[Freedombox-discuss] Can't get android phone to connect to radicale.

A. F. Cano afc at shibaya.lonestar.org
Sat Feb 4 18:52:40 UTC 2017


Hello,

Android phone (Galaxy S) with CyanogenMod and the improvements described here:

https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy

At first I thought it might have been a firewall problem, but I disabled the
firewall and I still couldn't connect.  With the firewall on, I added these
rules:

================== firewall-allow-radicale.sh ==================

IP6TABLES=/system/bin/ip6tables
IPTABLES=/system/bin/iptables
DAVDROID_UID=`dumpsys package at.bitfire.davdroid | grep userId | cut -d= -f2 - | cut -d' ' -f1 -`
CALENDAR_UID=`dumpsys package com.android.calendar | grep userId | cut -d= -f2 - | cut -d' ' -f1 -`
# This returns the UID twice.  Needs fixing.
# CONTACTS_UID=`dumpsys package com.android.contacts | grep userId | cut -d= -f2 - | cut -d' ' -f1 -`
CONTACTS_UID=10001
TASKS_UID=`dumpsys package org.dmfs.tasks | grep userId | cut -d= -f2 - | cut -d' ' -f1 -`
SAFE_NETWORK=192.168.1.0/24

# Allow DAVdroid/radicale and all apps that use it (port 5232)
$IPTABLES -I INPUT-firewall -s $SAFE_NETWORK -p tcp --dport 5232 -j RETURN
$IPTABLES -I droidwall -m owner --uid-owner $DAVDROID_UID -d $SAFE_NETWORK -m conntrack --ctstate ESTABLISHED -p tcp --sport 5232 -j RETURN
$IPTABLES -I droidwall -m owner --uid-owner $CALENDAR_UID -d $SAFE_NETWORK -m conntrack --ctstate ESTABLISHED -p tcp --sport 5232 -j RETURN
$IPTABLES -I droidwall -m owner --uid-owner $CONTACTS_UID -d $SAFE_NETWORK -m conntrack --ctstate ESTABLISHED -p tcp --sport 5232 -j RETURN
$IPTABLES -I droidwall -m owner --uid-owner $TASKS_UID -d $SAFE_NETWORK -m conntrack --ctstate ESTABLISHED -p tcp --sport 5232 -j RETURN

# Remove transproxy for radicale output
$IPTABLES -t nat -I OUTPUT -d $SAFE_NETWORK -m conntrack --ctstate ESTABLISHED -p tcp --sport 5232 -j ACCEPT

===================

which are variations of the ones used for adb/shell (and those work just fine.)
I still can't connect.  Did I screw up something in these firewall rules?

This is what shows up on the log:

=================== Android log ====================

2017-01-28 20:33:55 2 [ui.setup.DavResourceFinder] Finding initial carddav service configuration
2017-01-28 20:33:55 2 [ui.setup.DavResourceFinder] Checking user-given URL: https://192.168.1.27/radicale/<user>/
2017-01-28 20:33:55 2 [HttpClient$1] --> PROPFIND https://192.168.1.27/radicale/<user>/ http/1.1
2017-01-28 20:33:55 2 [HttpClient$1] Content-Type: application/xml; charset=utf-8
2017-01-28 20:33:55 2 [HttpClient$1] Content-Length: 290
2017-01-28 20:33:55 2 [HttpClient$1] Depth: 0
2017-01-28 20:33:55 2 [HttpClient$1] 
2017-01-28 20:33:55 2 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><resourcetype /><displayname /><CARD:addressbook-description /><CARD:addressbook-home-set /><current-user-principal /></prop></propfind>
2017-01-28 20:33:55 2 [HttpClient$1] --> END PROPFIND (290-byte body)
2017-01-28 20:33:55 2 [HttpClient$1] <-- HTTP FAILED: javax.net.ssl.SSLException: Connection closed by peer
2017-01-28 20:33:55 2 [ui.setup.DavResourceFinder] PROPFIND/OPTIONS on user-given URL failed
EXCEPTION javax.net.ssl.SSLException: Connection closed by peer

===================

Even though it says "Connection closed by peer" I see no log entry on the
FreedomBox about radicale being accessed.  I have configured KOrganizer and
KAddressBook on a Debian machine and when those sync up with the FreedomBox
I do see an entry.  This seems to imply that the problem happens before
radicale sees any packets.

This is what DAVdroid says:

Configuration detection

Couldn't find CalDAV or CardDAV service.

If I disable the Android firewall I get this:

=================== Android log ====================

2017-01-29 16:59:14 2 [ui.setup.DavResourceFinder] Finding initial carddav service configuration
2017-01-29 16:59:14 2 [ui.setup.DavResourceFinder] Checking user-given URL: https://192.168.1.27/radicale/<user>/
2017-01-29 16:59:14 2 [HttpClient$1] --> PROPFIND https://192.168.1.27/radicale/<user>/ http/1.1
2017-01-29 16:59:14 2 [HttpClient$1] Content-Type: application/xml; charset=utf-8
2017-01-29 16:59:14 2 [HttpClient$1] Content-Length: 290
2017-01-29 16:59:14 2 [HttpClient$1] Depth: 0
2017-01-29 16:59:14 2 [HttpClient$1] 
2017-01-29 16:59:14 2 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><resourcetype /><displayname /><CARD:addressbook-description /><CARD:addressbook-home-set /><current-user-principal /></prop></propfind>
2017-01-29 16:59:14 2 [HttpClient$1] --> END PROPFIND (290-byte body)
2017-01-29 16:59:14 2 [HttpClient$1] <-- HTTP FAILED: java.net.ConnectException: Failed to connect to /192.168.1.27:443
2017-01-29 16:59:14 2 [ui.setup.DavResourceFinder] PROPFIND/OPTIONS on user-given URL failed
EXCEPTION java.net.ConnectException: Failed to connect to /192.168.1.27:443

===================

After the above lines, there is a voluminous traceback that I can provide if
needed.

For now I'm trying to do this from the internal network, on the inside
interface.  The Android phone, when connected through Wi-Fi to the internal
network, works fine and can access the internet.

The file of iptables rules firewall-allow-nontor-browser.sh is installed,
so trying to access port 443 on the local network should not be a
problem.

Can anyone shed some light on this?  Any idea as to where to look/what to do?

Thanks.

Augustine
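
Added example (not part of the original post, and not DAVdroid or FreedomBox code): a POSIX shell check that reads the URL DAVdroid reports in its log and compares the destination port with the ports the firewall script matches on the outbound path. It assumes the `droidwall` and nat `OUTPUT` chains are traversed by packets leaving the phone and that chains named `INPUT*` are inbound; the sample data is excerpted from the log and script above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare where DAVdroid connects with what the rules match.
# Assumption: droidwall and nat OUTPUT are outbound chains, INPUT* is inbound.
LOG_SAMPLE='2017-01-28 20:33:55 2 [ui.setup.DavResourceFinder] Checking user-given URL: https://192.168.1.27/radicale/<user>/
2017-01-28 20:33:55 2 [HttpClient$1] <-- HTTP FAILED: javax.net.ssl.SSLException: Connection closed by peer'
RULES_SAMPLE='$IPTABLES -I INPUT-firewall -s $SAFE_NETWORK -p tcp --dport 5232 -j RETURN
$IPTABLES -I droidwall -m owner --uid-owner $DAVDROID_UID -d $SAFE_NETWORK -m conntrack --ctstate ESTABLISHED -p tcp --sport 5232 -j RETURN
$IPTABLES -t nat -I OUTPUT -d $SAFE_NETWORK -m conntrack --ctstate ESTABLISHED -p tcp --sport 5232 -j ACCEPT'

# Print "host port" for every URL DAVdroid says it is checking.
# The port defaults to 443 for https and 80 for http when the URL has none.
log_targets() {
    sed -n 's#.*Checking user-given URL: \(https\{0,1\}\)://\([^/]*\).*#\1 \2#p' |
    while read -r scheme authority; do
        case "$authority" in
            *:*) echo "${authority%%:*} ${authority##*:}" ;;
            *)   [ "$scheme" = https ] && echo "$authority 443" || echo "$authority 80" ;;
        esac
    done | sort -u
}

# Print "chain flag port" for each rule, e.g. "droidwall --sport 5232".
rule_matches() {
    awk '{
        chain = ""; flag = ""; port = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-I" || $i == "-A") chain = $(i + 1)
            if ($i == "--sport" || $i == "--dport") { flag = $i; port = $(i + 1) }
        }
        if (chain != "" && flag != "") print chain, flag, port
    }'
}

# For each target in the log ($1), report whether an outbound rule in the
# rules text ($2) matches its destination port. A client needs --dport.
diagnose() {
    outbound=$(printf '%s\n' "$2" | rule_matches | grep -v '^INPUT' || true)
    printf '%s\n' "$1" | log_targets | while read -r host port; do
        if printf '%s\n' "$outbound" | grep -q -- "--dport $port\$"; then
            echo "OK $host:$port"
        else
            echo "UNMATCHED $host:$port outbound rules only match:" \
                $(printf '%s\n' "$outbound" | awk '{print $2 "=" $3}' | sort -u)
        fi
    done
}

diagnose "$LOG_SAMPLE" "$RULES_SAMPLE"
```

On the excerpts from this post it reports that the client connects to 192.168.1.27:443 while the outbound rules only match source port 5232.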



