Kozea / Radicale

A simple CalDAV (calendar) and CardDAV (contact) server.
https://radicale.org
GNU General Public License v3.0

CardDAV sync with iOS 12 GM doesn't work #870

Closed JWThewes closed 6 months ago

JWThewes commented 6 years ago

I've a setup for CardDAV syncing. With iOS 11 it works fine. When I use an iOS 12 device I get the following error when launching Radicale with --debug:

[700006bb0000] INFO: PROPFIND request for '/principals/' with depth '0' received from 10.0.0.57 using 'iOS/12.0 (16A366) accountsd/1.0'
[700006bb0000] DEBUG: Request headers: {'CONTENT_LENGTH': '181', 'CONTENT_TYPE': 'text/xml', 'GATEWAY_INTERFACE': 'CGI/1.1', 'HTTP_ACCEPT': '/', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate', 'HTTP_ACCEPT_LANGUAGE': 'de-de', 'HTTP_BRIEF': 't', 'HTTP_CONNECTION': 'keep-alive', 'HTTP_DEPTH': '0', 'HTTP_HOST': '10.0.0.16:5232', 'HTTP_PREFER': 'return=minimal', 'HTTP_USER_AGENT': 'iOS/12.0 (16A366) accountsd/1.0', 'PATH_INFO': '/principals/', 'QUERY_STRING': '', 'REMOTE_ADDR': '10.0.0.57', 'REMOTE_HOST': '', 'REQUEST_METHOD': 'PROPFIND', 'SCRIPT_NAME': '', 'SERVER_NAME': 'Jans-MacBook-Pro-it-e.local', 'SERVER_PORT': '5232', 'SERVER_PROTOCOL': 'HTTP/1.1', 'SERVER_SOFTWARE': 'WSGIServer/0.2', 'wsgi.errors': <_io.StringIO object at 0x106483ee8>, 'wsgi.file_wrapper': <class 'wsgiref.util.FileWrapper'>, 'wsgi.input': <_io.BufferedReader name=9>, 'wsgi.multiprocess': False, 'wsgi.multithread': True, 'wsgi.run_once': False, 'wsgi.url_scheme': 'http', 'wsgi.version': (1, 0)}
[700006bb0000] DEBUG: Sanitized script name: ''
[700006bb0000] DEBUG: Sanitized path: '/principals/'
[700006bb0000] DEBUG: Request content: <?xml version="1.0"?>

[700006bb0000] DEBUG: Response content: The requested resource could not be found.
[700006bb0000] INFO: PROPFIND response status for '/principals/' with depth '0' in 0.001 seconds: 404 Not Found

Tntdruid commented 6 years ago

Works fine for me on iPhone and iPad both run iOS 12

I run it as a service tho

asch commented 6 years ago

I have the same issue as @JWThewes and had to downgrade to iOS 11.

bramjacobse commented 6 years ago

I have the same issue as @JWThewes & @asch .

mbiebl commented 6 years ago

ios 12 requires https. It will not send any credentials over http

holian7 commented 6 years ago

Dear All,

We have the same issue. I can't find any information on the web to confirm that Apple/iOS 12 does not work with HTTP anymore, but our server is configured to use it.

May I ask for some help with how to change the settings so that CardDAV listens on HTTPS also?

return42 commented 6 years ago

@holian7 I recommend a reverse proxy setup, see https://radicale.org/proxy/

holian7 commented 6 years ago

> @holian7 I recommend a reverse proxy setup, see https://radicale.org/proxy/

Dear Return42,

Thank you for your prompt help. Unfortunately it's "Chinese for me". The current Radicale was also configured by someone else for us (who can't help anymore..).

I will try to understand the description you suggested...

return42 commented 6 years ago

> Unfortunately it's "Chinese for me".

:) ... if administration is not your task, I can't recommend changing anything on your server. The risk of breaking more is there .. It might be better to look for someone who can admin this for you / sorry for not being helpful.

holian7 commented 6 years ago

Maybe you? :)

return42 commented 6 years ago

Sorry, no .. I maintain scripts & articles on how to set up Apache and a Radicale server behind it .. but it's all in German and the audience needs a basic level of administration. Sorry, can't do any more for you ..

holian7 commented 6 years ago

Masters,

May I ask for some help? Last evening I tried to configure a new test environment. I would really appreciate it if somebody read this long post and helped me:

Here is what I have done already:

After that I tried the reverse proxy suggestion as follows:

RewriteEngine On
RewriteRule ^/radicale$ /radicale/ [R,L]

<Location "/radicale/">
    AuthType      Basic
    AuthName      "Radicale - Password Required"
    AuthUserFile  "c:/radicale/radicale/htpasswd.txt"
    Require       valid-user

    ProxyPass        http://localhost:5232/ retry=0
    ProxyPassReverse http://localhost:5232/
    RequestHeader    set X-Script-Name /radicale/
    RequestHeader    set X-Remote-User expr=%{REMOTE_USER}
</Location>

Now I can open Apache on https://localhost and open Radicale on https://localhost:5234. I run Radicale with the debug param and I see it listening on SSL.

But here is where I got stuck:

If I try to log in on the Radicale web interface I get a 403 Forbidden error? And I can't figure out how to set up my iPhone to connect.
May I set up iPhone CardDAV with SSL or do I have to keep it without SSL?

Technically the base problem is that iOS 12 does not sync with the Radicale server anymore. So you suggest installing a reverse proxy? (Will the reverse proxy handle the non-SSL connection from the iPhone? And pass the password in the header to Radicale via SSL? I'm not sure what the goal is..)

'HTTP_ACCEPT_ENCODING': 'gzip, deflate, br', 'HTTP_ACCEPT_LANGUAGE': 'hu-HU,hu;q=0.9,en-US;q=0.8,en;q=0.7', 'HTTP_CONNECTION': 'keep-alive', 'HTTP_HOST': 'localhost:5234', 'HTTP_ORIGIN': 'https://localhost:5234', 'HTTP_REFERER': 'https://localhost:5234/.web/', 'HTTP_USER_AGENT': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) ' 'AppleWebKit/537.36 (KHTML, like Gecko) ' 'Chrome/69.0.3497.100 Safari/537.36', 'PATH_INFO': '/', 'QUERY_STRING': '', 'REMOTE_ADDR': '127.0.0.1', 'REMOTE_CERTIFICATE': {'issuer': ((('countryName', 'AU'),), (('stateOrProvinceName', 'Some-State'),), (('organizationName', 'Internet Widgits Pty Ltd'),)), 'notAfter': 'Feb 18 19:54:51 2046 GMT', 'notBefore': 'Oct 4 19:54:51 2018 GMT', 'serialNumber': 'C5C3617964C1B257', 'subject': ((('countryName', 'AU'),), (('stateOrProvinceName', 'Some-State'),), (('organizationName', 'Internet Widgits Pty Ltd'),)), 'version': 3}, 'REMOTE_HOST': '', 'REQUEST_METHOD': 'PROPFIND', 'SCRIPT_NAME': '', 'SERVER_NAME': '127.0.0.1', 'SERVER_PORT': '5234', 'SERVER_PROTOCOL': 'HTTP/1.1', 'SERVER_SOFTWARE': 'WSGIServer/0.2', 'wsgi.errors': <_io.StringIO object at 0x03615A30>, 'wsgi.file_wrapper': <class 'wsgiref.util.FileWrapper'>, 'wsgi.input': <_io.BufferedReader name=1364>, 'wsgi.multiprocess': False, 'wsgi.multithread': True, 'wsgi.run_once': False, 'wsgi.url_scheme': 'http', 'wsgi.version': (1, 0)}
[6878] DEBUG: Sanitized script name: ''
[6878] DEBUG: Sanitized path: '/'
[6878] DEBUG: Rule '':'' doesn't match 'admin':'.' from section 'admin'
[6878] DEBUG: Rule '':'' doesn't match 'dksofor':'.' from section 'dksofor'
[6878] DEBUG: Rule '':'' doesn't match 'jssofor':'.' from section 'jssofor'
[6878] DEBUG: Rule '':'' doesn't match 'trsofor':'.' from section 'trsofor'
[6878] DEBUG: Rule '':'' doesn't match '^user.$':'.' from section 'user'
[6878] INFO: Rights: '':'' doesn't match any section
[6878] DEBUG: Rule '':'' doesn't match 'admin':'.' from section 'admin'
[6878] DEBUG: Rule '':'' doesn't match 'dksofor':'.' from section 'dksofor'
[6878] DEBUG: Rule '':'' doesn't match 'jssofor':'.' from section 'jssofor'
[6878] DEBUG: Rule '':'' doesn't match 'trsofor':'.' from section 'trsofor'
[6878] DEBUG: Rule '':'' doesn't match '^user.$':'.' from section 'user'
[6878] INFO: Rights: '':'' doesn't match any section
[6878] INFO: Access to '/' denied for anonymous user
[6878] DEBUG: Response content: Access to the requested resource forbidden.
[6878] INFO: PROPFIND response status for '/' in 0.010 seconds: 403 Forbidden

holian7 commented 6 years ago

> Works fine for me on iPhone and iPad both run iOS 12
>
> I run it as a service tho

Dear Tntdruid,

I would really appreciate it if you could help me with how to configure Radicale and iOS to work with SSL.

Thank you Sir,

Tntdruid commented 6 years ago

Looks like an iOS 12 bug https://discussions.apple.com/thread/8544190

holian7 commented 6 years ago

I also think it's a bug, but I'm not sure Apple will fix it, or remove the "switch" from settings and only allow SSL. Anyway, I think I'm still on the wrong track, so I just need to set up Radicale to work with SSL, but I get a handshake error... https://github.com/Kozea/Radicale/issues/879

Any idea? Thank you Sir

Tntdruid commented 6 years ago

It fails for me too if I try to add a new account on my iPad, the old one works, very odd

mbauhardt commented 5 years ago

@holian7 I have the same issue as you. Can you paste the command you used to create the certificates? Or did you order the certs somewhere?

I used the SSL commands described at https://radicale.org/proxy/

$ openssl req -x509 -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem -nodes -days 9999
$ openssl req -x509 -newkey rsa:4096 -keyout client_key.pem -out client_cert.pem -nodes -days 9999

And I get the same handshake error you described in issue #879, also when connecting with macOS, which works without SSL. I could imagine that we have to use the correct SSL protocol version, see #702

Tntdruid commented 5 years ago

I use https://github.com/Neilpang/acme.sh for Let's Encrypt certs

mbauhardt commented 5 years ago

@Tntdruid do you sit directly on radicale or behind a proxy?

holian7 commented 5 years ago

> @holian7 I have the same issue as you. Can you paste the command you used to create the certificates? Or did you order the certs somewhere?
>
> I used the SSL commands described at https://radicale.org/proxy/
>
> $ openssl req -x509 -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem -nodes -days 9999
> $ openssl req -x509 -newkey rsa:4096 -keyout client_key.pem -out client_cert.pem -nodes -days 9999
>
> And I get the same handshake error you described in issue #879, also when connecting with macOS, which works without SSL. I could imagine that we have to use the correct SSL protocol version, see #702

Dear Mbauhardt,

I also used the command and link you mentioned. I tried with SSL2, SSL3, TLS, TLS_1_2, etc.; the error message should changed but it does not work.... I'm not sure what's wrong. I will try the following, but currently I have no time:

I would really appreciate your help if you find something..

Tntdruid commented 5 years ago

@mbauhardt It runs as a service, I use the IMAP plugin as auth. Got over 2k clients using it.

holian7 commented 5 years ago

Dear Tntdruid,

May I ask you for some help, some tutorial on how to set up your environment? I am stuck with SSL, and I have no more hair to pull out...

Thank you

holian7 commented 5 years ago

I had the idea: what if the openssl version is different from the Python ssl version...I checked and it was so...updated...both are the same now...generated a new cert with the new openssl.....

Same error....can anyone suggest a good step-by-step tutorial on how to set up a Radicale server with SSL?

holian7 commented 5 years ago

Dear All,

I stepped back to the first suggestion, the proxy server (https://radicale.org/proxy/). I set up an Apache proxy.

When I try to open localhost:80 it asks for a password and redirects to Radicale. In the debug window I see the login is successful. So I tried to set up the CardDAV account on my iPhone but I got stuck.

Any idea how to set up a CardDAV account on the iPhone in this case, because I can't connect.

Regards,

seanmurdoch01 commented 5 years ago

Hi, not sure if it's the same problem, but I have about 80 iPhones of various types, and an Apple server that pushes out the CardDAV settings for my Radicale server. All works fine, but for the last couple of months, some phones have stopped working. Seems to be any on version 12 or higher. What I have found, for some reason when my Apple MDM pushes out the settings to the iOS device, it does not install the correct settings for some reason. If I manually enter the CardDAV settings it works perfectly. I then used Apple Configurator to create the mobileconfig and posted it onto an internal web server and used Safari to download the profile. The profile installed OK, but will not get any contacts. Again, if I manually enter the settings, I get contacts. I am only using HTTP on port 5232. Has anyone got the same problem when loading a profile from MDM?

balki commented 5 years ago

I was able to get it working with iPhone. As @mbiebl commented, the root cause is iOS does not send credentials without SSL. The doc over here https://radicale.org/proxy/ explains how to set up a proxy between the web server and Radicale, i.e.

iphone --> webserver --ssl--> radicale

But what we need is

(a) iphone --ssl--> webserver --> radicale
(OR)
(b) iphone --ssl--> radicale

If you are using a webserver as a reverse proxy (a), you need to check the webserver documentation on how to setup ssl. If you don't have a webserver and directly connect to radicale (b), do the following

  1. Create ssl server certificate. Just the first command from here https://radicale.org/proxy/
    openssl req -x509 -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem -nodes -days 9999
  2. Add the below config to server section. Note: You should not add the certificate_authority part.
    [server]
    ssl = True
    certificate = /path/to/server_cert.pem
    key = /path/to/server_key.pem

    Now it should work. :)
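
A small check for the `[server]` section described in the comment above, added here as an example (not part of the thread or of Radicale's own code). It flags plain HTTP and a `certificate_authority` entry, which turns on client-certificate verification; the function name and the sample configs are constructed for illustration.

```python
import configparser

def audit_server_section(config_text):
    """Return findings for the [server] section of a Radicale config."""
    parser = configparser.RawConfigParser()
    parser.read_string(config_text)
    if not parser.has_section("server"):
        return ["no [server] section: TLS is not configured in this file"]
    server = parser["server"]
    findings = []
    try:
        tls_on = server.getboolean("ssl", fallback=False)
    except ValueError:
        tls_on = False
        findings.append("ssl is set to a value that is not a boolean")
    if not tls_on:
        findings.append("ssl is off: clients reach Radicale over plain HTTP")
    else:
        for option in ("certificate", "key"):
            if not server.get(option, fallback="").strip():
                findings.append(f"ssl is on but '{option}' is not set here")
    # certificate_authority enables client-certificate verification, so a
    # client that presents no certificate fails the TLS handshake.
    if server.get("certificate_authority", fallback="").strip():
        findings.append("certificate_authority is set: every client must "
                        "present a certificate signed by that CA")
    return findings

# Constructed sample configs (paths are placeholders).
DIRECT_TLS = """[server]
ssl = True
certificate = /path/to/server_cert.pem
key = /path/to/server_key.pem
"""
TLS_WITH_CLIENT_CA = DIRECT_TLS + "certificate_authority = /path/to/client_cert.pem\n"
PLAIN_HTTP = """[server]
hosts = 0.0.0.0:5232
"""

if __name__ == "__main__":
    for name in ("DIRECT_TLS", "TLS_WITH_CLIENT_CA", "PLAIN_HTTP"):
        print(name, audit_server_section(globals()[name]))
```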