Synology: TLS/SSL Modern compatibility not working for Caldav

[Jeltel]

Recently I noticed issues with Davx5 and caldav on Synology. I traced this to the modern TLS/SSL compatibility settings within Synology advanced security settings.
With this setting set to modern, Davx5 cannot see caldav agenda's and tasklist, while it works on a non https setting. It does work when set to the middle setting, which is the work around for now.

Offcourse I would like to switch to modern compatibility to keep in line with modern standards. Is this something that can be fixed within Davx5?

If so please :)

[rfc2822]

Hi,

Yes, this is a known problem of Synology: when "high security" is active, the CalDAV server doesn't work anymore. It's actually not related to TLS security, and not related to DAVx⁵ and it also affects other clients. Please contact Synology directly about that.

[rfc2822]

Update: Synology has told us that this problem will be fixed in the next Synology version. They have also provided this workaround:

For the workaround, please sign in to DSM with root privilege via SSH and perform the following:

1. configure the TLS/SSL profile as Modern.
2. vi /usr/syno/etc/security-profile/tls-profile/config/dsm.conf
3. Add the following: proxy_ssl_protocols TLSv1.3;
4. save the change
5. /usr/syno/bin/synosystemctl reload --no-block nginx

Maybe you can try this out? @Jeltel

[Jeltel]

Ok, when setting is set on medium, Caldav works and the content of dsm.conf is:

ssl_protocols               TLSv1.2 TLSv1.3;
ssl_ciphers                  [redacted]
ssl_dhparam                 /usr/syno/etc/ssl/dh2048.pem;

When setting is on modern, Caldav doesn't work and the content of dsm.conf is:
ssl_protocols TLSv1.3;

When adding proxy_ssl_protocols TLSv1.3; to dsm.conf with modern settings and reloading: Caldav works with modern TLS settings :)

ssl_protocols               TLSv1.3;
proxy_ssl_protocols TLSv1.3;

Nice another checkbox on the domain tests :)

[Jeltel]

Latest update (DSM 7.1.1-42962 Update 5) did not fix the issue. The workaround still works though, although it has to be re-applied after the update.

[rfc2822]

Can you please report this to Synology? So that they don't forget

[Jeltel]

Took a while, but I just did. Lets see what their reaction is.

[Jeltel]

So I reached out to Synology and this is their response:

Due to compatibility reasons, some applications have not updated the HTTP library, as a result, when TLS/SSL profile is set to modern compatibility in DSM>Control Panel>Security>Advanced, some apps may fail to connect in HTTPS.
The apps will gradually be updated, but for the moment using intermediate compatibility is the solution.

Which in my opinion says that Davx5 isn't up to date...

Upon a further question upon the in this issue suggested solution:

I saw the article that you sent me, and if we make manipulations in SSH in the NAS is one thing, but we don't provide support for SSH made by the client.
If you want to proceed with the changes indicated in the link it will be at your own risk.
For what i know the solution will come eventually but i cannot assure you when.

So not much to go by unfortunately :(

[rfc2822]

Which in my opinion says that Davx5 isn't up to date...

That's not true. The TLS connection is established without problems. However the server then sends a 404 response to the same request which it replies with 207 when Intermediate security is set.

So this is clearly a server configuration problem, and the fix is already known, see above. The proxyl_ssl_protocols are only Synology-internal and are not related to DAVx5.

Unless this is fixed in DSM, we can't do anything.

[Jeltel]

Let me state that i also think it's Synology's problem.
This person however doesn't seem to understand what exactly is going on, unfortunately.

[rfc2822]

Maybe you can explain it to them. This would help us to avoid further problems.

[Jeltel]

They made a feature request out of it.
We'll see how that fares.

[rfc2822]

Ah and yes, the problem also occurs with Thunderbird, as far as I know. (Which proves that it's not a DAVx5 problem.)