Possible Bug: Client certificates with NextCloud

[DeLoooping]

Hi everyone,

I'm currently in the process of enhancing my NextCloud instance with client certificate authentication and I'm struggling with the DAVx5 setup. Using the provider specific (NextCloud) account creation seems not to support client certificates and trying to add the account with the extended login also did not seem to work.

What I did:

• Set "https://mydomain/remote.php/dav" as the base address
• Added my user credentials
• Selected my client certificate

This yields in the error "The base URL doesn't seem to be an accessible CalDAV/CardDAV URL and service detection was not successful."

The logs tell me:

2024-05-12 22:14:17 155 [servicedetection.DavResourceFinder] Finding initial carddav service configuration
2024-05-12 22:14:17 155 [servicedetection.DavResourceFinder] Checking user-given URL: https://mydomain/remote.php/dav
2024-05-12 22:14:17 155 [network.HttpClient] --> PROPFIND https://mydomain/remote.php/dav http/1.1
2024-05-12 22:14:17 155 [network.HttpClient] Depth: 0
2024-05-12 22:14:17 155 [network.HttpClient] User-Agent: DAVx5/4.3.16.1-ose (2024/04/20; dav4jvm; okhttp/4.12.0) Android/13
2024-05-12 22:14:17 155 [network.HttpClient] Accept-Language: de-DE, de;q=0.7, *;q=0.5
2024-05-12 22:14:17 155 [network.HttpClient] Content-Type: application/xml; charset=utf-8
2024-05-12 22:14:17 155 [network.HttpClient] Content-Length: 290
2024-05-12 22:14:17 155 [network.HttpClient] Host: mydomain
2024-05-12 22:14:17 155 [network.HttpClient] Connection: Keep-Alive
2024-05-12 22:14:17 155 [network.HttpClient] Accept-Encoding: gzip
2024-05-12 22:14:17 155 [network.HttpClient] 
2024-05-12 22:14:17 155 [network.HttpClient] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><resourcetype /><displayname /><CARD:addressbook-description /><CARD:addressbook-home-set /><current-user-principal /></prop></propfind>
2024-05-12 22:14:17 155 [network.HttpClient] --> END PROPFIND (290-byte body)
2024-05-12 22:14:17 155 [network.HttpClient] <-- 400 Bad Request https://mydomain/remote.php/dav (77ms)
2024-05-12 22:14:17 155 [network.HttpClient] Server: nginx
2024-05-12 22:14:17 155 [network.HttpClient] Date: Sun, 12 May 2024 20:14:16 GMT
2024-05-12 22:14:17 155 [network.HttpClient] Content-Type: text/html
2024-05-12 22:14:17 155 [network.HttpClient] Content-Length: 230
2024-05-12 22:14:17 155 [network.HttpClient] Connection: close
2024-05-12 22:14:17 155 [network.HttpClient] 
2024-05-12 22:14:17 155 [network.HttpClient] <html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx</center>
</body>
</html>

So it seems like my client certificate is not used.
The same certificate works flawlessly when used by the NextCloud app or Chrome.

Any ideas what could be the problem here?

Chris

[rfc2822]

Using the provider specific (NextCloud) account creation seems not to support client certificates

True – the login is done in the browser and it can't return the certificate (name) that it used.

and trying to add the account with the extended login also did not seem to work.

Strange, just tried it here and it works as expected.

• When you select the client certificate, is the alias actually shown in the UI?
• Can you provide the complete login logs and send them to https://www.davx5.com/support? It should contain this line:

 D  [settings.SettingsManager] SharedPreferencesProvider: proxy_type = null
 D  [settings.SettingsManager] DefaultsProvider: proxy_type = -1
 D  [settings.SettingsManager] Looked up setting proxy_type -> -1
 D  app_time_stats: avg=167.05ms min=18.61ms max=499.31ms count=6
!!!!! → D  [network.HttpClient] Using provider certificate f633e7fc1009152918f739d8cf4a0f1d9228b21e for authentication (chain length: 2)
 D  [settings.SettingsManager] Looking up setting distrust_system_certs
 D  [settings.SettingsManager] SharedPreferencesProvider: distrust_system_certs = null
 D  [settings.SettingsManager] DefaultsProvider: distrust_system_certs = false
 D  [settings.SettingsManager] Looked up setting distrust_system_certs -> false
 I  [servicedetection.DavResourceFinder] Finding initial carddav service configuration
 I  [servicedetection.DavResourceFinder] Checking user-given URL: https://davtest.dev001.net/radicale/htpasswd+cert/
 D  tagSocket(77) with statsTag=0xffffffff, statsUid=-1
 D  hide(ime(), fromIme=false)
 I  at.bitfire.davdroid:617779ca: onRequestHide at ORIGIN_CLIENT reason HIDE_SOFT_INPUT_BY_INSETS_API fromUser false
 I  at.bitfire.davdroid:617779ca: onCancelled at PHASE_CLIENT_APPLY_ANIMATION
 V  [network.HttpClient] --> PROPFIND https://davtest.dev001.net/radicale/htpasswd+cert/ http/1.1
 V  [network.HttpClient] Depth: 0
 V  [network.HttpClient] User-Agent: DAVx5/4.3.17-alpha.4-ose (2024/05/14; dav4jvm; okhttp/4.12.0) Android/14

[DeLoooping]

• When you select the client certificate, is the alias actually shown in the UI?

Yes, it is. I attached the screenshot to the support request.

• Can you provide the complete login logs and send them to https://www.davx5.com/support? It should contain this line:

Done, but I'm not sure the "line" you are suggesting is in it.

[devvv4ever]

Ticket is here, it will be looked at next week :)

[DeLoooping]

Thanks. In case you cannot find anything based on the attached logs, I could send you credentials and client certificate for a test account on my NextCloud instance. Have a nice weekend, Christopher 18.05.2024 12:01:35 Bernhard Stockmann ***@***.***>:

…

Ticket is here, it will be looked at next week :) — Reply to this email directly, view it on GitHub[#787 (reply in thread)], or unsubscribe[https://github.com/notifications/unsubscribe-auth/BGH2ZRGZ24RGL4PB57CKYULZC4RHXAVCNFSM6AAAAABHTCOWKGVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TINZXHAZDI]. You are receiving this because you authored the thread. [Verfolgungsbild][https://github.com/notifications/beacon/BGH2ZRCWCYIQRCGKAEUSFOTZC4RHXA5CNFSM6AAAAABHTCOWKGWGG33NNVSW45C7OR4XAZNRIRUXGY3VONZWS33OINXW23LFNZ2KUY3PNVWWK3TUL5UWJTQASCPMA.gif]

[BryanJacobs]

I have a Radicale server sitting behind a nginx proxy that verifies TLS client certificates, and I also see the behaviour of the TLS client certificate not being supplied during service discovery.

[rfc2822]

Thanks. I could reproduce the problem with DAVx5 4.3.16.1, but not with the latest DAVx5 4.4 (which will be released very soon).

Can you try this version: https://cloud.bitfire.at/s/6TAejrJNFiwHPSm (or the latest beta from Google Play)

[BryanJacobs]

Another clue: if I disable the SSL client cert validation (from the server side), davx5 successfully creates the account - BUT the configured account doesn't have the client cert set!

Turning it on after the fact results in the cert being supplied correctly.

My conclusion is that something is wrong specifically with the new-account-setup TLS client cert option, and not with the code for ordinary syncs afterwards. Perhaps the UI isn't actually passing the configured certificate to the sync code during account creation?

[DeLoooping]

Great observation and workaround!
I'll try this asap.

[rfc2822]

I can't reproduce the problem. Everything is working fine here:

Screen_recording_20240525_214636.webm

If someone could send a test account to https://www.davx5.com/support and steps to reproduce (URL etc.), I could give a try with that one.

[DeLoooping]

Credentials and steps to reproduce have been added to ticket #154360.

[rfc2822]

Thanks. I could reproduce the problem with DAVx5 4.3.16.1, but not with the latest DAVx5 4.4 (which will be released very soon).

Can you try this version: https://cloud.bitfire.at/s/6TAejrJNFiwHPSm (or the latest beta from Google Play)

[DeLoooping]

I tried with this version (4.3.17-alpha.3) and can confirm that's it's working with that one.