WebDav + self-signed certificates: Unable to connect

[rijabo]

Hi,

Since version 1.8 i android version I cant connect to my WebDav. Gives no network or connection With the same settings it works with 1.7 but after 1.8 and 1.8.2 now it does not work anymore. After i reinstall 1.7 it works again.

I waited after version 1.8 ( no connection to webDav) and installed 1.8.2 now but still no connection with same settings. After reinstal 1.7 works again.

Since i did not find any issues from other users i wanted to ask if this is a know issue.

Thanks in advance.

Regards

[sallar]

Hi @rijabo I just tried replicating the issue on my test device (OnePlus 5T) and I could not. Can you please share more information about your device, operating system and WebDAV server?

Thank you.

[rijabo]

Hi i have a samsung note 9 and webdav is on my nas server When i install 1.8 or 1.8.2 over the 1.7 version i get attached error before it works like a charm When i fresh install 1.8 or 1.8.2 (unistall 1.7) and when input network adress same as before etc i get network error or no network.

Thanks

On Sun, 19 May 2019, 20:22 Sallar Kaboli, notifications@github.com wrote:

Hi @rijabo https://github.com/rijabo I just tried replicating the issue on my test device (OnePlus 5T) and I could not. Can you please share more information about your device, operating system and WebDAV server?

Thank you.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/buttercup/buttercup-mobile/issues/159?email_source=notifications&email_token=AMDJZO736N43UARJZVYDJSLPWGLIBA5CNFSM4HNZX5BKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVXHWNI#issuecomment-493779765, or mute the thread https://github.com/notifications/unsubscribe-auth/AMDJZO57HVBOH23J535KYOTPWGLIBANCNFSM4HNZX5BA .

[Oraagon]

Hello i have the same problem since i updated to 1.8.2 I have a Samsung S8 (Android 9) and use WebDav over http (i know that's not the securest way) on my Synology DS209+

maybe this helps

[ed-asriyan]

Hi! I have Huawei Nova 3, Android 9, and the same problem with v1.8.2. I noticed that issue is reproducing only with http connection, https works well on my device.

[cropd]

I’m also having troubles to connect to my webdav server with my iPhone XS 13.1.

I CAN connect to my self hosted server over https with my browser and the buttercup OSX app, so the connection works.

I tried the webdav node module version 2.2 (this version is used by buttercup mobile) and I’m having the same connection issues (401) but with the latest webdav version it works.

So maybe updating the node module would help me (us)?

[perry-mitchell]

Yeah, that’s doable of course. Our Dropbox client also needs an update so both can go together.

[cropd]

Yeah, that’s doable of course. Our Dropbox client also needs an update so both can go together.

That would be great! I just made an iOS build with "webdav": "^2.9.1" and I can confirm, it's now connecting to my webdav server.

[rijabo]

Im sorry to say i still have te same problem. As i understand it is because i use http://myip:xxxx/webdav and not https . Like i stated in the beginning it worked before. Can it be fixed so http also works? ( im not so expierenced i can setup https ssl on my nas server 😀) thanks in advance.

[sallar]

I think that’s not something we can do on iOS at least unfortunately because of this:

By default, iOS will block any request that’s not encrypted using SSL. If you need to fetch from a cleartext URL (one that begins with http) you will first need to add an App Transport Security exception. If you know ahead of time what domains you will need access to, it is more secure to add exceptions only for those domains; if the domains are not known until runtime you can disable ATS completely. Note however that from January 2017, Apple’s App Store review will require reasonable justification for disabling ATS. See Apple’s documentation for more information.

https://facebook.github.io/react-native/docs/network

[perry-mitchell]

The recommendation being, for right now, to use free services like LetsEncrypt where possible. I don't personally think it's unacceptable to expect that most servers these days should be accessible using HTTPS - but I completely get that this is a pain. I had no idea RN had this restriction. That being said - please take steps to secure your infrastructure, even if it's just a home service :)

[casasfernando]

@perry-mitchell continuing here since https://github.com/buttercup/buttercup-mobile/issues/293 is now closed.

I’ve been doing some research (I’m completely new to mobile development bear that in mind) and found something in the Android development docs (https://developer.android.com/training/articles/security-config) that’s not too complex and may work to allow the app to use trusted CA certs from the system user store.

Basically is about adding the user certificate store to the trusted anchors in the app network security configuration which by default is not included since Android 7.0:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="false">
    <trust-anchors>
        <certificates src="system" />
        <certificates src="user" />
    </trust-anchors>
</base-config>
</network-security-config>

Then this new configuration file needs to be included in the app manifest:

<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config"
                    ... >
        ...
    </application>
</manifest>

I think this is still safer than other solutions since it will still require the user to manually install (like in iOS, Linux, etc) the trusted CA certificate in the device.

What do you think? If you want to read more all the information is in the Android dev docs link shared above.

Thanks.

[casasfernando]

@perry-mitchell did you have the chance to read https://github.com/buttercup/buttercup-mobile/issues/159#issuecomment-1025202284? Any thoughts?

[casasfernando]

I just created a PR that fixes https://github.com/buttercup/buttercup-mobile/issues/293 and most likely this issue as well. I tested it on an Android 11 device and I was able to access the webdav fault without any obvious problems.

Hope it helps. Thanks.

[perry-mitchell]

I just created a PR that fixes https://github.com/buttercup/buttercup-mobile/issues/293 and most likely this issue as well

I've merged, but I'm currently on holidays. I'll try to release in the next few days..

Of course that PR only addresses the Android side, and not the iOS side..

[casasfernando]

I just created a PR that fixes #293 and most likely this issue as well

I've merged, but I'm currently on holidays. I'll try to release in the next few days..

Of course that PR only addresses the Android side, and not the iOS side..

Thanks for accepting the PR. 😄

AFAIK iOS didn’t need any fix. I’m using Buttercup on iOS with a private CA certificate for months now without any issues at all. #293 only affected Android. Yet I must admit I didn’t try self-signed certs in either platform but as long as the user trust the certificate at the OS level it should just work on both.

No rush for the new Android release and enjoy your time off.

Thanks

[solomon234]

Bumping this issue, I'm noticing the webdav server I host on my synology has a self signed certificate that typically gets a prompt to trust the server cert. Android Mobile app is unable to connect.

[perry-mitchell]

@solomon234 Have you checked the PR notes? This should have been solved.

I'd accept PRs for fixes here, as I won't have time to get to this myself.

[solomon234]

Sure thing I'll explore a fix and PR if i find one. Thanks!

[tuaris]

Could certificate validation using DANE be a possibility?

[perry-mitchell]

Not sure what that is sorry. But whatever solution is accepted should be at least usable for all android or iOS users, or even better, usable for everyone.

[solomon234]

I haven't been able to look into it yet, I assume though that there should at least be a prompt to continue if the CA is trusted.

[casasfernando]

Bumping this issue, I'm noticing the webdav server I host on my synology has a self signed certificate that typically gets a prompt to trust the server cert. Android Mobile app is unable to connect.

Did you try to install your private root CA certificate (the one used to sign your servers certificate) into your Android device as a trusted root CA certificate? Try that and check if it works. It certainly works for me since the PR above was merged.

[solomon234]

good idea, let me look into that and drop an update.