Network error :(

[vincegre]

Hi

Installed Passman on my OnePlus 3 (Android 7.1.1) from Play Store. I get a network error when I try to connect at my NextCloud account !
If I don't put https in front it complains incorrect url so I putted https://monserveur and my credentials but I always get a Network error !
Tested with cellphone connected to Wifi !
Something to try or test ?

Thanks

[animalillo]

@vincegre is that the url you entered to the app? If so, it's not a fully quallified domain name, and the phone can't resolve it.

[vincegre]

no no it was just not to reveal real url but sure my server is publicly avalaible on internet and with a full FQDN and SSL protection !
I have no problem with other apps on my phone that synchronise to my NextCloud system !

[brantje]

Is nextcloud installed in a subdirectory?

[vincegre]

nope but SSL is done with a Let's encrypt certificate and I know some old apps don't like much these certificates ! Maybe it's the problem ?

[animalillo]

Denepnding on your android version and your server ssl configuration this could be an issue.

@brantje we need an issue template for this project too

[zmbcgn]

Same here:

android 7.1.1
Nextcloud 12.0 beta2
passman 2.1.2
SSL Cert from letsencrypt / nginx webserver

App works with https://demo.passman.cc/

[animalillo]

Would need more info to debug this out.
Please tell me your:

1. Server port
2. SSL server configuration
3. Owncloud / Nextcloud install path relative to site root
4. Android version
5. Passman version
6. Owncloud / Nextcloud version
7. Server logs (apache and nextcloud)
8. Does the official standard nextcloud/owncloud app works with the device?

[zmbcgn]

Sure:

1. 443
2. https://pastebin.com/SbvQQzxw
3. Sites Rootdirectory
4. 7.1.1
5. 12.0 beta2
6. The connection attempt from the app is neither shown in the nginx nor in the nextcloud logfile.
7. Yes. Maybe worth noticing that I also use the TOTP Plugin of Nextcloud.

[vincegre]

Here are details requested:

Server port is on standard SSL 443 (only SSL, if it tries http it's automatically redirected to https
SSL server configuration is pretty standard (Apache 2 with Let's Encrypt certificate), has no problem with other cellphone apps that connect at my Nextcloud server

Apache 2 with TLS 1.2

NextCloud installed at root of web server

Android 7.1.1 (One Plus 3)

Passman version on Android: 0.12-NIGHTLY

NextCloud 11.0.3 Passman app: 2.1.2

For logs not sure what you need as logs files are so big :(

No problem to connect with official NextCloud app and some other apps that goes with NextCloud. I use TOTP but I generate a specific distinct password for each app that needs to connect to NextCloud.

[nodauf]

Hi,
I had the same issue on my old android.
I solve it by putting the same certificate on my root server and on the subdomain where I host nextcloud.

Is it possible for you to try?

[animalillo]

Maybe it's an issue with old android versions and ssl SNI.

I will have to further investigate this and see if the lib we use for http/s requests has a workaround for this.

[vincegre]

@florianaudon not relevant as I'm in latest version of Android so it has no problem with SNI ! Side note your explanation about your problem looks like your SSL chains were incomplete on your webserver which can cunfuse some browsers !

[brantje]

It's also possible that some cyphers are not supported by Android and thus giving problem.
Since the demo server seems to work with Android i'll post the nginx config here for testing purposes

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

[nado]

Hi, I have the same issue on an old phone.
Android 4.4.2 (Wiko Goa)
Passman-android version 0.12 nightly.
LetsEncrypt certificate
My nginx config :

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_timeout  5m;
ssl_session_cache    shared:SSL:1m;
ssl_ciphers HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128;
ssl_dhparam /etc/ssl/certs/dhparam4.pem;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options DENY;
proxy_hide_header X-Powered-By;

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";

[animalillo]

please, refer to this table as of android support for ssl cyphers:
https://developer.android.com/reference/javax/net/ssl/SSLSocket.html

[nado]

Can it be a lack of TLS 1.2 support if I can access the very same url on the stock browser, nextcloud and davdroid application ?
Feel free to ask any detail about my configuration, I dont know what you need. Can it be LetsEncrypt related ?

[animalillo]

hmmm maybe the CA from letsencrypt is not included by default in android?

[brantje]

Just found this link: https://community.letsencrypt.org/t/android-doesnt-trust-the-certificate/16498

[vincegre]

@animalillo If you are using Android 4.4.2 with SNI on your web server it won't work as that version of Android was not compatible with SNI protocol so either update the very outdated Droid or move your server to a dedicated IP for the virtual server....

[nado]

@vincegre I suppose you wanted to talk to me as I was the one with a 4.4.2 Android.
If SNI doesnt work, shouldnt it fail for all attempts to connect to my nextcloud instance ?
Also according to https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=4.4.2 it should support SNI.
I am open to the fact that it might be my Android version which is too old but I am trying to understand why it succeeds to connect to my server on stock browser or other apps and not for passman.

