLS 1.1+ but my Server is now hardened to only accept TLS 1.2.

E/davdroid.DavSyncAdapter( 7374): Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5e4c5020: Failure in SSL library, usually a protocol error
E/davdroid.DavSyncAdapter( 7374): error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0x59e51716:0x00000000)
E/davdroid.DavSyncAdapter( 7374):       at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)

What I expect:

• an visible error

What I wish:

• built in TLS 1.2 support even for old devices
  ^ but yes, there are someway valid arguments against this

Mobile:

• Sony Xperia SP Stock (Android 4.3)

Server:

• https://owncloud.childno.de
• see https://www.ssllabs.com/ssltest/analyze.html?d=owncloud.childno.de for encryption details

rfc2822

DAVdroid uses notifications when there’s a TLS problem. Which DAVdroid version do you use? Did you turn off notifications for DAVdroid?

AutoImport-childnode

running davdroid 0.7.7
but no, I not disabled any notifications.
As I tested it: notifications appear when you try to create a new account and there are errors connecting the server. Once account for davDroid has been set up but background sync fails, it doesn’t notify me

rfc2822

I doubt, this is caused by DavDroid using the SSL Stack from the system that - in my case -doesn’t support TLS 1.1+ but my Server is now hardened to only accept TLS 1.2.

Which Android version do you use, Android 4.0? DAVdroid of course uses the system SSL stack.

But: @childnode, @bks2hsj723:
I can’t reproduce that problem. Could you please provide detailed steps to reproduce that issue? Which DAVdroid version are you using? Are you absolutely sure that you didn’t turn off notifications in Settings / Applications / DAVdroid?

I have tried these two scenarios:

** SCENARIO 1 **

1. Add a trusted self-signed certificate (using CAdroid).
2. Add a DAVdroid account for a server with that certificate.
3. Change the certificate on the server to another self-signed certificate which is not yet trusted.

As expected, an error notification (Trust anchor not found) appears:

** SCENARIO 2 **

1. Add a trusted self-signed certificate (using CAdroid).
2. Add a DAVdroid account for a server with that certificate.
3. Change the server so that it only supports SSLv3, causing a protocol version mismatch because DAVdroid will only connect to TLS v1.0+.

As expected, an error notification (handshake aborted due to protocol error) appears:

AutoImport-childnode

sorry for delay.
apache SSL is:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
davdroid works flawlessly … still on Android 4.3(.0) … strange but good (using davdroid 0.8.1)

But: you can reproduce this issue by simply deny any valid SSL methods:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 or simply
SSLProtocol -All

Then goto android account manager, davdroid and force “sync” in the menu.

expected: davDroid will prompt for this error

got: nothing, but the logcat log is full of errors:

I/ActivityManager(  857): No longer want at.bitfire.davdroid:sync (pid 20205): empty for 3787s
I/ActivityManager(  857): Killing 20205:at.bitfire.davdroid:sync/u0a10218: remove task
I/WindowState(  857): WIN DEATH: Window{42ac0788 u0 at.bitfire.davdroid/at.bitfire.davdroid.ui.MainActivity}
I/ActivityManager(  857): Start proc at.bitfire.davdroid:sync for service at.bitfire.davdroid/.syncadapter.ContactsSyncAdapterService: pid=7670 uid=10218 gids={50218, 3003, 1028}
I/davdroid.DavSyncAdapter( 7670): Performing sync for authority com.android.contacts
D/davdroid.DavSyncAdapter( 7670): Creating new DavHttpClient
V/davdroid.TLS_SNI( 7670): Setting allowed TLS protocols: TLSv1, TLSv1.1, TLSv1.2
V/davdroid.TLS_SNI( 7670): Setting allowed TLS ciphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA
V/davdroid.URIUtils( 7670): Normalized URI https://owncloud.childno.de/remote.php/carddav/addressbooks/marcel/kontakte/ -> https://owncloud.childno.de/remote.php/carddav/addressbooks/marcel/kontakte/ assuming that it was an URI or path name
D/davdroid.WebDavResource( 7670): Using preemptive authentication (not compatible with Digest auth)
I/davdroid.SyncManager( 7670): Remotely removing 0 deleted resource(s) (if not changed)
I/davdroid.SyncManager( 7670): Uploading 0 new resource(s) (if not existing)
I/davdroid.SyncManager( 7670): Uploading 0 modified resource(s) (if not changed)
E/davdroid.DavSyncAdapter( 7670): I/O error (Android will try again later)
E/davdroid.DavSyncAdapter( 7670): org.apache.http.conn.HttpHostConnectException: Connection to https://owncloud.childno.de:443 refused
E/davdroid.DavSyncAdapter( 7670): 	at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:146)
E/davdroid.DavSyncAdapter( 7670): 	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:318)
E/davdroid.DavSyncAdapter( 7670): 	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:373)
E/davdroid.DavSyncAdapter( 7670): 	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:225)
E/davdroid.DavSyncAdapter( 7670): 	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
E/davdroid.DavSyncAdapter( 7670): 	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
E/davdroid.DavSyncAdapter( 7670): 	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
E/davdroid.DavSyncAdapter( 7670): 	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:178)
E/davdroid.DavSyncAdapter( 7670): 	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
E/davdroid.DavSyncAdapter( 7670): 	at at.bitfire.davdroid.webdav.WebDavResource.propfind(WebDavResource.java:273)
E/davdroid.DavSyncAdapter( 7670): 	at at.bitfire.davdroid.resource.RemoteCollection.getCTag(RemoteCollection.java:64)
E/davdroid.DavSyncAdapter( 7670): 	at at.bitfire.davdroid.syncadapter.SyncManager.synchronize(SyncManager.java:58)
E/davdroid.DavSyncAdapter( 7670): 	at at.bitfire.davdroid.syncadapter.DavSyncAdapter.onPerformSync(DavSyncAdapter.java:137)
E/davdroid.DavSyncAdapter( 7670): 	at android.content.AbstractThreadedSyncAdapter$SyncThread.run(AbstractThreadedSyncAdapter.java:261)
E/davdroid.DavSyncAdapter( 7670): Caused by: java.net.ConnectException: failed to connect to owncloud.childno.de/2a01:488:66:1000:57e6:11d5:0:1 (port 443) after 20000ms: isConnected failed: ECONNREFUSED (Connection refused)
E/davdroid.DavSyncAdapter( 7670): 	at libcore.io.IoBridge.isConnected(IoBridge.java:227)
E/davdroid.DavSyncAdapter( 7670): 	at libcore.io.IoBridge.connectErrno(IoBridge.java:165)
E/davdroid.DavSyncAdapter( 7670): 	at libcore.io.IoBridge.connect(IoBridge.java:116)
E/davdroid.DavSyncAdapter( 7670): 	at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:192)
E/davdroid.DavSyncAdapter( 7670): 	at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:460)
E/davdroid.DavSyncAdapter( 7670): 	at java.net.Socket.connect(Socket.java:837)
E/davdroid.DavSyncAdapter( 7670): 	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:263)
E/davdroid.DavSyncAdapter( 7670): 	at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:124)
E/davdroid.DavSyncAdapter( 7670): 	... 13 more
E/davdroid.DavSyncAdapter( 7670): Caused by: libcore.io.ErrnoException: isConnected failed: ECONNREFUSED (Connection refused)
E/davdroid.DavSyncAdapter( 7670): 	at libcore.io.IoBridge.isConnected(IoBridge.java:212)
E/davdroid.DavSyncAdapter( 7670): 	... 20 more
I/davdroid.DavSyncAdapter( 7670): Sync complete for com.android.contacts
D/davdroid.DavSyncAdapter( 7670): Closing httpClient

to reproduce the Handshake error, I just enable old SSL and disable TLS while davdroid tells us:
Setting allowed TLS protocols: TLSv1, TLSv1.1, TLSv1.2
=>
SSLProtocol -all +SSLv3
but for this, you are right: the error is (now?!) displayed.

So I think my original “bug” nowadays invalid.

But please add some errorhandling for unavailable / misconfigured servers as mentioned above. Or is this “works as designed?” so users are not bugged by errors if the “sysadmin” is rebooting or doing some stuff? Isn’t it possible to then return a “failed” errorcode so the sync is not marked as “completed” in android?

rfc2822

E/davdroid.DavSyncAdapter( 7670): I/O error (Android will try again later)
E/davdroid.DavSyncAdapter( 7670): org.apache.http.conn.HttpHostConnectException: Connection to https://owncloud.childno.de:443 refused

But please add some errorhandling for unavailable / misconfigured servers as mentioned above. Or is this “works as designed?” so users are not bugged by errors if the “sysadmin” is rebooting or doing some stuff?

Indeed, this is considered as a soft error, not only because the server could be rebooted but mainly because mobile clients are not expected to have a stable internet connection. When you’re on mobile data and drive through a tunnel, and Android starts a DAVdroid sync, I guess it would be irritating to show a server error.

Isn’t it possible to then return a “failed” errorcode so the sync is not marked as “completed” in android?

This should be the case. DAVdroid sets a soft sync error, and on my devices, these errors result in a temporary “sync was not successful” error in Android settings, which disappears as soon as the sync is successful.

AutoImport-childnode

ok then … I doubt that there are still some problems but I have not the time to reproduce them atm. so closing with the given explanation is ok for now, I’ll come back if I have more details Thx