Broken SSL with 0.9.0.4



  • Since I updated from 0.8.4.1 to 0.9.0.4 via F-Droid a few days ago, all syncing has stopped without giving an error, notification, etc. I uninstalled and reinstalled DAVdroid and now I get an error when I try to add a new account which says something along the lines of "No calendars or address books found" (I don't remember the exact wording). The error log consists of many PROPFIND runs, all looking like:

    [debug] PROPFIND on user-given URL failed - EXCEPTION:
    java.io.IOException: stream was reset: PROTOCOL_ERROR
    at com.squareup.okhttp.internal.framed.FramedStream.getResponseHeaders(FramedStream.java:146)
    at ...

    and so on. I use OwnCloud with a certificate from CAcert and have installed their root certificates to /system/etc/security/cacerts/. Before I installed the certs, DAVdroid asked whether I accept the unknown server certificate; I clicked yes and received the same error.

    You can try to reproduce the issue under the URL: https://pim.devkid.net/. Using the old version 0.8.4.1 still works. Opening the URL directly in a browser (AOSP browser) also works; however, opening it in Firefox for Android gives an error sec_error_cert_signature_algorithm_disabled, which might be related to this problem.


  • developer

    Sounds like a SPDY problem. Do you use SPDY/HTTP2? Did you try with disabled SPDY? Did you test the server with https://www.ssllabs.com/ssltest/ ?



  • HTTP2 is enabled in the nginx configuration, however after disabling the "http2" option several checks (like https://tools.keycdn.com/http2-test) still reported that HTTP2 was supported. Weird.

    I tested the server with multiple online SSL test sites, including SSL Labs, the only problems they report are that the cert isn't trusted and that some cipher suites are weak.


  • developer

    @devkid So disabling HTTP2 doesn't change anything? Which nginx version are you using? One person has reported problems with 1.9.5, but my 1.8.x works perfectly with DAVdroid.



  • Well, I removed the "http2" options from nginx, but the tests still said it's enabled, so I'm not quite sure. I'm using nginx version 1.9.5.


  • developer

    @devkid said:

    Well, I removed the "http2" options from nginx, but the tests still said it's enabled, so I'm not quite sure. I'm using nginx version 1.9.5.

    https://www.nginx.com/resources/wiki/start/topics/tutorials/install/ says: "The mainline branch gets new features and bugfixes sooner but might introduce new bugs as well."

    I don't know whether this is even the reason for your problems, but as said above, at least one person had a very similar problem because of HTTP/2/SPDY with nginx 1.9.5. It may of course also be a problem in okhttp which is used by DAVdroid, but I'd try the stable version of nginx first.



  • The thing is: everything worked totally fine with DAVdroid 0.8.4.1 and stopped working with 0.9.0.4, without changing nginx versions or configuration. Therefore I guess the problem lies within DAVdroid (or its libraries), not within nginx.


  • developer

    @devkid DAVdroid 0.8 didn't use okhttp, thus it didn't support HTTP/2 / SPDY.

    Now it does, but it doesn't work with your server. How can you know that DAVdroid is the problem? I have heard this argument ("everything worked before") about 10.000 times, and in 9.999 times the problem was not DAVdroid.

    I'm interested in getting these things working and I don't know what's the cause of your problem, but "it worked before, now it doesn't, so there's a DAVdroid bug, fix it" is not an accurate bug report and it won't help getting these things working.