[animalillo]

some apps have implemented workarounds for android flaws, some have not, we have not, we let a library handle that

[nado]

I see, I can’t afford a new IP right now and there’s no update above KitKat for my phone.
Anyway thanks for the help. :)

[vincegre]

@nado yep it was for you ;) Did you check that your Nextcloud instance has a complete SSL chain with sslabs ?? as it's often a problem if CA certificate is missing ! Full cert chain as you can see below:

For upgrade of your phones have you checked alternative ROMs ? often better than original ones included by manufacturer of phone :D

[nado]

Its a phone too cheap to get attention and get a ROM, I once tried making one but I dint have enough time to focus on it.

SSLabs screenshot :

[vincegre]

@nado looks like your only solution now is to change your phone :(

[animalillo]

i could check if it's an app problem if you crate me an account and i can try the app on your server from my phone pm me on telegram

[nado]

I am not on telegram, I still use mails (nado@edited), irc (nado on freenode) :)

[animalillo]

@nado i sent you an email from marcos@[domain].es

[brantje]

Confirmed that android 4.4.2 seems to have issues with some ssl configurations, think on making a workaround or a more descriptive message

[animalillo]

didn't got any telegram at WolFi

[zmbcgn]

now maybe?

[animalillo]

Yes, now i notice you sent it on a private message which i don't get on the desktop app xD
I will try to connect to your server this afternoon and tell you what i can find.

[nicman23]

same here, passman webextension, and the website frontend works fine.

however i believe this is just because i am running it on very very low hardware and it just gets timeout

if you care to test my server also the url is home.nicman23.tk i shall make a test:test acount

[animalillo]

I have published a new alpha release. It seems to fix network issues on some devices and it has more descriptive network errors.

Please, tell me if the new version released on the store fix this problem.
Also note, it might take a few hours for google to process and propagate the update, so please, make sure you are running v0.13 Nightly before saying it does not work.

[nicman23]

my issue seemed to be a missing chain cert from apache.

[zmbcgn]

Works like a charm with the new release. Thx!

[adocampo]

I can also connect now to my server. 👍

[AnisKhanUK]

Hello, I have a Nexus 6p which just got upgraded to Android O.

The app was working before the upgrade from 7.1.2.

I am on the latest nightly but am getting 'Settings incorrect'

Any ideas?
Thanks

[animalillo]

probably wrong username/password. double check url, user and password are correct. I would need more info to help you @AnisKhanUK.

[AnisKhanUK]

You were right - I needed to use my APP password as I had setup 2nd factor authentication.

Brilliant.

[animalillo]

After watching it for a few days, I think it's safe to close this issue! If anyone finds any trouble with this, i will try my best to help them debug it!

Closing! :D

[brantje]

We got reports of @jzielke-nli having trouble, reopening. (Ref #49)

[animalillo]

following the conversation from #49 here
@jzielke-nli, you could pm me the connection details and credendials vía telegram and I could take a look into your issue

[jzielke84]

@animalillo Thanks for offering that. I'll send you some credentials and keep the communication up here as requested by @brantje in #49 .

[jzielke84]

@animalillo Any progress on your debugging efforts?

[animalillo]

didn't have time to check it out yet! will try to this week or at least this weekend! Sorry for the delay, i have recently moved to a new home and things are a little fuzzy yet

[animalillo]

I made some debugging today and seems like the server is not returning an expected field for the vault once you click it to open, is this the same behaviour you are getting @jzielke-nli? Vault fails to open?

For what i've seen is that the server is returning a different json format in which favicon field seems to be renamed to icon and the app can't find the required favicon field.

@brantje is favicon no longer a valid field?

if so the bug would be on es.wolfi.passman.API.Credential line 241

[jzielke84]

@animalillo How can I debug this on my android device?

[xXSTrikeXx]

@jzielke-nli google for adb logcat ;) In nextcloud-android on the startsite there is a small description ;)

[jzielke84]

Confirmed on my device:

03-08 15:30:04.114 27576 27576 E android.nfc.Tag$1@d4f9e29: Unknown network error
03-08 15:30:04.114 27576 27576 E android.nfc.Tag$1@d4f9e29: org.json.JSONException: No value for favicon

[animalillo]

yeah, seems that @brantje changed the field name on the api response on the version you have and that's the problem, if I have time on what is left of the week I will try to release a fix and maybe add a server version check.

[jzielke84]

@animalillo Is the favicon really necessary? I can't remember having seen it in any part of the app. So why not removing this one rather than implementing a fallback routine?

[binsky08]

with the new version 1.0.0 a lot of code has changed.
since nothing has happened here for a long time, I would close the issue soon if the problem does not still exist

[vincegre]

I'm closing it as I don't use passman since few years and no one else has reported same issue ;)