MobileOrg / mobileorg

MobileOrg iPhone App
http://mobileorg.github.io
GNU General Public License v2.0

WebDAV connection fails #167

Closed exilsteira closed 7 years ago

exilsteira commented 7 years ago

Connecting to my company's WebDAV server failed. The error message was "Failure" while downloading checksums.dat. After removing all files from my server the error remained. I then tried version 1.6.1 which did the job. The connection to the server was established via VPN in both cases.

mgmart commented 7 years ago

I assume we're talking about SharePoint WebDAV (from what I saw on Twitter). Thanks for reporting it here.

Unfortunately we got no feedback from our beta-testers :feelsgood:. Which makes it a bit troublesome for you now.

Some questions:

If you like, you could come over to our Gitter Lobby so that we could have a more direct conversation.

exilsteira commented 7 years ago

Yes, it's SharePoint WebDAV.

I pasted the WebDAV link to Safari and was connected as expected. Also, switching back to version 1.6.1 worked properly.

ghost commented 7 years ago

Hello, I have the same issue with version 1.7.1 on iOS. I'm connecting to a webdav server provided by Seafile.

The connection is done via SSL and a self signed certificate.

I have created a test account for you HERE, so you can play around with it.

Best Regards, Stefan

stormlash commented 7 years ago

I've had the same issue as well; I haven't been able to run any of the TestFlight betas against my WebDAV setup.

On Tue, Jan 31, 2017 at 4:25 AM Stefan Hagen notifications@github.com wrote:

Hello, I have the same issue with version 1.7.1 on iOS. I'm connecting to a webdav server provided by Seafile https://manual.seafile.com/extension/webdav.html.

The connection is done via SSL and a self signed certificate.

I have created a test account for you HERE https://gist.github.com/xkpd3/0c4a9f2be3d028376d1e11b7de5cdfd2, so you can play around with it.

Best Regards, Stefan


-- Peter Sahlstrom peter@stormlash.net http://peter.stormlash.net

mgmart commented 7 years ago

@xkpd3 thank you for the test-setup

The error is related to the self-signed certificate. We have not tested that. Don't know how long it would take to fix that. We need to implement some workflow in very old code.

Are you aware of Let's Encrypt?

@exilsteira, just to make sure: the server you're connecting to also uses self-signed certificates?

mgmart commented 7 years ago

Would it be an acceptable workaround to use an officially signed certificate or http-only for the time being?

Besides Let's Encrypt there is also StartSSL, which offers a free certificate. Maybe there are others, but I only know those two.

Updated Known Issues.

exilsteira commented 7 years ago

The server is http:// and can only be accessed within the company network or VPN. I'm pretty sure that VPN uses a self signed certificate.

ghost commented 7 years ago

@mgmart: I'm aware of letsencrypt and I will change certificates in about a week, because I've hit the certificate request limit for this domain while testing and writing the renewal script.

Good to know that this issue is due to the certificate.

ghost commented 7 years ago

@mgmart: This was indeed the issue. I replaced the certificate with one from Symantec and it works fine now.

mgmart commented 7 years ago

@exilsteira I would then presume that your error has another reason. MobileOrg is not aware of the VPN connection and we're talking about a plain http:// connection in your case. Would you like to join our beta test? We could provide you with a special version where we could get some more information dumped.

mgmart commented 7 years ago

@xkpd3 Good to know. Thanks again for the test-setup, that made it very easy to track it down.

webframp commented 7 years ago

@exilsteira Thanks for reporting here. We're going to work on getting a fix for the issue with self-signed certs. If you'd be able to assist with testing it I can add you to TestFlight, just send me your apple id.

mgmart commented 7 years ago

In "Requirements for Connecting Using ATS", Apple states that the trust chain of a certificate must be evaluated.

  • The X.509 digital server certificate must meet at least one of the following trust requirements:
    • Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system
    • Issued by a trusted root CA and installed by the user or a system administrator

Which means that self-signed certificates only work with the root CA installed on the device. The only way to fix this is by providing documentation on how to install a root CA on the device.
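
The trust requirement quoted in the comment above can be checked on the server side with the openssl CLI before involving the app. This is an added example, not MobileOrg code and not part of the original comments; the function names, the host name dav.example.test and all certificates are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: every certificate here is constructed locally for the demo.

# chain_status ANCHOR_PEM CERT_PEM -> prints "trusted" or "untrusted".
# ANCHOR_PEM plays the role of a root CA installed on the device.
chain_status() {
    # Match the textual result; very old openssl builds exit 0 on failure.
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

# is_self_signed CERT_PEM -> prints "yes" when subject and issuer are identical.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    if [ -n "$subj" ] && [ "$subj" = "$iss" ]; then echo yes; else echo no; fi
}

# make_demo_certs DIR -> writes a private root, a server cert it issued,
# and a standalone self-signed server cert (hypothetical host name).
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Private Root" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dav.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/srv.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=dav.example.test" -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}

# Run with "demo" as the first argument to print the three cases.
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d) && make_demo_certs "$t"
    echo "issued by root, root installed:  $(chain_status "$t/ca.pem" "$t/srv.pem")"
    echo "self-signed, other root only:    $(chain_status "$t/ca.pem" "$t/self.pem")"
    echo "self-signed, itself installed:   $(chain_status "$t/self.pem" "$t/self.pem")"
    rm -rf "$t"
fi
```

It checks only the trust chain named in the quoted requirement; pass the PEM file of the root installed on the device as the anchor and the server's certificate as the second argument.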

mgmart commented 7 years ago

@exilsteira After investigating the issue a bit more, I think the reason is the http connection you are using. Apple enforces the use of https with the latest iOS releases. We have to emphasise this in the documentation.

WebDAV is not supported over http, only https

Regardless of whether the connection is by VPN or not.

exilsteira commented 7 years ago

Why does it work with v1.6.1 over http and not with v1.7.1?

webframp commented 7 years ago

@exilsteira Apple made changes related to NSURLSession and related APIs. From the link shared by @mgmart:

App Transport Security (ATS) is enforced by the NSURLSession class and all APIs that use it. ATS is automatically enabled when you link your app against the iOS 9.0 SDK or later

exilsteira commented 7 years ago

Guys, thank you very much for your help. I guess I'm going to have a hard time with our IT to find a way for enabling data exchange.

Regards, andi

mgmart commented 7 years ago

@exilsteira, it's always a good idea to secure any services. Also services which are only accessed from the inside.

Maybe this helps: http://www.cio.de/a/die-groesste-gefahr-kommt-von-innen,2921119

mgmart commented 7 years ago

As it's an ATS error only better documentation => MobileOrg/mobileorg.github.io#14 and clearer error messages => #171 could be provided.

bsima commented 6 years ago

I followed this guide for setting up a root CA, then installed the root CA on my iPhone and trusted it, but I'm still getting an ATS error. Any advice?

webframp commented 6 years ago

Honestly @mgmart was better at WebDAV debugging, since I never use it with MobileOrg. But if you can post any detailed log messages or errors in a new issue that would be helpful for tracking. Thanks for taking the time to report it @bsima!

mgmart commented 6 years ago

Apple introduced some new ATS features in iOS 11. It is best to use a CA-issued certificate. For self-signed certificates the domain must be configured in Info.plist. Some explanation can be found at Apple's Developer Forum.

emwaves commented 3 years ago

I realize this thread is already closed but I couldn't find the relevant info elsewhere. I am on iOS 14 and would like to sync with WebDAV through my Synology NAS. It used to work earlier but I keep getting this error when I try to sync: "ATS Error A secure connection could not be established. Please make sure that you're using a secure connection with valid certificates".

I have no idea how to get the certificates. Is there some documentation I can refer to for setting up the WebDAV sync with Synology?